As investigators work to assess who is behind a cyberattack that shuttered banks in South Korea on Wednesday, details are emerging that can help U.S. banks learn from what happened overseas.
The attack, which froze ATMs, suspended online banking and paralyzed internal systems at Shinhan Bank, Nonghyup Bank and Cheju Bank, likely resulted from malicious software sent through the banks' computers, South Korea's Financial Services Commission said Thursday in a statement.
The institutions restored most operations, although some branches of Nonghyup Bank remained without service late Thursday morning, roughly 21 hours after the attack, regulators said.
Though the Yonhap News Agency quoted a senior government official as saying the South Korean government "strongly" suspects North Korea of engineering the attack, experts say it will take time to determine who is responsible. On Friday, South Korean regulators said an Internet address used in the attacks had been traced to one of the victim banks, Reuters reported. Regulators declined to speculate on the nature of that element of the attack.
In the meantime, they are uncovering features of the attack, which also crippled computers at three South Korean broadcast networks.
The malware destroyed the master boot record, the part of each computer's disk that the operating system depends on to start up, according to analysis published Wednesday by researchers at digital security firms McAfee and Symantec.
The malware struck at both Windows- and Unix-based systems, the firms found. In all, roughly 32,000 computers were altered in the attack, South Korea's Internet Security Agency estimated, according to news reports. The scale of the attack and the malware used resemble a separate incident in August, when cyberattackers shut down 30,000 computers at Saudi Aramco, the state-owned oil company.
In the attacks on firms in Seoul, computers reportedly infected by the malware appeared to be stuck searching for an operating system to boot, based on photos relayed from employees of some of the companies targeted.
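For a responder triaging a disk image after a wiper of the kind described above, a useful first check is whether the first sector still looks like a master boot record at all. The following is an added example, not code from the article or from the researchers it cites; the boot code, partition entry and wiped sectors it builds are constructed sample values.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"   # signature expected in the last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot code, four partition entries and signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        raw = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype = raw[0], raw[4]
        lba_start, sectors = struct.unpack("<II", raw[8:16])
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:446], "partitions": partitions,
            "signature": sector[510:512]}


def assess_mbr(sector: bytes) -> list:
    """Return findings that indicate a wiped or overwritten MBR; empty means intact."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    if all(b == 0 for b in mbr["boot_code"]):
        findings.append("boot code region is all zeros")
    elif len(set(mbr["boot_code"])) == 1:
        findings.append("boot code region is a single repeated byte")
    if not any(p["type"] != 0 for p in mbr["partitions"]):
        findings.append("partition table has no entries")
    for i, p in enumerate(mbr["partitions"]):
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"partition {i} has a type but zero length")
    return findings


def assess_image(path: str) -> list:
    """Read the first sector of a raw disk image file and assess it."""
    with open(path, "rb") as fh:
        return assess_mbr(fh.read(SECTOR))


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: stand-in boot code, one NTFS-type entry, signature."""
    boot = bytes(range(256)) + bytes(190)          # 446 bytes of stand-in boot code
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    return boot + entry + bytes(48) + BOOT_SIG      # 446 + 64 + 2 = 512 bytes


if __name__ == "__main__":
    print("healthy:", assess_mbr(build_sample_mbr()))   # []
    print("zeroed :", assess_mbr(bytes(SECTOR)))
    print("filled :", assess_mbr(b"\x41" * SECTOR))
```

An intact MBR returns no findings; a zeroed or byte-filled first sector, the state in which the infected machines were reportedly left, is flagged on signature, boot code and partition table.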
Regulators said they had received no reports of funds being drained from accounts or customers' personal information breached, although the regulators told banks to come up with criteria to compensate customers for any losses. "If the intention was to take data, they wouldn't have wiped out these machines completely," Satnam Narang, a security response manager at Symantec, told American Banker.
Experts note the attacks in Seoul also reflected an unusual degree of coordination, and that the malware used appeared to enable the attackers to start and stop the attack with rough precision. "There was a high degree of central management and it was very well orchestrated," Carl Herberger, vice president of security solutions at Radware, a digital security firm, told American Banker. Whoever was behind the attack "orchestrated a very nice entry and exit mechanism," he added.
Although the source of the attack is unknown, experts say that the attackers most likely preyed on human vulnerabilities to plant the malware on the target networks. "I would be very surprised if it wasn't targeted through a phishing attack or website download," Vincent Weafer, a senior security researcher at McAfee Labs, told American Banker. "Something had to drop [the malware] into that environment. It is not self-replicating."
Narang adds that the attackers could have infected a website they knew workers at the organizations targeted were likely to visit. "The horse is going to go to the watering hole, so you're going to go after the watering hole as opposed to the horse," Narang said.
The malware itself tried to disable two types of antivirus software that researchers believe the targeted companies were using, according to researchers at McAfee. Herberger says the breach reflects a limitation of many antivirus systems, which must be updated continuously to maintain protection against evolving malware strains. "Much of the infrastructure today leverages antivirus tools used 15 years ago," Herberger noted.
Both Narang and Weafer say even banks that have the latest safeguards in place cannot be impervious to malware attacks so long as email and other systems that connect to the outside world remain in use. "A perfect storm could happen, but the best thing you can do is make sure you protect yourself at all angles," Narang said.
The attacks in Seoul follow a wave of cyberattacks that have slowed websites and impeded service at more than a dozen banks in the U.S. and abroad.
According to Herberger, the campaigns, which appear to be waged separately but all derail operations of banks and other firms, take three forms. One is the kind seen in South Korea, so-called directed attacks that use malware to disrupt bank operations. A second is the so-called denial-of-service attacks waged against U.S. banks by hacktivists who vow to continue their campaign until YouTube takes down a trailer for an anti-Muslim film.
According to Herberger, that campaign, which hacktivists claiming responsibility have dubbed Operation Ababil, is proceeding "with a great degree of changing tactics and ferocity," as evidenced by attacks recently on roughly a half dozen U.S. banks in a single day.
The third operation, says Herberger, is Operation Israel, in which the hacker collective Anonymous has claimed credit for electronic assaults against banks and mobile phone companies in Israel to protest what the group says are the government's policies in Gaza.
"If you step back and look at what's going on, it's a very strange period of time, in that we really have normalized major industrial sector attacks," Herberger added. "It's the new normal."