Malware called Jokra contains a module for wiping remote Linux machines. The malware specifically looks for login credentials saved by two specific SSH clients: mRemote and SecureCRT. It uses any stored root credentials to log into remote Linux servers: for AIX, HP-UX, and Solaris servers it deletes the MBR. It also attempts to shut down two South Korean antivirus products made by the companies Ahnlab and Hauri. A previous cyberattack on South Korea had been traced to North Korea using a Chinese IP address.
Source: https://thehackernews.com/2013/03/south-korea-cyber-attack-wiper-malware.html