Approximately 32,000 financial and media industry computers were infected by an attack in South Korea last Wednesday. Originally, it was thought that the IP address of origin was Chinese. But as per a BBC report, the IP address was configured on a server at the Nonghyup Bank, which was one of the banks hit in the attack. In other words, the attack seems to have come from within. Another thing to consider is this: the attacks were very successful at destroying data and bringing down systems. This attack impacted the financial sector of South Korea. Had they used a different tool, the attackers might have stolen vast amounts of money; instead, they elected to cause damage. Is this a random act of chaos and destruction, or a diversion?
The 32,000 computers belonged to six South Korean banks and broadcasters. The attack erased random data on the systems' hard drives and destroyed the master boot record (MBR); the virus, detected by ClamAV as Win.Trojan.Agent-257543, then forced the systems to reboot, leaving them inoperable.
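As an added example (not code from the original post or from any of the organisations named), here is a small baseline check for the kind of MBR overwrite described above: it parses a 512-byte first sector, verifies the 0x55AA boot signature and partition table, and compares a SHA-256 of the sector against a stored known-good value. The sample sector is constructed; on a real host the 512 bytes would be read from the raw disk device, which requires administrator privilege.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446           # four 16-byte entries follow the boot code


def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte MBR: boot signature, non-empty partition entries, SHA-256."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4)
        status, p_type, lba_start, num_sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if p_type != 0:  # type 0x00 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80, "type": p_type,
                               "lba_start": lba_start, "sectors": num_sectors})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "partitions": partitions,
            "sha256": hashlib.sha256(sector).hexdigest()}


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Compare a sector to a known-good baseline; an empty list means no findings."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if not info["partitions"]:
        findings.append("partition table empty")
    if info["sha256"] != baseline_sha256:
        findings.append("MBR hash differs from baseline")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample MBR (not a real disk image): one bootable partition of type 0x83."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x83, b"\x00\x00\x00", 2048, 1_000_000)
    return bytes(PARTITION_TABLE_OFFSET) + entry + bytes(48) + BOOT_SIGNATURE


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = parse_mbr(good)["sha256"]    # record this at build time, store it off-host
    print("healthy:", check_mbr(good, baseline))
    # A wiper that overwrites the first sector leaves zeros or garbage: every check fails.
    print("wiped:", check_mbr(bytes(MBR_SIZE), baseline))
    # Real use (needs root/administrator): sector = open("/dev/sda", "rb").read(512)
```

Run the check from a scheduled job and alert on any non-empty result; the stored baseline hash must live somewhere the host itself cannot overwrite.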
Who else stands to gain by this being in the news? There are folks pushing an agenda of "more secure" boot management technologies... but they wouldn't do something like this, would they?
Clearly the lesson learned thus far is once again a story of maintaining current anti-virus protections. It will no doubt also come down to operational security, though. Who has physical access to which computers in your environment? Can anyone with physical access to a computer stick a USB thumb drive into it and have it load? We can help you CyberCede.