The identities of the hackers, and the value of any information they have acquired, are not known to U.S. and South Korean researchers who have studied line after line of computer code. But they do not dispute South Korean claims that North Korea is responsible. Experts said the links to military spying fuel Seoul’s allegations.


Researchers at Santa Clara, California-based McAfee Labs said the malware was designed to find and upload information referring to U.S. forces in South Korea, joint exercises or even the word “secret.”


McAfee said versions of the malware have infected many websites in an ongoing attack that it calls Operation Troy because the code is peppered with references to the ancient city. McAfee said that in 2009, malware was implanted into a social media website used by military personnel in South Korea.


“This goes deeper than anyone had understood to date, and it’s not just attacks: It’s military espionage,” said Ryan Sherstobitoff, a senior threat researcher at McAfee who gave The Associated Press a report that the company is releasing later this week. He analyzed code samples shared by U.S. government partners and private customers.


McAfee found versions of the keyword-searching malware dating to 2009. A South Korean cybersecurity researcher, Simon Choi, found versions of the code as early as 2007, with keyword-searching capabilities added in 2008. It was made by the same people who have also launched prior cyberattacks in South Korea over the last several years, Choi said.


Versions of the code may still be trying to glean military secrets from infected computers. Sherstobitoff said the same coded fingerprints were found in an attack on June 25 — the anniversary of the start of the 1950-53 Korean War — in which websites for South Korea’s president and prime minister were attacked. A day later the Pentagon said it was investigating reports that personal information about thousands of U.S. troops in South Korea had been posted online.


Cyberspying targeted South Korea, U.S. military