Kaspersky bod Kurt Baumgartner has released more details on the Sony-plundering malware and links it to attacks on Saudi Aramco and South Korea.
Research conducted in the wake of the epic Sony breach last month had connected those behind the attack known as the Guardians of Peace (GOP) with the 2012 hacking of Saudi Aramco by ‘WhoIs Team’ that hit 30,000 computers with the Shamoon malware at a time when tensions were high between Saudi Arabia and Iran.
The malware served to Sony disabled or destroyed corporate machines forcing the firm to enter an IT lock-down. It was dubbed BKDR_WIPALL by Trend Micro and Destover by Kaspersky.
“In all three cases: Shamoon, Dark Seoul and Destover, the groups claiming credit for their destructive impact across entire large networks had no history or real identity of their own,” Baumgartner (@k_sec) wrote in an analysis piece.
“All attempted to disappear following their act, did not make clear statements but did make bizarre and roundabout accusations of criminal conduct, and instigated their destructive acts immediately after a politically-charged event that was suggested as having been at the heart of the matter.
“Images from the Dark Seoul Whois and Destover GOP groups included a ‘hacked by’ claim, accompanied by a ‘warning’ and threats regarding stolen data. Both threatened that this was only the beginning and that the group will be back.”
A further point linking the Sony and South Korea attacks was in the styling of the defacements used, which used skulls and the same colours. The GOP bore a group name with a similar cheesy 90 hacker phonetic structure to the Saudi Aramco culprits known as the ‘Cutting Sword of Justice’.
There were technological similarities too. Shamoon and Wiper used off-the-shelf EldoS RawDisk drivers maintained in the dropper’s resource section, while Shamoon and Dark Seoul dropped political messages to overwrite disk data and the master boot record.
The hackers worked to a tight deadline in the Dark Seoul and Sony attacks compiling executables two days before attack.
Shamoon components were similarly rushed having been built five days from d-day.
The commonalities were no smoking gun pointing to North Korea, but the links between the attack campaigns was “extraordinary” given the high profile nature of the victims, Baumgartner said.
“… it should be noted that the reactionary events and the groups’ operational and tool set characteristics all carry marked similarities [and] it is extraordinary that such unusual and focused acts of large scale cyber-destruction are being carried out with clearly recognisable similarities,” he said.
Sony would be likely able to recover its wiped data if the malware was close-enough to that used in Shamoon and Dark Seoul, Baumgartner said.