Incident: Logic Bomb Cyberattack Hits South Korean Banks and Media Companies

Published Date: 2013-03-21

Postmortem Analysis
Timeline
1. The software failure incident happened on March 20, 2013 [17638].

System
1. Microsoft Windows machines
2. Linux servers
3. Trend Micro researchers' systems
4. Technology firm LG's website

Responsible Organization
1. The cyberattack that wiped the hard drives of computers belonging to banks and broadcasting companies in South Korea was caused by a logic bomb in the code, as reported by a security firm in the U.S. [17638]

Impacted Organization
1. Banks in South Korea
2. Broadcasting companies in South Korea
3. ATMs in South Korea
4. Technology firm LG (though it denied being hacked) [17638]

Software Causes
1. A logic bomb in the code dictated the date and time for the malware to begin erasing data from machines, triggering the wiping process across multiple victims [17638].

Non-software Causes
1. The cyberattack was triggered by a logic bomb in the code, which dictated the date and time for the malware to begin erasing data from machines [17638].
2. The attack involved a phishing email sent to South Korean organizations, purporting to come from a bank, with a malicious attachment containing a Trojan [17638].

Impacts
1. The hard drives and master boot records of at least three banks and two media companies were wiped simultaneously, disrupting their operations [17638].
2. Some ATMs were put out of operation, preventing South Koreans from withdrawing cash [17638].
3. After the wiping, users saw the message "Boot device not found. Please install an operating system on your hard disk" on their screens [17638].
4. The malware included a module for deleting data from remote Linux machines, indicating a broader attack on infrastructure systems [17638].
5. The incident led to confusion and speculation about the involvement of a hacking group called WhoIs, although LG denied being hacked and no connection between WhoIs and the attacks in South Korea was confirmed [17638].

Preventions
1. Implementing robust cybersecurity measures such as intrusion detection systems, firewalls, and endpoint protection to detect and prevent cyberattacks like logic bombs [17638].
2. Conducting regular security audits and penetration testing to identify vulnerabilities before attackers exploit them [17638].
3. Educating employees on cybersecurity best practices so that they do not fall victim to phishing emails and malicious attachments [17638].
4. Enforcing strict access controls and regularly updating software to patch known vulnerabilities that attackers could exploit [17638].
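The "Boot device not found" symptom recorded above is what a host shows once its master boot record has been overwritten. As an added example, not code from this incident record or from the firms it cites, the following Python check compares a host's 512-byte MBR against a previously stored baseline hash and validates its structure; it is one concrete form the endpoint-monitoring control in the Preventions list could take. It assumes the MBR bytes have already been read from the boot device (that step needs administrator access and is not included), and both sample MBR images are constructed data rather than real disk contents.

```python
"""Baseline integrity check for a disk's master boot record (MBR).

Added example for this incident record; not code from the original page or
from FortiGuard Labs / Trend Micro. A periodic comparison of the first 512
bytes of the boot disk against a stored baseline is one way a defender can
notice MBR tampering before the next reboot fails. Reading the raw device is
left out; the MBR images below are constructed sample data.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code
PARTITION_ENTRY_SIZE = 16


def parse_partitions(mbr: bytes):
    """Return the four primary partition entries as (status, type, lba_start, sectors)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entry = mbr[off:off + PARTITION_ENTRY_SIZE]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        entries.append((status, ptype, lba_start, sectors))
    return entries


def baseline_hash(mbr: bytes) -> str:
    """SHA-256 of a known-good MBR; store it off-host when the baseline is taken."""
    return hashlib.sha256(mbr).hexdigest()


def check_mbr(mbr: bytes, expected_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    if len(mbr) != MBR_SIZE:
        return ["unexpected MBR length"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if not any(p[1] != 0 for p in parse_partitions(mbr)):
        findings.append("partition table empty")
    if baseline_hash(mbr) != expected_hash:
        findings.append("MBR differs from baseline")
    return findings


# --- constructed sample data (not real disk contents) ---------------------
# Pseudo boot code: any 446 bytes stand in for the boot loader.
_BOOT_CODE = bytes((i * 37) % 256 for i in range(446))
# One active Linux partition (type 0x83) starting at LBA 2048, 204800 sectors.
_PARTITION = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x83,
                         b"\xfe\xff\xff", 2048, 204800)
HEALTHY_MBR = _BOOT_CODE + _PARTITION + bytes(3 * PARTITION_ENTRY_SIZE) + BOOT_SIGNATURE
BASELINE = baseline_hash(HEALTHY_MBR)

# A fully overwritten sector in this constructed sample: all zeros.
WIPED_MBR = bytes(MBR_SIZE)
# Partition table zeroed but boot signature left intact.
TABLE_ONLY_WIPED_MBR = _BOOT_CODE + bytes(64) + BOOT_SIGNATURE


if __name__ == "__main__":
    for name, image in (("healthy", HEALTHY_MBR), ("wiped", WIPED_MBR),
                        ("table-only wiped", TABLE_ONLY_WIPED_MBR)):
        print(f"{name}: {check_mbr(image, BASELINE) or 'OK'}")
```

The structural checks matter alongside the hash: a legitimate bootloader update changes the hash but keeps a valid signature and partition table, so the combination lets an operator separate an expected change from a destructive overwrite.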
Fixes
1. Enhancing cybersecurity measures to prevent logic bombs and malware attacks [17638]

References
1. Security firm FortiGuard Labs, based in Vancouver, the research division of Fortinet [17638]
2. Security firm Trend Micro [17638]
3. Reuters [17638]

Software Taxonomy of Faults

Category Option Rationale
Recurring (option: unknown)
(a) The incident, a cyberattack involving a logic bomb that wiped the hard drives of computers in South Korea, does not indicate a similar incident happening again at the same organization or with its products and services [17638].
(b) The articles do not mention a similar incident happening again at other organizations or with their products and services [17638].
Phase (Design/Operation) (option: design, operation)
(a) The incident, in which banks and broadcasting companies in South Korea were targeted by a cyberattack, was attributed to a logic bomb in the code. The logic bomb dictated the date and time at which the malware would begin erasing data from machines, coordinating the destruction across multiple victims [17638].
(b) In operation, the malware triggered the wiping of hard drives and master boot records on Microsoft Windows machines at a specific date and time. It also included a module for deleting data from remote Linux machines: it searched for remote connections and used stored credentials to access Linux servers and wipe their master boot records [17638].
Boundary (Internal/External) (option: within_system, outside_system)
(a) within_system: The hard drives of banks and broadcasting companies in South Korea were wiped by a logic bomb within the malware's own code, set to trigger the wiping process at a specific date and time and so coordinate the destruction across multiple victims [17638].
(b) outside_system: The attack was initiated from outside, by a phishing email carrying a malicious attachment that posed as coming from a bank. The attachment was a downloader that fetched multiple files from different URLs, leading to the installation of the malware responsible for the attack [17638].
Nature (Human/Non-human) (option: non-human_actions, human_actions)
(a) The incident was primarily caused by a logic bomb in the code, a non-human action: the logic bomb dictated the date and time for the malware to begin erasing data from machines, producing the coordinated destruction across multiple victims [17638].
(b) Human actions also played a role: the malware was distributed through a phishing email with a malicious attachment purporting to come from a bank, and that attachment was a downloader that initiated the attack on the machines. There was also confusion about the involvement of a hacking group called WhoIs, which may have been attempting to associate itself with the attacks [17638].
Dimension (Hardware/Software) (option: software)
(a) The incident was primarily due to a logic bomb in the code, a contributing factor originating in the software itself. The logic bomb dictated the date and time for the malware to begin erasing data, leading to the wiping of hard drives and master boot records at banks and media companies [17638].
(b) The incident was also attributed to a malware attack delivered through a malicious attachment containing a Trojan, another software-related contributing factor. The malware triggered the wiping mechanism on machines and also deleted data from remote Linux machines [17638].
Objective (Malicious/Non-malicious) (option: malicious)
(a) The incident was malicious: it was caused by a cyberattack involving a logic bomb in the code that wiped the hard drives of computers belonging to banks and broadcasting companies. The attack was coordinated to begin erasing data across multiple victims at a specific date and time, indicating a deliberate intent to harm the systems [17638]. The attack also included a module for deleting data from remote Linux machines, showing a comprehensive and targeted approach to causing damage [17638].
(b) Nothing in the articles suggests that the incident was non-malicious.
Intent (Poor/Accidental Decisions) (option: poor_decisions)
(a) The intent behind the incident was likely poor_decisions. The cyberattack that wiped the hard drives of computers in South Korea was set off by a logic bomb in the code, indicating a deliberate and malicious act [17638]. The malware also included a module for deleting data from remote Linux machines, showing a strategic and intentional effort to damage infrastructure as well as desktops [17638]. The attack was coordinated to occur simultaneously across multiple victims, demonstrating a planned and targeted approach [17638].
Capability (Incompetence/Accidental) (option: development_incompetence, accidental)
(a) The incident, in which banks and broadcasting companies in South Korea were targeted by a cyberattack involving a logic bomb, could be attributed to development incompetence. The logic bomb was intentionally set to trigger the wiping of hard drives and master boot records at a specific date and time, indicating a deliberate act of malicious coding by the attackers [17638].
(b) The incident could also be considered accidental to some extent, since the malware was initially delivered through a phishing email with a malicious attachment posing as coming from a bank. The initial infection may therefore have occurred unintentionally, through unsuspecting users opening the attachment, which led to the subsequent triggering of the wiping mechanism [17638].
Duration (option: permanent)
(a) The incident was permanent. The cyberattack that wiped the hard drives of computers belonging to banks and broadcasting companies in South Korea was triggered by a logic bomb in the code that dictated the date and time at which the malware would begin erasing data [17638]. The attack wiped the hard drives and master boot records of at least three banks and two media companies simultaneously, causing significant damage and disruption. The malware overwrote the hard drive and master boot record on Microsoft Windows machines and then rebooted the system, rendering the affected machines inoperable [17638].
(b) The incident was not temporary: the attack caused permanent damage to the affected systems, with the malware wiping data and causing disruption that required significant recovery efforts. It was not a transient glitch or error but a deliberate and destructive cyberattack with lasting consequences for the targeted organizations [17638].
Behaviour (option: crash, omission, timing, value, other)
(a) crash: The malware triggered the wiping of hard drives and master boot records on Microsoft Windows machines belonging to banks and broadcasting companies, causing them to crash and display the message "Boot device not found. Please install an operating system on your hard disk" [17638].
(b) omission: By wiping the master boot records of remote Linux machines, the malware caused those systems to omit their intended functions. It searched for remote connections and used stored credentials to access Linux servers and delete data [17638].
(c) timing: The wiping process was timed to begin at a specific date and time dictated by a logic bomb in the code; the malware was set to trigger on March 20, 2013, at 2 pm local time, a timing-related failure [17638].
(d) value: The system performed its intended functions incorrectly: the malware was designed to erase data from machines belonging to banks and media companies, causing financial disruption and preventing South Koreans from withdrawing cash from ATMs [17638].
(e) byzantine: The incident did not exhibit byzantine behaviour as described in the articles.
(f) other: The incident also involved a phishing email with a malicious attachment containing a Trojan. Spreading malware through phishing emails is an aspect of the incident not covered by options (a) to (e) [17638].

IoT System Layer

Layer Option Rationale
Perception (option: network_communication, embedded_software)
(a) sensor: The incident was not directly related to sensor errors. It involved a cyberattack that wiped the hard drives of computers belonging to banks and broadcasting companies, triggered by a logic bomb in the code that dictated the date and time for the malware to begin erasing data [17638].
(b) actuator: The incident did not involve actuator errors. The cyberattack primarily targeted the hard drives and master boot records of computers, wiping them and leaving the message "Boot device not found. Please install an operating system on your hard disk" [17638].
(c) processing_unit: The failure was not due to errors introduced by the processing unit. The attack used a logic bomb in the code to coordinate the destruction of data across multiple victims at a specific date and time [17638].
(d) network_communication: The incident did involve network communication errors. The malware included a module for deleting data from remote Linux machines: it searched for remote connections and used stored credentials to access Linux servers and wipe their master boot records, so the attackers reached infrastructure components as well as desktops over the network [17638].
(e) embedded_software: The failure was related to errors introduced by embedded software. The malware included a file that triggered the wiping process and a hex string indicating the date and time at which the attack would begin, as well as the module for deleting data from remote Linux machines [17638].
Communication (option: unknown)
The incident was not related to the communication layer of the cyber-physical system that failed. It was primarily caused by a logic bomb in the code triggering a cyberattack that wiped the hard drives of computers belonging to banks and broadcasting companies in South Korea [17638]. The malware wiped hard drives and master boot records and also had a module for deleting data from remote Linux machines. The attack was coordinated to begin at a specific date and time, indicating a deliberate and targeted cyberattack rather than a failure at the communication layer.
Application (option: FALSE)
The incident described in article [17638] was not related to the application layer of the cyber-physical system. It was caused by a cyberattack involving a logic bomb in the code that triggered the wiping of hard drives and master boot records of computers belonging to banks and broadcasting companies in South Korea. The attack was orchestrated to begin erasing data at a specific date and time, affecting multiple victims simultaneously. The malware included files such as AgentBase.exe, which initiated the wiping process at the predetermined date and time, and could also delete data from remote Linux machines, indicating an infrastructure-focused attack rather than a failure of a specific application layer.

Other Details

Category Option Rationale
Consequence (option: property, non-human)
(d) Property: People's material goods, money, or data were affected by the software failure. The cyberattack involving a logic bomb wiped the hard drives and master boot records of computers belonging to banks and broadcasting companies in South Korea, destroying data across multiple victims, including at least three banks and two media companies. As a consequence, some ATMs were put out of operation, preventing South Koreans from withdrawing cash. The malware also included a module for deleting data from remote Linux machines, indicating a broader impact on infrastructure beyond desktops [17638].
Domain (option: information, finance)
(a) The failed system supported the information industry, specifically banks and broadcasting companies in South Korea. The cyberattack targeted computers belonging to these organizations, wiping their hard drives and master boot records [17638]. It affected the operations of at least three banks and two media companies, putting ATMs out of operation and preventing South Koreans from withdrawing cash [17638].
(h) The failed system was also related to the finance industry, as the attack targeted banks in South Korea, wiping the hard drives of their computers and disrupting their operations [17638].
(m) The incident was not related to any other industry in the options provided.

Sources
