A cybercriminal gang dubbed DarkSeoul is believed to be responsible for numerous sophisticated cyberattacks against South Korea over the past four years, including the two attacks that took place this year.
According to Symantec, the DarkSeoul gang is responsible for both the March attacks on broadcasters and financial institutions, and this week’s attacks on government websites. In addition to attacks on South Korea, the group is also believed to be responsible for operations against the United States.
Experts have been able to attribute several attacks to the gang because they tend to use the same methods of operation.
For instance, the cyberattacks against high-profile targets in South Korea have always been multi-staged. In addition, the destructive malware payloads – such as the DDoS attacks and MBR wiping – are set to trigger on historically significant dates.
In the attacks launched by DarkSeoul, the disk sectors that were overwritten by malware were replaced with politically-themed strings.
Specific encryption and obfuscation methods, the use of certain third-party webmailer servers to store files, the use of similar C&C structures, and the abuse of legitimate patching mechanisms allowed researchers to link the group to the attacks.
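The MBR wiping described above leaves the first disk sector structurally invalid: the boot signature is gone and the partition table is replaced by text. The following added example (not code from the article or from Symantec) shows how a defender can sanity-check a captured 512-byte sector against a constructed intact MBR and a constructed wiped one; the slogan text and partition values are made up for the demonstration.

```python
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


def parse_partitions(sector: bytes):
    """Return the four partition-table entries as (status, type, start LBA, sectors)."""
    entries = []
    for i in range(4):
        off = 446 + 16 * i  # partition table starts at byte 446
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) size(4)
        status, ptype, lba, size = struct.unpack_from("<BxxxBxxxII", sector, off)
        entries.append((status, ptype, lba, size))
    return entries


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; boot code should score low."""
    return sum(1 for b in data if 32 <= b < 127) / len(data) if data else 0.0


def check_mbr(sector: bytes) -> list:
    """Return a list of findings; an empty list means the sector looks intact."""
    findings = []
    if len(sector) != MBR_SIZE:
        return ["wrong sector size"]
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(sector)
    if not any(ptype != 0 for _, ptype, _, _ in parts):
        findings.append("no partition entries")
    for status, _, _, _ in parts:
        if status not in (0x00, 0x80):  # only 'inactive' and 'bootable' are valid
            findings.append(f"invalid partition status 0x{status:02x}")
    if printable_ratio(sector[:446]) > 0.9:
        findings.append("boot code replaced by printable text")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed intact MBR: a few opcode bytes, one Linux partition, signature."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(446, b"\x00")
    entry = struct.pack("<BxxxBxxxII", 0x80, 0x83, 2048, 1_000_000)
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE


def build_wiped_mbr() -> bytes:
    """Constructed stand-in for a sector overwritten with repeated slogan text."""
    msg = b"CONSTRUCTED-SLOGAN-TEXT "
    return (msg * (MBR_SIZE // len(msg) + 1))[:MBR_SIZE]
```

On a live system the same check can be run over the first 512 bytes of each disk read from a forensic image, with the intact baseline taken from a known-good snapshot.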
So is North Korea funding DarkSeoul?
Symantec says the attacks conducted by the gang required intelligence, coordination, and technical sophistication so it’s clear that they’re well-funded. However, it’s difficult to determine if North Korea is backing the hackers.
“Symantec expects the DarkSeoul attacks to continue and, regardless of whether the gang is working on behalf of North Korea or not, the attacks are both politically motivated and have the necessary financial support to continue acts of cybersabotage on organizations in South Korea,” the security firm noted.
It’s worth noting that in the March incident the gang attempted to attribute the attack to a group called the Whois gang. In the attacks that took place earlier this week, they attempted to draw attention to Anonymous.