CASE STUDY OF THE WIPER APT IN KOREA, AND BEYOND
Z:\MAKE TROY\, NOT WAR: CASE STUDY OF THE WIPER APT IN KOREA, AND BEYOND
-Kyle Yang, CCIE#19065
Director, AV Engine Development
Fortinet Inc. Canada
Agenda
• 3.20 Wiper Attack
• Operation Troy
• Operation 1Mission/Mission
• Operation Nstar
• Operation Eaglexp
• Operation Flame
• Operation Flame2
3.20 Wiper Attack Impact
Company Name: Damage
• Shinhan Bank: 57 branches; 6 DB servers
• NongHyup Bank: 30 branches; 10% of employee computers; 50% of ATMs
• KBS TV: 5000 employee computers
• MBC TV: 800 employee computers
• YTN TV: 500 employee computers
Wiper Case 1
• AgentBase.exe (2013-01-31): Windows Wiper
• conime.exe: PSCP from PuTTY suite
• ~pr1.tmp: Linux/Unix Wiper
• alg.exe: Plink from PuTTY suite
• Dropper (2013-03-20)
Wiper Case 2
• Dropper (2013-03-20)
• schsvcsc.exe (2013-03-19): Injector
• ~schsvcsc.dll (2013-03-20): Wiper
Wiper Case 3
Huh?
Wiper Spreader Case 1
• Dropper (2013-03-19)
• Update.zip (2013-03-19)
• vms1014.zip (2010-10-14)
• vmsinit.ini (2013-03-19)
• OthDown.exe (2013-01-31)
Update Configuration File
Abnormal Update Config File
Normal Update Config File
…