Cyberattacks traced to Pyongyang
The joint response team, composed of government agencies, the military and private antivirus software developers, held a press briefing at the headquarters of the Ministry of Science, ICT and Future Planning in Gwacheon, Gyeonggi, at 2 p.m. yesterday and presented its interim investigation report to the public.
The joint response team found that the “March 20 Cyber Terror,” which brought down the computer networks of major broadcasters KBS, MBC and YTN, along with banks Shinhan and Nonghyup, was carried out with malicious code distributed from IP addresses in North Korea.
A total of 57,000 PCs as well as the servers of the broadcasters and banks went down.
It added that the other cyberattacks carried out after March 20 were carried out by the North as well: the indiscriminate malicious code that hit www.nalsee.com, a weather forecast Web site (March 25); the destruction of files saved on the servers of 14 anti-Pyongyang Web sites (March 26); and the destruction of files contained on the servers of YTN’s affiliate company (March 26).
“At least six PCs in the North accessed the servers of South Korean banks 1,590 times over eight months since June 28 last year to plant malicious code, so they can carry out attacks anytime they want from the North,” said Jeon Gil-soo, chief of the joint response team from the Korea Internet Security Agency, in the briefing.
“We found the servers were accessed 13 times and traced them to North Korean IP addresses.”
It added that the North accessed the security patch servers connected with bank servers that were managed by private antivirus software companies, including AhnLab, and that most of those servers were also attacked and the digital history left there was destroyed.
“There are a total of 49 IP addresses [25 domestic and 24 overseas] that we suspect the North used in cyberattacking the South since 2009 and 22 [18 domestic and four overseas] of them were used in the March hacking,” Jeon said.
“There are a total of 76 kinds of malicious code that the North used to attack the systems in Seoul and 30 of them were reused at this time.”
The joint response team said it was able to find such evidence after comparing the 76 kinds of malicious code that South Korean investigation agencies, including the National Intelligence Service and the Ministry of National Defense, had found in previous hacking attacks against the South.
To activate the malicious code, a signal had to be sent directly from PCs in North Korea.
The South Korean government currently judges that the series of cyberattacks conducted in March was carried out by the General Reconnaissance Bureau of the North. It estimated that there are about 12,000 hackers, and that 1,000 of them are operating outside of Pyongyang.
“We believe that the hackers could not take over the administrative accounts that manage data servers of the banks,” Jeon said.
“We weren’t able to defend the systems because the North attacked the systems before we could create new software that could make up for the defects of previous antivirus programs.”
The government will hold a meeting today with 15 government offices, including the Ministry of Science, ICT and Future Planning, the Financial Services Commission and the National Intelligence Service, to improve the country’s cyber safety.
By Lee Jie-sang, Shim Seo-hyeon [email@example.com]