http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/240144243/new-cyberespionage-attack-targets-russia.html
By Kelly Jackson Higgins
Dark Reading
Dec 11, 2012
China is often considered synonymous with cyberespionage, but what about
Korea? A new targeted attack campaign with apparent Korean ties has been
stealing email and Facebook credentials and other user-profile
information from Russian telecommunications, IT, and space research
organizations.
FireEye says the so-called "Sanny" attacks appear to indicate that Korea
may be home to the command-and-control and other communications for the
malware. Researchers didn't specify whether it is North or South Korea,
but say that around 80 percent of the victims in the attacks are Russian
organizations.
Ali Islam, security researcher for FireEye, says it's possible that
Korea is being used as a proxy for the attack. But there are a few clues
of a Korean connection: the SMTP email server and command-and-control
servers are based in Korea; the "Batang" and "KP CheongPong" fonts used
in the lure documents are Korean; a Korean message board is used for the
C&C; and the Yahoo email account used in the attacks, "jbaksanny," is
connected to an empty Korean Wikipedia page created by a user named
Jbaksan.
"We believe both countries [North and South Korea] have cyberattack
capabilities. The attacker has done a great job of hiding his/her self
by choosing a public forum as normally with APTs --in contrast to normal
malware-- you don't need a long-lasting CnC," Islam says.
[...]