Claimed hacker group probably just a drill: report


OnionDog, an advanced hacker group a Chinese firm claimed was targeting Korean-speaking energy and transit firms, was probably just a military drill, claims a new report. 

Researchers at Trend Micro examined three years' worth of malware from OnionDog — around 200 samples in total — and found evidence that the malware was likely developed and used in joint U.S./South Korean military exercises.

In March of last year, the Chinese antivirus firm Qihoo 360 detailed OnionDog as a rising threat. 

"In view of OnionDog's pattern of activity, we are likely to observe a new round of attacks this summer," they wrote in a press release.

According to Trend Micro's analysis, the attacks were predictable each summer for a reason — that's when the U.S. and South Korea run the "Ulchi Freedom Guardian Drills," which include drills to protect digital infrastructure from attack. 

In fact, samples of OnionDog even contained a pop-up message translating to "2013 Ulchi drill cyber threat response training. Please let your administrator know you are infected with malicious code."

Trend Micro noted other anomalies with the purported attacks, including that the malware printed error messages. Error messages are not useful for real malware, which generally tries to stay under the radar.

OnionDog does not appear to cause actual damage. 

The company cautions that using live malware in drills can be dangerous, even as a test. If the malware escapes the test group, it can cause panic, or even real damage if a program intended to be benign contains coding errors that cause harm.

"The dangers and risks of using live malware, or even simulated malware, lie in the ability to contain them. In small exercises, for instance, if the person responsible for the malware goes out for the day for any reason—there’s nothing to help stop it if things go out of control," reads the Trend Micro report. 

South Korea is a frequent target of destructive cyberattacks, typically believed to come from North Korea.