As investigators work to assess who is behind a cyberattack that shuttered banks in South Korea on Wednesday, details are emerging that can help U.S. banks learn from what happened overseas.
The attack, which froze ATMs, suspended online banking and paralyzed internal systems at Shinhan Bank, Nonghyup Bank and Cheju Bank, likely resulted from malicious software spread through the banks' computers, South Korea's Financial Services Commission said Thursday in a statement.
The institutions restored most operations, although some branches of Nonghyup Bank remained without service late Thursday morning, roughly 21 hours after the attack, regulators said.
Though the Yonhap News Agency quoted a senior government official as saying the South Korean government "strongly" suspects North Korea of engineering the attack, experts say it will take time to determine who is responsible. On Friday, South Korean regulators said an Internet address used in the attacks had been traced to one of the victim banks, Reuters reported. Regulators declined to speculate on the nature of that element of the attack.
In the meantime, researchers are uncovering features of the attack, which also crippled computers at three South Korean broadcast networks.
The malware overwrote the master boot record, the first sector of a hard disk, which holds the partition table and the code a machine runs to start its operating system, according to analysis published Wednesday by researchers at digital security firms McAfee and Symantec.
The malware struck both Windows- and Unix-based systems, the firms found. In all, roughly 32,000 computers were affected, South Korea's Internet Security Agency estimated, according to news reports. The scale of the attack and the wiper malware used resemble a separate incident in August, when cyberattackers disabled 30,000 computers at Saudi Aramco, the state-owned oil company.
In the attacks on firms in Seoul, photos relayed by employees of some of the targeted companies show infected computers stuck at startup, apparently searching for an operating system to load, which is the expected symptom when the master boot record has been overwritten.
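The analysis above turns on one artifact: a 512-byte sector whose partition table and boot signature a wiper has replaced with filler. The script below, an added example that is not code from the article, the banks or the vendors it quotes, parses that sector and flags the signs an incident responder would look for when triaging machines after such an attack (missing 0x55AA signature, a fill pattern where boot code should be, an empty or garbage partition table). The sample sectors are constructed inline; the healthy one carries an NTFS and a Linux partition, the two wiped ones are a zero fill and a repeated text string.

```python
"""Inspect a 512-byte master boot record (MBR) for signs that a wiper has
overwritten it.  Added example; not code from the article, the affected banks
or the vendors it quotes.  The sample sectors below are constructed."""
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # partition table starts here, after the boot code
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR


def parse_entry(entry):
    """Decode one 16-byte partition entry: status, type, LBA start, sector count."""
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector):
    """Split a raw sector into boot code, four partition entries and the signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    entries = []
    for i in range(4):
        start = TABLE_OFFSET + i * ENTRY_SIZE
        entries.append(parse_entry(sector[start:start + ENTRY_SIZE]))
    return {
        "boot_code": sector[:TABLE_OFFSET],
        "partitions": entries,
        "signature_ok": sector[SECTOR_SIZE - 2:] == BOOT_SIGNATURE,
    }


def assess_mbr(sector):
    """Return a list of findings; an empty list means the sector looks intact."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    # Real boot code uses dozens of distinct opcode and message bytes; a wiper's
    # fill (zeros or a short repeated string) uses very few.
    if len(set(mbr["boot_code"])) <= 8:
        findings.append("boot code area has low byte diversity (fill pattern)")
    live = [p for p in mbr["partitions"] if p["type"] != 0 or p["sectors"] != 0]
    if not live:
        findings.append("partition table empty")
    for i, p in enumerate(live):
        if p["status"] not in (0x00, 0x80):      # only "inactive" or "bootable" are legal
            findings.append("entry %d: invalid status byte 0x%02x" % (i, p["status"]))
        if p["lba_start"] == 0:
            findings.append("entry %d: partition starts at LBA 0 (overlaps the MBR)" % i)
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in live)
    for (s1, e1), (s2, e2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append("partitions overlap (%d-%d and %d-%d)" % (s1, e1, s2, e2))
    return findings


def triage_fleet(sectors_by_host):
    """Map hostname -> findings for every host whose first sector is not clean."""
    flagged = {}
    for host, sector in sectors_by_host.items():
        findings = assess_mbr(sector)
        if findings:
            flagged[host] = findings
    return flagged


def _entry(status, ptype, lba_start, sectors):
    # CHS fields are filled with placeholder values; modern loaders use the LBA fields.
    return struct.pack("<B3sB3sII", status, b"\x00\x20\x21", ptype, b"\xfe\xff\xff",
                       lba_start, sectors)


# Constructed samples (hypothetical disks, not images from the incident).
HEALTHY_MBR = (bytes((i * 37 + 11) & 0xFF for i in range(TABLE_OFFSET))  # varied "boot code"
               + _entry(0x80, 0x07, 2048, 1_000_000)                       # bootable NTFS
               + _entry(0x00, 0x83, 1_002_048, 500_000)                    # Linux
               + bytes(2 * ENTRY_SIZE) + BOOT_SIGNATURE)
WIPED_ZERO = bytes(SECTOR_SIZE)                       # sector zeroed out
WIPED_TEXT = b"WIPED!!!" * (SECTOR_SIZE // 8)         # sector filled with a repeated string

if __name__ == "__main__":
    for host, findings in triage_fleet({"ws-01": HEALTHY_MBR, "ws-02": WIPED_ZERO,
                                        "ws-03": WIPED_TEXT}).items():
        print(host, "->", "; ".join(findings))
```

Feed the script with `open("/dev/sda", "rb").read(512)` (or the first sector of a forensic image) instead of the constructed samples to run it on a real machine; keeping a known-good copy of each host's MBR lets the same parser diff the partition table against its baseline rather than relying on heuristics alone.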
Regulators said they had received no reports of funds being drained from accounts or of customers' personal information being breached, although they told banks to come up with criteria to compensate customers for any losses. "If the intention was to take data, they wouldn't have wiped out these machines completely," Satnam Narang, a security response manager at Symantec, told American Banker.
Experts note that the attacks in Seoul also reflected an unusual degree of coordination, and that the malware used appeared to let the attackers start and stop the attack with rough precision. "There was a high degree of central management and it was very well orchestrated," Carl Herberger, vice president of security solutions at Radware, a digital security firm, told American Banker. Whoever was behind the attack "orchestrated a very nice entry and exit mechanism," he added.
Although the source of the attack is unknown, experts say the attackers most likely exploited human weaknesses to plant the malware on the target networks. "I would be very surprised if it wasn't targeted through a phishing attack or website download," Vincent Weafer, a senior security researcher at McAfee Labs, told American Banker. "Something had to drop [the malware] into that environment. It is not self-replicating."
Narang adds that the attackers could have infected a website they knew workers at the organizations targeted were likely to visit. "The horse is going to go to the watering hole, so you're going to go after the watering hole as opposed to the horse," Narang said.