There are valuable security lessons for Canadian government agencies and businesses in the cyber attacks that caused massive disruptions for South Korean financial firms and media outlets yesterday, according to a Toronto-based security expert.
Computer networks of at least three media broadcast stations, an Internet service provider and two banks were paralyzed on Wednesday. The attack involved defacement of the ISP’s site and crippling of the servers belonging to the other organizations.
Security software company McAfee Inc. said the attack wiped out the master boot records (MBRs) of the hard drives of the infected computers and overwrote the MBRs with a set of three different data strings.
“The attacks also overwrote random parts of a file system with the same string, rendering several files unrecoverable,” said a blog post by malware researchers Jorge Arias and Guillermo Veneer. “So even if the MBR is recovered, the files on disk will be compromised too.”
The attack forces the system to reboot, after which the computers are unable to restart because of the corrupted MBR.
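Added example, not code from the article or from McAfee or Symantec: a small Python checker that reads the first sector of a disk image and flags the symptoms the researchers describe (a missing 0x55AA boot signature, an empty partition table, or a sector filled with one repeated string). The sample MBRs and the marker string are constructed for the example; a sector that is entirely zero will also be flagged, so treat the result as a triage signal rather than a verdict.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR


def read_mbr(path: str) -> bytes:
    """Read the first 512 bytes (the MBR) from a raw disk image or block device."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    """Parse the four 16-byte partition entries (offset 446) and the boot signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype != 0:  # type 0 means an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE, "partitions": partitions}


def repeated_pattern(data: bytes, max_len: int = 16):
    """Return the shortest unit (up to max_len bytes) whose repetition reproduces data, else None."""
    for n in range(1, max_len + 1):
        unit = data[:n]
        if unit * (len(data) // n) + unit[: len(data) % n] == data:
            return unit
    return None


def assess_mbr(sector: bytes) -> dict:
    """Flag an MBR that looks overwritten: bad signature, no partitions, or a repeated string."""
    info = parse_mbr(sector)
    pattern = repeated_pattern(sector[:446])  # bootstrap code area
    suspect = (not info["signature_ok"]) or (not info["partitions"]) or pattern is not None
    return {**info, "pattern": pattern, "suspect_wipe": suspect}


# Constructed samples: a healthy MBR with one bootable Linux partition, and one
# overwritten end to end with a placeholder marker string (not the real attack strings).
_BOOTSTRAP = (bytes(range(256)) * 2)[:446]
_ENTRY = struct.pack("<B3xB3xII", 0x80, 0x83, 2048, 1_000_000)
HEALTHY_MBR = _BOOTSTRAP + _ENTRY + bytes(48) + BOOT_SIGNATURE
_MARK = b"WIPED-MARKER-"
WIPED_MBR = (_MARK * (SECTOR_SIZE // len(_MARK) + 1))[:SECTOR_SIZE]
```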
The office of the South Korean government told media that the disruption was caused by malware and that investigators are looking into the possibility of North Korean involvement. A week earlier, North Korea suffered an Internet outage that impacted users of the country’s 1,024 Internet Protocol (IP) addresses for over a day.
Symantec Corp. yesterday said it detected malware such as Trojan Horse, Trojan.Jokra and WS.Reputation.1 in the attacks. Today, the company said it also found that a malware component used to erase Linux machines was employed by the attackers.
“The real motives of the attack are also unclear but in recent times there has been a ramping up of political tensions in the Korean peninsula and these attacks may be part of either a clandestine attack or the work of nationalistic hacktivists taking issues into their own hands,” Symantec said.
South Korea is reported to be upgrading its information surveillance posture and has accused its neighbor of hacking into the computer systems of the country’s government agencies and financial companies over the years. North Korea has denied these allegations.
Popa said the real lesson behind yesterday’s disruption is that organizations need to continually review their networks and address vulnerabilities diligently.
“Being lazy will always backfire,” he said. “If organizations take the time to plug vulnerabilities as fast as they can, they can avoid being victims of attacks such as this one.”
Popa said government as well as business IT administrators and decision makers should:
– Make sure networks are resilient enough to withstand threats and that vital and operational systems are still able to operate even in the face of a cyber attack
– Create an effective backup strategy that outlines policies and procedures and allocates resources for the security, storage and recovery of data; continuity of operations; and a quick return to previous capacity