Hacker IP traced to China

Officials of the Digital Forensic Team at the National Police Agency examine hacked hard drives collected from TV broadcasters and financial institutions yesterday at the Cyber Terror Response Center in western Seoul. Three major TV stations and three banks suffered cyberattacks on Wednesday, with over 32,000 computers damaged across the six targeted companies. By Kim Seong-ryong

One Internet Protocol (IP) address used in the massive cyberattacks waged against major TV networks and financial institutions Wednesday was discovered to be from China, adding weight to the widely held speculation that North Korea was behind the action.

A joint government-civilian-military team, formed in response to the cybersecurity breach, announced its initial findings, based on analysis of data collected from Nonghyup Bank, that the malicious code that paralyzed the network systems came from a Chinese IP address.

“After we analyzed the network systems of Nonghyup [one of the three banks hacked], we discovered an IP address from China accessed a bank server that managed [antivirus] software updates, which then produced malicious files,” Park Jae-moon, director of the Korea Communications Commission’s network policy team told reporters during a briefing yesterday.

The director said it was through the virus-infected update-management server that other computers at the bank headquarters and branches were also infected with the malware.

The embedded malicious code, delivered by unidentified hackers with the Chinese IP address, was programmed to start destroying the boot function of the computers to paralyze the network system.


South Korea is under cyberattack. After major broadcasters and financial institutions were hit, the situation room of the Korea Internet & Security Agency’s Internet Incident Response Center also became busy. On the 21st, staff monitor in real time, via the “Cyber Threat Status Monitor,” DDoS and malware attacks flowing into Korea from around the world. The system was built in December 2010 to respond to cyberattacks. Malicious code attacking Korea is shown as yellow lines and DDoS attacks as red lines. The red horizontal band across the globe indicates the volume of DDoS traffic currently attacking Korea. [By Ahn Sung-sik]

The watchdog added the same method was used for other hacked companies in what appeared to be a single-entity-driven operation, judging from the fact that “the malware all damaged the hard disks of contaminated computers” and “identical character codes were discovered” in the computer servers at the six damaged firms.

The state-run body also reported 32,000 computers and network servers of the six targeted institutions were sabotaged.

Experts say it is hard to track down the IP address if it comes from a third country, such as China, which is why Pyongyang is strongly thought to have orchestrated the massive infiltration Wednesday. North Korea is thought to have carried out its cyber-espionage attempts in the past via IP addresses in China, an allegation the communist state has denied so far.

“As we have identified a source of the attack, many different scenarios [about the attack] are possible now. We are now doing our best to identify those responsible for the hacking,” added the official.

The spontaneous cyberattack waged on Wednesday caused shutdowns of computer servers at three TV network stations, MBC, KBS and YTN, and hindered banking transactions at Shinhan, Nonghyup and Jeju banks as their computers were also infected with the virus.

As of 5 p.m. yesterday, the Web site of KBS was still down while the groupware operations at MBC were malfunctioning. YTN also reportedly suffered from losing its database.

Shinhan Bank said it fully resumed its banking operations following the recovery of its network operations. It was business as usual at Nonghyup, except that some 20 percent of its ATMs in the country weren’t working. The groupware Web page of the telecom service provider LG U+ showed an image of skulls with a message from the hackers.

The Korea Internet Security Agency said it would take at least four to five days to restore functioning of the computer network systems of the damaged institutions.

One senior-ranking official at the Blue House said there is a “high suspicion that the attack was committed by the North while the government is analyzing the incident with all the possibilities in mind.”

Another official at the presidential office, who also spoke on condition of anonymity, said it’s “too early to say the attack was done by the North at the current stage.” But he added the North is fully “capable of carrying out the cyberattack” like the one seen on Wednesday with its cyberwarfare unit that reportedly has trained around 3,000 elite hackers.

“We already have taken action to raise readiness against another round of cyberattacks that could target national infrastructure facilities,” said the official.

Amid rising speculation that it was a Pyongyang-driven plan to disrupt media and financial operations in the tech-savvy country, the National Intelligence Service said in its report to the National Assembly that 73,030 cyberattacks on South Korean government and private institutions have been waged over the past five years. The spy agency strongly believes six of those were carried out by the North.

One of the suspected six Pyongyang-led cyberattacks is the hacking of the Web site and server of the JoongAng Ilbo and the Korea JoongAng Daily, in June of last year, which disrupted the network system and destroyed the database that stored articles and photos.

The three targeted broadcasters - KBS, YTN and MBC - were on a list of media groups Pyongyang warned of retaliation last year for their critical coverage of North Korean affairs.

As of yesterday, Pyongyang had neither acknowledged nor denied responsibility for the Wednesday attack and had made no comment on the incident.

By Kang Jin-kyu [jkkang2@joongang.co.kr]