It has been reported in the media that several South Korean banks and local broadcasting organizations have been impacted by a cyberattack.
The attack included the defacement of a Korean ISP/telecoms provider and also the crippling of servers belonging to a number of organizations.
The defacement displays an elaborate animated Web page with sound effects, showing three skulls, and includes a message from the claimed attackers, who call themselves the “Whois” team.
The attack was first noticed when a number of websites began to experience problems. Customers of banks could not access their online accounts, and reports of other sites being down began to surface. While specific details are not known at this time, it has been reported that a number of affected sites had their hard drives wiped, leaving the affected computers in a crippled state.
Symantec detects the suspected malware as Trojan Horse/Trojan.Jokra and WS.Reputation.1.
We are currently performing detailed analysis of the threat. At this time, we can confirm that the malware performs the following actions:
The results of the disk-wiping actions are consistent with the major outages reported in that region. Disk wiping is not a new activity; in a separate incident in August 2012, a number of Middle Eastern organizations were hit by the W32.Disttrack (Shamoon) threat, which caused similar damage by wiping hard disks.
There are currently no indications of the source of this attack or of how the attackers infiltrated the affected parties. The real motives of the attack are also unclear, but in recent times political tensions on the Korean Peninsula have been ramping up, and these attacks may be either part of a clandestine attack or the work of nationalistic hacktivists taking matters into their own hands.
Symantec will publish further information as it becomes available.