Cyberattack source still in question
A day earlier, the joint investigation team consisting of the KCC, National Police Agency and the Korea Internet Security Agency said the attack came from China via China Telecom, connecting to the patch management system that distributes antivirus software and planting malicious code in that system to destroy the boot areas of linked computers.
The identification of China as the country of origin led to the assumption that North Korean hackers were behind the crime. The Blue House also said on Thursday it had a “strong suspicion North Koreans spread the malicious code.”
Nonghyup was pinpointed among the six victims because joint investigators found hints of the origin of the attack on some of its computers. TV networks KBS, MBC and YTN and Nonghyup, Shinhan and Jeju banks were attacked.
“We were confused because Nonghyup’s IP address was similar to the one used in China,” said Lee Jae-il, head of the Internet incidents prevention division at KISA, yesterday. “That the IP address was based in Nonghyup’s antivirus software update management server does not necessarily mean the hackers were its own employees or South Koreans.”
According to international Internet usage protocol, countries are assigned unique IP addresses, which are distinguishable from the virtual IP addresses that different organizations use for their intranet systems. However, some addresses may overlap, according to KISA.
Meanwhile, investigators also found that antivirus software from two major developers - AhnLab and Hauri - played a crucial role in actually spreading the malicious code. Antivirus-program users are supposed to update their software on a regular basis. The update request, however, is made by the central patch management system.
By Seo Ji-eun