DPRK accused in DDoS attack

According to Bloomberg:

North Korea was responsible for paralyzing the National Agricultural Cooperative Federation’s computer network in April in a second online attack in two months linked to the Kim Jong Il regime, South Korean prosecutors said.

Hackers used similar techniques employed in cyber assaults that targeted websites in South Korea and the U.S. earlier this year and in 2009, the Seoul Central District Prosecutors’ Office said in an e-mailed statement today. The Unification Ministry criticized the “provocation” and urged North Korea to stop such attacks immediately.

The network of the bank better known in Korean as Nonghyup was shut down on April 12, keeping its almost 20 million clients from using automated teller machines and online banking services. In all of the three bouts of online attacks, a method called “distributed denial service” was used, according to the statement.

Under the DDoS tactic, malicious codes infect computers to trigger mass attacks against targeted websites, according to Ahnlab Inc. (053800), South Korea’s largest maker of antivirus software.

Nonghyup will spend 510 billion won ($477.2 million) by 2015 to boost network security, the bank said in an e-mailed statement. The company received 1,385 claims for compensation related to the network disruption as of May 2, and 1,361 of them have been settled, according to the statement.

North Korea’s postal ministry was responsible for the 2009 attacks, Won Sei Hoon, head of South Korea’s National Intelligence Service, told lawmakers in October that year.

Attacks in March this year targeted 40 South Korean websites, including at the presidential office, the National Intelligence Service, and Ministry of National Defense. They were traced to the same Internet Protocol addresses used in the 2009 episodes, South Korean police said last month.

The hackers prepared for the April 12 attack on Nonghyup for more than seven months, the Seoul Central District Prosecutors’ Office said today.

According the Hankyoreh:

Prosecutors stated that a notebook computer belonging to an employee of the company managing the Nonghyup server became a so-called “zombie PC” after being infected in September 2010 by malicious code distributed by the North Korean Reconnaissance General Bureau, and that North Korea subsequently operated the notebook remotely to attack the Nonghyup computer network.

North Korea did not initially target Nonghyup, but the bank was exposed as a result, prosecutors explained.

As bases for this conclusion, prosecutors cited the fact that one of the IP addresses for the server ordering the attack was confirmed to be administered by the North Korean Reconnaissance General Bureau, along with the strong similarity between the malicious code and distribution methods with previous DDoS attacks concluded to be North Korea’s doing.

Some experts at security companies reacted with skepticism to the prosecutors’ contentions. One expert questioned the explanation that the parties behind the attack used the same overseas command server employed by hackers in the DDoS attacks for operating zombie PCs, noting that its IP address was blocked through the Korea Internet Security Agency.

A computer systems design expert said, “The back door program on the notebook used in the attack could not function if linked with Nonghyup’s internal network, which is cut off from the Internet.”

The argument is that it would have been effectively impossible for an outside party to precisely determine and attack Nonghyup’s computer system structure and work currents and those notebooks authorized for top access without assistance from an inside party.

When questioned about their evidence of North Korea’s direct involvement, prosecutors reiterated that they could not disclose the information because it was related to national security.

The story was also covered by the Daily NK and the AFP.

The Choson Ilbo reports that 200 additional infected computers have been discovered.

Authorities have discovered 200 more so-called zombie computers that have been infected with viruses North Korean hackers planted in September last year. They came across them in the process of investigating the laptop computer of an IBM employee that was used to paralyze the computer network of agricultural cooperative lender Nonghyup.

Prosecutors said Monday that the National Intelligence Service identified 201 port numbers that have been infected with viruses so that they can serve as zombie computers, and the IBM employee’s laptop is one of them. This means not only Nonghyup but any state agency could be the target of a North Korean cyber attack.

Growing Sophistication

South Korean authorities and computer experts say the Nonghyup incident demonstrates the increasing sophistication of North Korea’s cyber warfare capabilities. During a so-called distributed denial-of-service attack on July 7, 2009, North Korean hackers used 435 servers in 61 different countries to spread just one type of virus. During a DDoS attack in March this year, 746 servers in 70 countries were used to plant more than three different types of viruses. The cyber attack against Nonghyup involved a different virus which directly infiltrates the computer network of a bank and deletes not just data but its own tracks as well.

Authorities say finding the 200 zombie computers is as difficult as locating a mole planted by North Korean intelligence. As long as the zombie PCs remain dormant, it is impossible to trace them.

The Korea Herald raises points of skepticism:

Despite prosecutors’ announcement pinpointing North Korea as the culprit for the April 12 cyber attack, security experts say that it is difficult to identify its instigator given the complicated nature of the hacking process.

On Tuesday, investigators at the Seoul Central District Prosecutors’ Office said the Reconnaissance General Bureau, the North’s premier intelligence body, orchestrated the “unprecedented cyber terror” that paralyzed the banking system of the National Agricultural Cooperative Federation, or Nonghyup, for several weeks.

They said that the conclusion came as the methods used in the previous two cyber attacks on a number of key South Korean government and business websites in July 2009 and in March last year were similar to the ones used in last month’s attack.

They also stressed that one of the Internet Protocol addresses used in the attack on the cooperative was identical to that used in last year’s attack.

Experts, however, said that evidence of North Korea’s involvement in the worst-ever cyber attack was too “weak” and only based on “circumstantial assumptions” and that the case could remain unaddressed forever given that identifying the hackers is extremely difficult.

First of all, experts pointed out that hackers usually change IP addresses frequently or use someone else’s address to disguise their identity. Thus, an IP address cannot serve as credible evidence to identify the culprit.

“It appears that prosecutors believe the owner of an empty house with a certain address is the thief who broke into the house while the owner is away,” said a security expert in a media interview on condition of anonymity.

Prosecutors also presented a Media Access Control address which was found on a laptop computer used by the North to launch the attack as evidence. But experts say that the address cannot be reliable as it kept changing on the Internet.

The hacking methods similar to the previous North Korean attacks cannot be clear evidence, either, to hold the North responsible, experts added. They said hackers tend to copy effective methods used by others.

During the announcement, investigative authorities stressed that they could not reveal all pieces of “critical” evidence to the public, citing security concerns. However, their concerns fail to ease doubts over whether the weeks-long result of the prosecutorial investigation is credible.

The North has long focused on cyber warfare. It is known to have established many college-level institutions to produce hackers and stationed cyber warfare personnel in China. The North has used cyber attacks to spy on South Korean government bodies or glean crucial intelligence.

Read more about the DPRK organizations thought to be responsible here.

Share

Comments are closed.


An affiliate of 38 North