McAfee: Malware hunts for South Korean military secrets

South Korean army
Image caption McAfee said it found malware designed to copy sensitive data held by the South Korean military

Hackers who wiped tens of thousands of PC hard drives in South Korea earlier this year also appear to be targeting the country's military secrets, according to a report.

A study by McAfee Labs said the group has created malware which scanned systems for keywords including "weapon", "US Army" and "secret".

It said that once a computer's contents had been catalogued, the attackers could "grab documents at will".

South Korea has played down the threat.

Its defence ministry told the Associated Press news agency that it was technically impossible to have lost classified reports because the computers on which it stored military secrets were not connected to the net.

A spokesman for the Pentagon said it planned to review the report.

Social network

McAfee said the attacks were part of a long-term spying operation dating back to at least 2009 which it called Operation Troy because the name of the ancient city repeatedly appeared in the hackers' code.

It began investigating the group following an attack in March which caused data held on PCs used by several banks and TV networks to be deleted.

Although the security firm said that the malware used to wipe the disks was distinct from that used to hunt for the military secrets, it said there were so many similarities between the two that it believed they must be created by the same team.

It traced the spying effort back to at least 2009 when it said the hackers managed to place an exploit on a military social networking site. It added that it believed the code was also spread through the use of "spear phishing" - email or other messages masquerading as official communications which were designed to fool specific individuals into handing over logins and other sensitive information.

Image caption TV network KBS was among the organisations targeted by the 20 March cyber-attack

The report said that once the malware was in place it searched the infected systems for "interesting" documents.

To do this it scanned for a variety of Korean and English-language keywords.

The study lists dozens of examples including "tactics", "brigade", "logistics" and "Operation Key Resolve" - a military exercise involving both South Korean and US forces carried out every year. McAfee said it had opted to withhold other "sensitive" terms at the request of US officials.

The report explained the software then flagged which computers appeared to have the most valuable contents and uploaded copies of their directories to the attackers' servers.

It said the hackers were then able to pick and choose which files to download in order to keep network traffic to a minimum, helping them avoid detection.

McAfee also warned that it had discovered a version of the spying malware which had the ability to destroy data in a way similar to the one used against the civilian targets.

"This capability could be devastating if military networks were to suddenly be wiped after an adversary had gathered intelligence," it said.

"There was at least one limitation, however. We found the malware of February 2011 could wipe its targets only if it was detected that it was being debugged or analysed by a security product."

Wiper function

A spokesman for South Korea's government denied classified documents would have been at risk since the computer network that stored them was not connected to the net.

Image caption McAfee said the malware contained code designed to hunt out military-related terms

"It's physically separated," said Kim Min-Seok.

However, one of the report's authors suggested there was still a risk.

"It is not entirely impossible to extract information from a closed network that is disconnected from the internet," said senior threat researcher Ryan Sherstobitoff.

"[But] it would require some extensive planning and understanding of the internal layout to stage such an exfiltration [unauthorised data transfer] to the external world."

The report does not name who McAfee believes to be responsible, however South Korean officials have previously said that the 20 March attack "resembled North Korea's past hacking patterns".

More on this story

Related Internet links

The BBC is not responsible for the content of external Internet sites