Cyberattack on Nonghyup Bank traced to North
South Korean prosecutors said the massive April 12 cyberattack on Nonghyup Bank was orchestrated by North Korea, but many questions about the incident remain.
The Seoul Central District Prosecutors’ Office said that North Korea was behind the cyberattack after its investigators discovered the same media access control (MAC) address that had been used in the March 4 DDoS (distributed denial of service) attack earlier this year. That attack was tentatively traced to North Korea.
The MAC address was found on a laptop belonging to an employee of IBM Korea, a contractor for Nonghyup Bank; the attackers had taken control of that laptop to gain access to Nonghyup’s servers.
On April 12, the electronic banking system of the National Agricultural Cooperatives Federation (Nonghyup), Korea’s main agricultural cooperative, was hit by a cyberattack that shut it down, leaving 30 million account holders stranded for several days.
Prosecutors initially suspected an inside job but now say that North Korea got lucky by randomly infecting a computer that happened to be hooked up to a major South Korean organization’s servers. They say the attack didn’t have a clear or obvious purpose except for causing trouble.
Prosecutors said they found 81 pieces of malicious code on the IBM worker’s laptop that had been encrypted to evade discovery. The encryption method, prosecutors said, was very similar to that used in the DDoS attacks of March this year and of July 2009, both of which North Korea was believed to be behind.
Seoul prosecutors said the IBM worker’s computer had been infected on Sept. 4, 2010, and was subsequently controlled remotely over the Internet to extract information.
Kim Young-dae, a senior prosecutor from the Seoul Central District Prosecutors’ Office, said, “1,073 A4 pages worth of information were taken during the past seven months.” Kim said a key-logging program had been installed, giving the perpetrators access to administrator passwords. However, the data extracted was not related to customer transactions, Kim said.
The laptop was then ordered to carry out the destructive attack, and on April 12 it wrecked 273 of Nonghyup’s 587 servers in two waves lasting 40 minutes.
Hackers deleted the malicious programs from the laptop after the attacks, prosecutors said, which made tracking them “extremely difficult.”
Kim said the perpetrators hadn’t targeted Nonghyup, but by chance managed to infect a computer linked to its servers.
“They checked out the laptop and it turned out to be owned by a system administrator,” he said. “Then they attacked Nonghyup.”
But North Korea’s involvement isn’t proven. The cyberattacks of this March and of 2009 remain unsolved, and South Korean authorities closed those investigations with nothing more than suspicions about North Korea’s involvement.
Asked whether they had more proof to back their allegations against the North, prosecutors said the MAC address had been “specially managed” by the North in the past.
“It took seven months for them to work this out, and it must have taken a great number of people from planning to execution,” said Kim. “This can be seen as proof that North Korea was behind it and that dozens of people were involved in this attack for no special purpose. We cannot go into detail because this is a matter of national security.”
Kim said that several IP addresses were tracked from the IBM worker’s laptop but none could be confirmed to be from the North.
Nonghyup has been scrambling to stabilize its banking system, spending 500 billion won ($468 million) to build stronger security.
IBM Korea may also be in for a hit, as prosecutors said yesterday that the faulty management of the laptop, and the fact that administrator passwords were not changed for the seven months that the laptop was under the hackers’ control, could be a criminal offense.
“We plan to provide our services smoothly for Nonghyup,” said Hong Yong-ki, who is in charge of public relations at IBM Korea. “I do not feel that it is appropriate at this time to say anything further [about the case] until the investigation by the prosecutors is over.”
By Christine Kim
Related article in Korean [JoongAng Ilbo]
North Korea’s Reconnaissance General Bureau, which attacked the Cheonan, carried out the Nonghyup attack
Prosecutors: “A cyberattack prepared over seven months”
The paralysis of Nonghyup’s computer network on the 12th of last month has turned out to be a “cyber terror” attack by North Korea’s Reconnaissance General Bureau. On the 3rd, Advanced Crime Investigation Division 2 of the Seoul Central District Prosecutors’ Office announced that “this network paralysis was carried out, after long and meticulous preparation, by the same group that carried out the 7·7 DDoS (distributed denial of service) attack in 2009 and the 3·4 DDoS attack this year.” In this regard, the National Intelligence Service stated that “the group in question is North Korea’s Reconnaissance General Bureau.”
Prosecutors said, “Analysis of the 81 pieces of malicious code found on the laptop of a Korea IBM employee, a Nonghyup contractor, from which the attack command was issued, showed them to be very similar to those found in the two DDoS incidents.” An official on the investigation team said, “The file extensions and their order, and the way character notation was altered to hamper analysis, were identical to those in the 7·7 DDoS attack.” The official also explained that among the Internet Protocol (IP) addresses that had connected to the laptop, one was found that matched a ‘hacking IP’ of North Korea’s Reconnaissance General Bureau.
According to prosecutors, in September of last year North Korea distributed malicious code through a domestic file-sharing (“webhard”) site, S. The Korea IBM employee’s laptop was infected with this malicious code and turned into a “zombie PC,” and after seven months of preparing the attack, North Korean hackers issued the deletion command through the laptop.