Results of Investigation into the NongHyup Computer Network Failure Incident (농협 전산망 장애사건 수사 결과)
2011-05-03 • KRSPO • Results of investigation into Nonghyup computer network failure incident
Attachments
2116602603.pdf (1 MB)
A Korean prosecution presentation reconstructs the 2011 NongHyup banking disruption as a prepared destructive cyberattack that progressed from website-based malware infection to keylogging, backdoor installation, command-file staging, and execution of file-deletion and system-destruction commands. The timeline shows attackers collecting IP addresses, passwords, and chat contents from March to April before triggering destructive activity on April 12, causing failures across internal, web, and test servers. The incident affected 273 of 587 total servers, including 180 internal servers and 45 web servers, with recovery of branch, ATM, card, and customer services taking days to weeks. The slides compare the malware and command-line construction with those of the 7.7 DDoS and 3.4 DDoS incidents, noting high overlap in samples and shared password-key characteristics, and make the case for related destructive tradecraft against South Korean financial infrastructure.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 9.43.216.108 | 2011-05-03 | 2011-05-03 |