The so-called Dark Seoul attack on financial services and media firms in South Korea last March utilized a broad range of technology and tactics beyond wiping out data in the hard drives of infected PCs, according to McAfee Labs.
Initial reports in the wake of the attack focused on the Master Boot Record (MBR) wiping functionality.
McAfee Labs said its investigation into the incident uncovered a long-term domestic spying operation, based on the same code base, against South Korean targets.
The forensic data indicates that Dark Seoul is actually just the latest attack to emerge from a malware development project that has been named Operation Troy, it added.
The primary suspect group in these attacks is the New Romanic Cyber Army Team (NRCAT), which makes significant use of Roman terms in its code.
Software developers (both legitimate and criminal) tend to leave fingerprints and sometimes even footprints in their code. Forensic researchers can use these prints to identify where and when the code was developed.
Sometimes, as in the case of the NRCAT, the developers insert such fingerprints on purpose to establish “ownership” of a new threat.
McAfee Labs said these operations remained hidden for years and evaded the technical defenses that the targeted organizations had in place. Much of the malware from a technical standpoint is rather old, with the exception of Concealment Troy, which was released in early 2013.