It’s difficult to trust anything South Korean on anything North Korean these days, given the blustery overreaction sparked by “triple-witching” on the Korean peninsula: a new, unproven South Korean executive; a new, unproven North Korean leader and parliamentary elections; a second-term American leader beset with a Republican opposition. For what it’s worth, Seoul says Pyongyang hacked its government agencies and banks last month.
Last month’s mysterious cyber attack that crippled banks and television stations in South Korea was executed by North Korea’s intelligence agency, according to official investigators based in Seoul.
The findings were revealed in the Korea Herald today as South Korea’s Ministry of Science, ICT (information communications technology) and Future Planning connected the attacks to North Korea’s Reconnaissance General Bureau.
On March 20, the computer systems of local South Korean television stations KBS, YTN, and MBS, as well as banking firms Shinhan, Jeju, and NongHyup, experienced major disruptions in what appeared to be a coordinated attack. Because of recent regional tensions, international security experts immediately raised the possibility of North Korea’s involvement, but South Korean officials appeared hesitant to lay the blame on its neighbor. A day after the attack, South Korean investigators reportedly traced the attack to an IP address in China, but quickly retracted those claims, adding to the confusion regarding the source of the attack.
Finally, during a major press conference today (above), the ministry outlined the specifics of the now confirmed North Korean cyber attack. “The attacker gained control of personal computers or server computers within the target organizations at least eight months ago,” the agency said. “After maintaining monitoring activities, [the attackers] sent out the command to delete data stored in the server, and distributed malware to individual computers through the central server.”
Officials also tagged at least six computers in North Korea as the source of South Korean banking attacks that span as far back as June 2012.
The Korea Herald offered more of the reasoning behind the analysis by the South Korean Ministry of Science, ICT and Future Planning (rolls off the tongue at cocktail parties, doesn’t it?).
The investigation has shown that more than 30 of the 76 different types of code collected from equipment affected or involved in last month’s attack were identical to those used in previous attacks.
In addition, 22 of the 49 internet protocol addresses involved in the attack were the same as those used in cyber attacks carried out by North Korea since 2009, the Science Ministry said.
The investigators also said that at least six computers located within North Korea accessed the financial institutions’ computer systems on 1,590 occasions since June 28, 2012.
Over the period, the North Korean hackers spread malware and extracted information stored in the affected computers.
It’s hard to see this as Seoul’s full-court press to convince the world that it’s a victim. Until I find out that North Korea isn’t just the dupe of non-government or non-military hacktivists, I have to doubt any analysis coming from either capital.