Dissecting Operation Troy: Cyberespionage in South Korea
White Paper
By Ryan Sherstobitoff and Itai Liba, McAfee® Labs, and James Walter, Office of the CTO
Table of Contents
Executive Summary ... 3
Attack Timeline ... 3
State Sponsorship or Cyberterrorism? ... 3
The adversaries
The Analysis ... 4
The Malware ... 4
The dropper Trojan ... 5
MBR wiper ... 5
The remote-access Trojan ... 5
Linking to the Attackers ... 6
Code Analysis ... 7
Revealing “Operation Troy” ... 7
Persistent espionage campaign in South Korea: 2009–2013 ... 7
Tools and tactics ... 8
Military Espionage Malware: 2009–2013 ... 16
The encrypted network ... 17
Data exfiltration ... 21
The DLL relationship ... 23
Relationships to Http Dr0pper ... 27
Destroying the target ... 27
The campaigns ... 28
Conclusion ... 28
About the Authors ... 29
About McAfee Labs ... 29
Executive Summary
South Korea was hit by a major cyberattack on March 20, 2013, at 2:00 pm local time. This cyberattack caused a significant amount of damage to the affected organizations by wiping the hard drives of tens of thousands of computers. McAfee Labs research provides further insight into the likely source of these attacks. Though not definitive, our analysis provides a much clearer picture. The research also indicates that there may have been two distinct groups, attacking different targets.
Our analysis …