New Cyberespionage Attack Targets Russia

By Kelly Jackson Higgins Dark Reading Dec 11, 2012

China is often considered synonymous with cyberespionage, but what about Korea? A new targeted attack campaign with apparent Korean ties has been stealing email and Facebook credentials and other user-profile information from Russian telecommunications, IT, and space research organizations.

FireEye says the so-called “Sanny” attacks appear to indicate that Korea may be home to the command-and-control and other communications infrastructure for the malware. Researchers did not specify whether North or South Korea is involved, but say that around 80 percent of the victims in the attacks are Russian organizations.

Ali Islam, security researcher for FireEye, says it’s possible that Korea is being used as a proxy for the attack. But there are a few clues of a Korean connection: the SMTP email server and command-and-control servers are based in Korea; the “Batang” and “KP CheongPong” fonts used in the lure documents are Korean; a Korean message board is used for the C&C; and the Yahoo email account used in the attacks, “jbaksanny,” is connected to an empty Korean Wikipedia page created by a user named Jbaksan.

“We believe both countries [North and South Korea] have cyberattack capabilities. The attacker has done a great job of hiding himself/herself by choosing a public forum, as normally with APTs – in contrast to normal malware – you don’t need a long-lasting CnC,” Islam says.
