CSIS examines North Korea's cyber operations after the 2013 attacks on South Korean banks and media agencies and the 2014 Sony Pictures Entertainment breach. The excerpt frames DPRK cyber activity as a strategic issue, asking why North Korea pursues cyber…
2015 (11 reports)
Unit 42 analyzes TDrop2 malware used in a campaign tied to Dark Seoul and Operation Troy activity, targeting European transportation organizations through a trojanized security-camera video player package. The first-stage installer drops both the legitima…
GIAC’s DarkSeoul case study describes destructive malware that crippled tens of thousands of South Korean banking and media-sector systems, wiping Windows and Unix-like hosts and disrupting ATMs, payment terminals, and mobile banking. The paper says South…
Unit 42 reports TDrop2 activity in 2015 that closely resembled the Dark Seoul and Operation Troy toolset, while noting that the available evidence was insufficient to conclusively prove the same operators. The observed attack targeted the European transpo…
AhnLab’s Black Mine Operation analysis tracks more than 240 Bmdoor samples collected from May 2014 to July 2015 and says the activity targeted South Korean energy, transportation, telecommunications, broadcasting, IT, finance, and political organizations.…
Symantec reports that Duuzer was active against South Korea, with a particular focus on the manufacturing industry, although the activity was not limited to that region. The backdoor supports remote access, file download, data theft, system and drive enum…
Seoul Metro disclosed that office PC management infrastructure for subway lines 1 through 4 had been compromised by an organization assessed by South Korea's National Intelligence Service as likely linked to North Korea's Reconnaissance General Bureau. In…
FireEye analyzed malicious Hangul Word Processor documents exploiting CVE-2015-6585, a then-unknown HWPX parsing vulnerability in hwpapp.dll. The exploit abuses a type confusion condition in para text handling, uses Unicode values and heap spraying to red…
Somansa analyzes malicious HWP documents attributed in the report to Kimsuky and aimed at specific South Korean institutions through a Hangul Office vulnerability that had already been patched. The documents use heap spraying and shellcode to extract encr…
The KHNP incident analysis describes the December 2014 cyberattack timeline, including thousands of phishing emails sent to more than 3,500 employees from hundreds of accounts, malicious Hangul documents, staged data leaks, and destructive malware activit…
Korean prosecutors reported that attackers sent 5,986 destructive-malware emails to 3,571 KHNP employees in December 2014, but only eight PCs were infected and five hard disks were initialized, with no impact to nuclear plant operations or safety. The int…