A month has passed since the massive hacking of SK Telecom, Korea's largest mobile telecommunications company. Industry attention is focused on how the USIM information of 25 million customers was stolen through the company's server network. The reason is that the data exfiltration was detected only recently, after the malware lay dormant for about three years following its initial installation in 2022. Amid a series of expert assessments that this may not have been a hack carried out merely for money, rumors that it was "China's work" or that "North Korea was involved" are circulating.

Tracking Cyberattack Activities
Against this backdrop, AhnLab ASEC and the National Cyber Security Center (NCSC) recently published a report tracking and analyzing the recent cyberattack activities of the APT (advanced persistent threat) group TA-ShadowCricket, which is believed to be linked to China.

"TA-ShadowCricket," believed to have started its activities more than a decade ago, is an APT group with suspected Chinese links but no confirmed state sponsorship. Because so little information about it is available, it has received relatively little attention even within the security industry. The report contains the results of AhnLab and NCSC's joint tracking of TA-ShadowCricket's activities from 2023 to the present.
Modus Operandi of TA-Shadow Cricket
According to the report, 'TA-ShadowCricket' is an attack group previously known as 'Shadow Force' and is believed to be linked to China. Since 2012 it has been active in Asia-Pacific countries, including South Korea, and has quietly controlled more than 2,000 infected systems around the world by compromising the remote access functions of Windows servers or MS SQL.
Purpose of Hacking
What should be noted is the purpose of the hacking. TA-ShadowCricket has operated by keeping compromised systems under quiet control for long periods after penetration, without the actions typical of ordinary hacking such as monetary demands or data leakage. Security industry experts emphasize that the purpose of APT hacking goes beyond monetary gain and serves a clear strategic goal.

Attack Strategies and Implications
According to the report, the "TA-ShadowCricket" attack group breaks into externally exposed Windows servers by scanning for open ports and brute-forcing passwords against the remote access (RDP) service or the database login. After infection, a backdoor that can control the system remotely is installed, enabling various malicious actions on the infected system without the attacker having to reconnect directly.
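The intrusion pattern described above (password guessing against exposed RDP and MS SQL logins, followed by a successful logon) leaves a characteristic trail in server logs. The following detection routine is an added example written for this article; it is not code from the AhnLab/NCSC report. It assumes Windows Security events exported as one line per event ("timestamp event_id source_ip account logon_type", where 4625 is a failed logon, 4624 a successful one, and logon type 10 is RDP) alongside standard MS SQL errorlog "Login failed for user" lines. All sample log lines are constructed for illustration; the 203.0.113.x and 198.51.100.x addresses are documentation ranges, not real indicators.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not taken from the AhnLab/NCSC report).
# Two shapes are mixed on purpose: a simplified Windows Security event export
# ("timestamp event_id source_ip account logon_type") and MS SQL errorlog lines.
SAMPLE_LOG = """\
2025-05-01T02:00:01 4625 203.0.113.7 administrator 10
2025-05-01T02:00:03 4625 203.0.113.7 admin 10
2025-05-01T02:00:05 4625 203.0.113.7 sqladmin 10
2025-05-01T02:00:06 4625 203.0.113.7 backup 10
2025-05-01T02:00:08 4625 203.0.113.7 test 10
2025-05-01T02:00:10 4624 203.0.113.7 administrator 10
2025-05-01T02:00:11 4624 198.51.100.20 jdoe 10
2025-05-01 02:01:00.12 Logon       Error: 18456, Severity: 14, State: 8.
2025-05-01 02:01:00.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
2025-05-01 02:01:01.50 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
2025-05-01 02:01:02.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
2025-05-01 02:01:04.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
2025-05-01 02:01:05.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
"""

# Assumed export format for Windows Security events (see lead-in).
WIN_RE = re.compile(r"^(\S+) (4625|4624) (\S+) (\S+) (\d+)$")
# Standard MS SQL errorlog shape for a failed login with the client address.
SQL_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+"
    r"Login failed for user '([^']+)'.*\[CLIENT: ([^\]]+)\]"
)


def parse_line(line):
    """Normalize one log line to (timestamp, source_ip, account, kind) or None."""
    m = WIN_RE.match(line)
    if m:
        ts, eid, src, acct, ltype = m.groups()
        if ltype != "10":  # keep only RemoteInteractive (RDP) logons
            return None
        kind = "rdp_fail" if eid == "4625" else "rdp_success"
        return (datetime.fromisoformat(ts), src, acct, kind)
    m = SQL_RE.match(line)
    if m:
        ts, acct, src = m.groups()
        return (datetime.fromisoformat(ts), src, acct, "sql_fail")
    return None  # unrelated line (e.g. the bare "Error: 18456" record)


def detect(lines, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (source_ip, alert_kind, detail).

    A source reaching `threshold` failed RDP or SQL logons inside a sliding
    `window` is flagged once as password guessing. A later successful RDP
    logon from an already-flagged source is escalated, since that is the
    point at which the guessing pattern may have turned into a foothold.
    """
    recent = defaultdict(deque)  # source_ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ts, src, acct, kind in filter(None, map(parse_line, lines)):
        if kind in ("rdp_fail", "sql_fail"):
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                service = kind.split("_")[0]
                alerts.append((src, "password_guessing",
                               f"{len(q)} failed {service} logons within {window}"))
        elif kind == "rdp_success" and src in flagged:
            alerts.append((src, "success_after_guessing", f"account {acct}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample this yields three alerts: password guessing from 203.0.113.7 over RDP, the escalated successful logon as "administrator" from that same source, and password guessing from 203.0.113.9 against the SQL "sa" login; the successful RDP logon from 198.51.100.20 is not reported because that source never crossed the failure threshold. The threshold and window are deliberately parameters, since the right values depend on how noisy a given server's logon traffic already is.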