Tag Archives: cyberespionage South Korea

Who Trusts Microsoft? The Locked-In

Leave a reply

In 2024, the Department of Homeland Security released a scathing report detailing Microsoft’s mistakes during a 2023 hack in which China stole thousands of emails from top government officials. Two years before that, China-linked cyberattackers compromised more than 250,000 Microsoft Exchange servers. In response to the 2024 report, Nadella, the CEO of Microsoft, promised to rededicate Microsoft to protecting its products and its customers from bad actors…

Shortly after Nadella took the reins, Microsoft eliminated the group that had companywide responsibility for Microsoft’s security work, pushing security decisions to the individual business units. Around the same time, Microsoft changed the way it developed software, laying off many of the test engineers charged with uncovering bugs before products ship to customers…

With regard to the July 2025 Microsoft hack, researchers said more than 400 SharePoint servers had been hacked—many of them belonging to government entities—and Microsoft had linked some of the attacks to the Chinese government

In previous episodes, such as the massive 2021 hack of the Microsoft Exchange email system, China pulled off impressive technical feats before being caught…

Regarding the 2025 SharePoint cyberattack, Eye Security researchers discovered, on July 18, 2025 an unauthorized script on a SharePoint server belonging to one of their customers. As the Eye team dug in, they started finding the same script on about 150 other SharePoint servers all over the internet…The script opened a back door to the SharePoint servers, creating an encryption key that could be used later to run commands on the machine. “It was just like a door key left on the street,” said Kerkhofs. “It was accessible for everybody. We just started scanning and we grabbed all the keys.”…Microsoft, learning that hackers were exploiting the bugs, called in its security team.

Eventually the Eye team discovered 80 infected organizations. European government agencies were compromised, as were U.S. federal agencies, municipalities and universities…

On July 20, 2025, the Energy Department confirmed that it was a victim… News of the compromise was reported by Bloomberg, which said that the National Nuclear Security Administration was specifically victimized.

Excerpt from Robert McMillan, A Failed Microsoft Security Patch Is the Latest Win for Chinese Hackers, WSJ, July 25, 2025

Cyber-Attacks on South Korea 2009-2013

Leave a reply

The massive cyber attacks on South Korean banks and broadcasters earlier this year were part of a broad campaign of cyber espionage which dates back at least to 2009, a US security firm has concluded. The study by the firm McAfee  (Dissecting Operation Troy: Cyberespionage in South Korea) stopped short of blaming specific entities for the March 20 onslaught but said it found a pattern of sophisticated attacks, including efforts to wipe away traces that could lead to detection.  “The level of sophistication would indicate it is above and beyond your average individual or run-of-the mill hacktivism group,” said James Walter, a McAfee researcher and co-author of the study.

An official South Korean investigation in April determined North Korea’s military intelligence agency was responsible for the attacks which shut down the networks of TV broadcasters KBS, MBC and YTN, halted financial services and crippled operations at three banks….

But McAfee said the attacks represented only a small portion of the cyber campaign being carried out since 2009.  “One of the primary activities going on here is theft of intellectual property, data exfiltration, essentially stealing of secrets,” Walter said.  The report said the attacks, known first as Dark Seoul and now as Operation Troy were “more than cybervandalism… South Korean targets were actually the conclusion of a covert espionage campaign.”  McAfee concluded that two groups claiming responsibility for the attack were not credible.  “The clues left behind confirm that the two groups claiming responsibility were a fabrication to throw investigators off the trail and to mask the true source,” the report said.

Walter said that it is possible that with the campaign nearing detection, the hackers launched these attacks to distract the public and then sought to blame them on little-known entities, the NewRomanic Cyber Army Team, and the Whois Hacking Team.  He added that up to now, the cyber espionage effort “has been very successful in being under the radar” and that “what we see now was a more visible activity that is coupled with a distraction campaign.”

McAfee concluded that the remote-access Trojan was compiled January 26, and a component to wipe the records of numerous systems was compiled January 31.”The attackers who conducted the operation remained hidden for a number of years prior to the March 20 incident by using a variety of custom tools,” the report said.  “Our investigation into Dark Seoul has found a long-term domestic spying operation underway since at least 2009… We call this Operation Troy, based on the frequent use of the word ‘Troy’ in the compile path strings in the malware.”  McAfee carried out the study as part of its research into cybersecurity issues, Walter said.

The attack came days after North Korea had accused South Korea and the United States of being behind a “persistent and intensive” hacking assault that temporarily took a number of its official websites offline.  It also coincided with heightened military tensions on the Korean peninsula, following Pyongyang’s nuclear test in February.

South Korean cyber attacks tip of the iceberg: McAfee, Associated Press, Agence France Press, July 10, 2013