Explanatory Materials Related to the Defense Network Hacking (국방망 해킹 관련 설명자료)

2016-12-08 KRMND Explanatory materials related to defense network hacking

http://www.mnd.go.kr/common/downLoad.action?siteId=mnd&fileSeq=I_4009864

Attachments

161208_EAB5B0_ED95B4ED82B9EC82ACEAB3A0_EAB480EBA0A8_ECB0B8EAB3A0EC_hTXvVAT.hwp (280 KB)

South Korea’s Ministry of National Defense said malware was distributed through an internet antivirus relay server after attackers exploited weaknesses in the military internet antivirus system. Investigators found the same malware on some defense-network PCs and confirmed that military materials, including classified information, had been stolen, with the activity assessed as likely North Korean. The intrusion path involved compromising the antivirus relay server, finding a connection point into the defense network, and hacking selected PCs, while the ministry cited weak vulnerability management, improper internet-defense network connectivity, and network-separation failures as contributing causes. Emergency response actions included removing the internet-to-defense network connection point, creating and distributing antivirus coverage for more than 40 malware variants, formatting infected PCs, and patching the vendor antivirus system software.
