
Malware in Sony Attack Linked to 2013 South Korean Incidents

Similarities are found to an attack against South Korean banks and TV broadcasters.


The malicious software believed to be behind last week's attack on the computer systems of Sony Pictures Entertainment resembles malware used in attacks on South Korean broadcasters and banks last year.

The South Korean government blamed agents working on behalf of North Korea for the attacks in 2013.

Sony Pictures last week suffered a devastating hacking attack that brought operations of its corporate computer network to a halt. Attackers soon leaked video of five Sony-produced films to file-sharing networks, and then numerous sensitive corporate files, including the salaries of its executives. The FBI has been investigating the attack.

The latest findings come from researchers at the security software firm Symantec. In a blog post, Symantec said samples of the malware described in an FBI warning Monday, known as Backdoor.Destover, communicate with some of the same servers used for command and control — or C&C — purposes in a series of attacks on South Korean TV and banking networks in March of 2013.

“The shared C&C indicates that the same group may be behind both attacks,” the post read.

The malware described in the FBI warning Monday is thought to be the same as that found in the Sony incident, though the FBI didn’t specifically name Sony as the victim.
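The link Symantec draws rests on infrastructure overlap: samples from two campaigns contacting the same command-and-control endpoints. The following is an added example, not code from the article or from Symantec, showing how an analyst pivots on that kind of overlap: an inverted index from endpoint to samples, and a union-find pass that groups samples into clusters whenever a chain of shared endpoints connects them. The sample names and addresses are constructed (RFC 5737 documentation ranges), not the real Destover or Volgmer indicators.

```python
"""Clustering malware samples by shared command-and-control infrastructure.

Added example, not code from the original article or from Symantec.
The sample names and C2 addresses below are constructed (RFC 5737
documentation ranges), not the real Destover or Volgmer indicators.
"""
from collections import defaultdict
from itertools import combinations

# Constructed indicator set: sample -> set of C2 endpoints it contacts.
# Two Destover builds share one endpoint; one of them also shares an
# endpoint with the Volgmer build. The Shamoon sample shares nothing,
# mirroring the article's point that Shamoon is not infrastructure-linked.
SAMPLES = {
    "Destover.A":   {"198.51.100.10:443", "198.51.100.11:8080"},
    "Destover.B":   {"198.51.100.11:8080", "203.0.113.5:80"},
    "Volgmer.2013": {"203.0.113.5:80", "203.0.113.9:443"},
    "Shamoon.2012": {"192.0.2.77:80"},
}


def invert(samples):
    """Map each C2 endpoint to the set of samples that use it."""
    index = defaultdict(set)
    for sample, c2s in samples.items():
        for c2 in c2s:
            index[c2].add(sample)
    return dict(index)


def shared_c2(samples):
    """Return {endpoint: sorted sample names} for endpoints used by more than one sample."""
    return {c2: sorted(s) for c2, s in invert(samples).items() if len(s) > 1}


def clusters(samples):
    """Group samples into connected components over shared C2 endpoints.

    Samples land in the same cluster if a chain of shared endpoints links
    them, even when no single endpoint is common to all of them (here
    Destover.A and Volgmer.2013 share nothing directly, but both share
    an endpoint with Destover.B).
    """
    parent = {s: s for s in samples}

    def find(x):
        # Path-halving union-find lookup.
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for members in invert(samples).values():
        for a, b in combinations(sorted(members), 2):
            union(a, b)

    groups = defaultdict(list)
    for s in samples:
        groups[find(s)].append(s)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for c2, who in shared_c2(SAMPLES).items():
        print(f"{c2} shared by {', '.join(who)}")
    for group in clusters(SAMPLES):
        print("cluster:", group)
```

The caveat a practitioner applies here is the one Symantec's own wording ("may be behind") carries: shared infrastructure is a lead, not proof. Compromised third-party hosts, bulletproof hosting resold to several customers, and sinkholed domains all produce overlaps between unrelated actors, so an infrastructure cluster is normally weighed together with code similarity, tooling and targeting before it is read as a common operator.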

The software used in the 2013 attacks, known as Trojan.Volgmer, is described as a reconnaissance tool used for gathering information on a system in order to facilitate a later attack. A version of Volgmer that shares the same C&C features was specifically configured to attack Korean systems and “will only run on Korean computers,” the company said.

The malware thought to have been central to the attack on Sony shares other characteristics with the South Korean incidents, and also with the 2012 attack on the Saudi Arabian oil company Saudi Aramco known as Shamoon.

All three used a component that wipes the data stored on a hard drive. However, Symantec says it is unlikely that the South Korean and Saudi incidents are linked. "Instead it would appear that the Destover attacks copied techniques from Shamoon," the company said.

Last year, Symantec pinned responsibility for a series of attacks in South Korea dating back to 2009 on a single gang of operators it nicknamed the “DarkSeoul Gang,” though it didn’t name specific individuals as its members.

In the 2013 incidents, the computer networks of three South Korean banks — Shinhan, NongHyup and Jeju — and of three TV broadcasters — KBS, MBC and YTN — were attacked and their operations disrupted. A South Korean government agency at the time blamed North Korea, which denied involvement.

Prosecutors in Seoul later investigated a South Korean tech executive on suspicions that he helped North Korea carry out the attacks.

Sony and its outside security consultants Mandiant are investigating the possibility of a North Korean connection to the attacks. One possible motivation is the country’s complaints about the release of a Sony-produced film called “The Interview.” The film is a comedy that depicts two TV journalists who land an interview with North Korean leader Kim Jong-Un, and who are then recruited by the CIA to assassinate him.

In comments to Voice of America, the North Korean government has officially denied involvement.

Symantec's researchers were among the first in 2010 to dissect Stuxnet, the digital weapon used against Iran's uranium-enrichment facilities, and last month uncovered a stealthy computer spying tool they dubbed Regin.

A spokesman for Mandiant, the division of the security company FireEye that is helping Sony investigate the attack, had no comment. A Sony spokeswoman did not immediately return messages seeking comment.

This article originally appeared on Recode.net.
