Today we announce the McAfee Labs report Dissecting Operation Troy: Cyberespionage in South Korea, the results of a four-month investigation into the events surrounding the cyberattack Dark Seoul, which occurred on March 20. The group behind Dark Seoul was involved in more than what previous reports have covered: DDoS attacks dating from 2009 and the wiping of the master boot record of many machines on March 20. The missing element was military espionage.
In our investigation we reveal that one of the primary goals of this group was a covert military spying operation that attempted to target military forces in South Korea. Along with this goal, we have found the covert development of military-espionage malware during a four-year period carried out by the same actors responsible for Dark Seoul and the recent attacks of June 25. That development had remained hidden in the shadows until now.
Many of the Trojans we describe in the report are based on malware developed in 2009. The Dark Seoul adversaries show a consistent pattern of psychological warfare that includes throwing off investigators by blaming the attacks on hacktivism. (Both the March and June events share this feature.)