The South Korean military has been under attack for four years in a campaign which has been linked to the attack in March which wiped the data from 30,000 PCs.
A cyber-espionage campaign which gave hackers access to a huge range of sensitive South Korean military documents has been ongoing for at least four years, according to a new report, but the identity of the attackers remains unknown.
At 2pm local time on 20 March, some 30,000 PCs belonging to TV stations and banks in Seoul simultaneously crashed, forcing the media outlets offline and suspending services for the banks' customers.
The so-called Dark Seoul attack was immediately seen as an attack on the South by North Korea at a time when tensions on the Korean peninsula were high, with the South claiming it had satellite imagery to prove North Korea was preparing to fire short-range missiles over the border.
All fingers in the South immediately pointed toward Pyongyang, but the South Korean government was initially reluctant to assign blame. However, a subsequent investigation by the Korea Internet Security Center at the state-run Korea Internet & Security Agency linked the attack to six computers based in North Korea.
Now a report by security firm McAfee has found that the Dark Seoul attack was just the latest effort in a cyber campaign which has been operational since at least 2009.
While McAfee's report doesn't go as far as identifying the attackers' location or motives, suspicion will remain on North Korea considering the target of the attack and the information the attackers were looking for.
While the Dark Seoul attack was aimed at civilian targets in the South, the previous attacks in the campaign - dubbed Operation Troy for repeated mentions of the fabled city in the malware code - have all targeted the South Korean military.
According to the McAfee report, the group used what is called a "watering hole attack" to infect PCs associated with the South Korean military. In this type of attack, the hackers infect a website - this time a military-related website - and when anyone visits the site, malware is automatically and silently downloaded to the user's computer.
The malware used in these attacks catalogued the PCs' directories and searched documents for sensitive keywords such as "weapon", "US Army", "tactics", "brigade", "logistics" and "Operation Key Resolve" - the last term being a joint annual military exercise carried out with the US.
Pick and choose
In an attempt to avoid detection, the malware would not upload all documents to the hackers' servers but would allow the attackers to pick and choose which documents they wanted to see.
Along with watering-hole attacks, the hackers used spear-phishing campaigns, in which official-looking emails containing malware, or links to websites which contain malware, were sent to members of the military.
The South Korean defence ministry played down the potential threat, telling the Associated Press that none of its computers which hold classified reports were connected to the internet.
The Pentagon said it was looking into the report from McAfee.