
2013 South Korea cyberattack

From Wikipedia, the free encyclopedia

In 2013, there were two major sets of cyberattacks on South Korean targets attributed to elements within North Korea.

March


On 20 March 2013, six South Korean organizations suffered a suspected cyberwarfare attack.[1] The organizations included three media companies (KBS, MBC and YTN) and three financial institutions (the National Agricultural Cooperative Federation, Shinhan Bank and Jeju Bank). The South Korean communications watchdog, the Korea Communications Commission, raised its cyber-attack alert level to three on a scale of five. North Korea had been blamed for similar attacks in 2009 and 2011 and was suspected of launching this attack as well. The attack also came during a period of elevated tensions between the two Koreas, following Pyongyang's nuclear test on 12 February.[2] South Korean officials initially linked the incident to a Chinese IP address, which increased suspicion of North Korea, as "[i]ntelligence experts believe that North Korea routinely uses Chinese computer addresses to hide its cyber-attacks."[3] It was later revealed that the IP address did not originate from China but from the internal network of one of the attacked organizations.[4]

The attacks on all six organizations originated from a single entity. The networks were hit by malicious code rather than by the distributed denial-of-service (DDoS) attacks suspected at first, and the malware appeared to rely only on hard drive overwrites.[5] The attack "damaged 32,000 computers and servers of media and financial companies."[6] The Financial Services Commission of South Korea said that Shinhan Bank reported its Internet banking servers had been temporarily blocked, and that Jeju Bank and NongHyup reported operations at some of their branches had been paralyzed after computers were infected and their files erased. Woori Bank reported a hacking attack but said it had suffered no damage.[7]
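The March malware is described above as relying on hard drive overwrites, and one of the vendor detection names listed later on this page (KillMBR) points at the Master Boot Record as a target of those overwrites. The following Python is an added example, not code from the article or from any of the vendors it cites: it constructs a 512-byte MBR sample in memory, parses its partition table and boot signature, and shows the triage check a responder can run against the first sector of a disk image to tell an intact MBR from one that has been overwritten with a uniform fill byte. The sample boot code, partition geometry and the `make_wiped_sample` helper are all constructed for illustration.

```python
"""Triage of a disk image's Master Boot Record (MBR) for wiper-style overwrites.

Added example (not from the Wikipedia article or any vendor tool it cites).
Checks the first 512-byte sector for a valid 0x55AA boot signature, parses
the four 16-byte partition entries, and flags sectors that consist of a single
repeated byte, which is how a zero-filled or pattern-filled overwrite looks.
"""
import struct
from collections import Counter

SECTOR = 512
PTABLE_OFFSET = 446   # partition table starts here
SIG_OFFSET = 510      # 0x55 0xAA boot signature
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Constructed MBR: dummy boot code, one bootable NTFS-type partition, valid signature."""
    boot_code = b"\xeb\x3c\x90" + b"\x00" * (PTABLE_OFFSET - 3)  # constructed filler, not real code
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    empty = b"\x00" * 16
    return boot_code + entry + empty * 3 + b"\x55\xaa"


def make_wiped_sample(mbr: bytes, fill: int = 0x00) -> bytes:
    """Constructed 'after' image: first sector replaced by one repeated byte (test data only)."""
    return bytes([fill]) * SECTOR + mbr[SECTOR:]


def parse_partitions(sector: bytes) -> list:
    """Return the non-empty partition entries as dicts."""
    parts = []
    for i in range(4):
        off = PTABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            ENTRY_FMT, sector[off:off + 16]
        )
        if ptype != 0:  # type 0x00 marks an unused entry
            parts.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba,
                "sectors": count,
            })
    return parts


def triage_mbr(image: bytes) -> dict:
    """Classify the first sector as intact, uniformly wiped, or otherwise corrupt."""
    if len(image) < SECTOR:
        raise ValueError("image must contain at least one 512-byte sector")
    sector = image[:SECTOR]
    signature_valid = sector[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xaa"
    fill_byte, freq = Counter(sector).most_common(1)[0]
    uniform_fill = freq == SECTOR  # every byte identical: zeroed or pattern-filled
    partitions = parse_partitions(sector) if signature_valid else []
    if signature_valid and partitions:
        verdict = "intact"
    elif uniform_fill:
        verdict = "wiped_uniform_fill"
    else:
        verdict = "corrupt_or_overwritten"
    return {
        "signature_valid": signature_valid,
        "partitions": partitions,
        "uniform_fill": uniform_fill,
        "fill_byte": fill_byte,
        "verdict": verdict,
    }


if __name__ == "__main__":
    good = build_sample_mbr()
    print("before:", triage_mbr(good)["verdict"])
    print("after: ", triage_mbr(make_wiped_sample(good))["verdict"])
```

In practice the input is the first 512 bytes of a raw image (`dd`-style or a forensic image exported to raw); a `corrupt_or_overwritten` verdict means the signature is gone but the fill is not uniform, which still calls for manual inspection rather than a conclusion about the cause.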

This cyberattack “caused US$750 million in economic damage alone. (Feakin 2013)”[8] Also, “[t]he frequency of cyber attacks by North Korea and rampant cyber espionage activities attributed to China are of great concern to the South Korean government. (Lewis 2013)”[9]

June


The June 25 cyber terror was an information leak that occurred on June 25, 2013, targeting Cheongwadae and other institutions. The hacker responsible admitted to leaking the information of 2.5 million Saenuri Party members, 300 thousand soldiers, 100 thousand Cheongwadae homepage users and 40 thousand United States Forces Korea members. There were also apparent hacking attacks on government websites. The incident took place on the 63rd anniversary of the start of the 1950–53 Korean War, the war that divided the Korean peninsula. Because the Blue House's website was hacked, the personal information of a total of 220,000 users of the "Cheong Wa Dae" website, including 100,000 ordinary citizens and 20,000 military personnel, was exposed.[10] The website of the Office for Government Policy Coordination and some media servers were affected as well.

While multiple attacks were organized by multiple perpetrators, one of the distributed denial-of-service (DDoS) attacks against South Korean government websites was directly linked to the "DarkSeoul" gang and Trojan.Castov.[11] Malware related to the attack is known in the security industry as "DarkSeoul" and was first identified in 2012. It has been involved in multiple previous high-profile attacks against South Korea.

Timeline


At approximately 9:10 AM on 25 June 2013, websites including the Cheongwadae website, the websites of major government institutions and news sites became victims of website defacement, DDoS, information theft and similar attacks. Visitors to the Cheongwadae homepage were shown messages such as 'The great Kim Jong-un governor' and 'All hail the unified chairman Kim Jong-un! Until our demands are met our attacks will continue. Greet us. We are anonymous', together with a photo of President Park Geun-hye.

The government raised the cyber threat status to 'noteworthy' at 10:45 AM on June 25, then to 'warning' at 3:40 PM.[12] Cheongwadae posted an apology on June 28.[13]

The Ministry of Science, ICT and Future Planning announced on July 16 that both the March and June incidents matched hacking methods previously used by North Korea.[14] However, the targets also included a Japan-based Korean Central News Agency site and major North Korean anti-South websites, and the hackers announced that they would release information on approximately 20 high-ranking North Korean army officers along with extensive information on North Korean weaponry.

Response


Following the hacking in June there was further speculation that North Korea was responsible for the attacks. Investigators found that "an IP address used in the attack matched one used in previous hacking attempts by Pyongyang."[15] Park Jae-moon, a former director-general at the Ministry of Science, ICT and Future Planning, said that "82 malignant codes [collected from the damaged devices] and internet addresses used for the attack, as well as North Korea's previous hacking patterns," proved that "the hacking methods were the same" as those used in the 20 March cyber attacks.[16]

Following this incident, the Korean government publicly announced that it would take charge of the "Cyber Terror Response Control Tower" and that the National Intelligence Service (NIS), together with the relevant ministries, would be responsible for building a comprehensive response system under the "National Cyber Security Measures."[17]

The South Korean government asserted a Pyongyang link in the March cyberattacks, which has been denied by Pyongyang.[18] A 50-year-old South Korean man identified as Mr. Kim is suspected to be involved in the attack.[19]

Appearance in the South Korean National Geographic


The South Korean National Geographic listed cyber terror as one of its top 10 keywords of 2013 because of these attacks.[20]

Measures

  • The government formed a joint civil-government-military cyber crisis response headquarters.[21]
  • Security companies such as AhnLab and Hauri issued emergency updates or distributed dedicated removal tools ("vaccines") so that their products detect the malware responsible. The detection names assigned by each company are as follows:
      • AhnLab – Win-Trojan/Agent.24576.JPF (JPG, JPH), Dropper/Eraser.427520[22]
      • INCA Internet – ApcRunCmd.exe: Trojan/W32.Agent.24576.EAN / Othdown.exe: Trojan/W32.Agent.24576.EAO[23]
      • Hauri – ApcRunCmd.exe: Trojan.Win32.U.KillMBR.24576 / Othdown.exe: Trojan.Win32.U.KillMBR.24576.A
      • Symantec – Trojan.Jokra[23]
      • Sophos – Mal/EncPk-ACE (aka "DarkSeoul")

References

  1. "South Korea on alert for cyber-attacks after major network goes down". The Guardian. 2013-03-20. Retrieved 2023-01-31.
  2. "Cyber attack hits S Korea websites". 2013-06-25. Retrieved 2019-09-25.
  3. "China IP address link to South Korea cyber-attack". BBC. 21 March 2013. Retrieved 12 September 2016.
  4. "韓国のサイバー攻撃、アクセス元は社内のプライベートIPアドレス". @IT (in Japanese). Retrieved 2023-05-05.
  5. "Are the 2011 and 2013 South Korean Cyberattacks Related?". Symantec Security Response. Archived from the original on 1 April 2013. Retrieved 2019-09-25.
  6. Michael Pearson; K.J. Kwon; Jethro Mullen (20 March 2013). "Hacking attack on South Korea traced to China". CNN. Retrieved 2019-09-25.
  7. Choe Sang-Hun (20 March 2013). "Computer Networks in South Korea Are Paralyzed in Cyberattacks". The New York Times.
  8. "Roles for Australia, Canada and South Korea". Mutual Security in the Asia-Pacific: Roles for Australia, Canada and South Korea. McGill-Queen's University Press. 2015. JSTOR j.ctt1jktr6v.
  9. "Roles for Australia, Canada and South Korea". Mutual Security in the Asia-Pacific: Roles for Australia, Canada and South Korea. McGill-Queen's University Press. 2015. JSTOR j.ctt1jktr6v.
  10. "북한의 사이버 공격과 우리의 사이버 안보 상황". Naver Blog | 통일부 공식 블로그 (in Korean). Retrieved 2019-09-25.
  11. "Four Years of DarkSeoul Cyberattacks Against South Korea Continue on Anniversary of Korean War". Symantec Security Response. Retrieved 2019-09-25.
  12. 홍, 재원; 박, 홍두 (2013-06-25). "'6·25 사이버 테러' 남도 북도 같은 날 당했다". Kyunghyang Shinmun (in Korean). Retrieved 2023-01-31.
  13. "10만건 개인정보유출 사실로 드러나....청와대, 사과문 공지". www.ddaily.co.kr (in Korean). Retrieved 2023-01-31.
  14. "[속보]정부 "6·25 사이버공격 북한 소행"". Kyunghyang Shinmun (in Korean). 2013-07-16. Retrieved 2023-01-31.
  15. "N Korea 'behind hacking attack'". 2013-07-16. Retrieved 2019-09-25.
  16. 권, 혜진 (2013-07-16). ""'6·25 사이버공격'도 북한 소행 추정"(종합)". Yonhap News Agency (in Korean). Retrieved 2019-09-25.
  17. "보도자료(과학기술정보통신부) | 과학기술정보통신부". www.msit.go.kr. Retrieved 2019-09-25.
  18. Lee Minji (10 April 2013). "(2nd LD) Gov't confirms Pyongyang link in March cyber attacks". Yonhap News. Retrieved 7 September 2016.
  19. Jeyup S. Kwaak (31 July 2013). "Seoul Suspects South Korean Tech Executive of Helping North in Cyberattacks". The Wall Street Journal. Retrieved 3 August 2013.
  20. "내셔널지오그래픽채널, '2013년 10대 키워드'". Kyunghyang Shinmun (in Korean). 12 December 2013.
  21. "朴대통령 전산망마비 '조속복구' 지시…범정부팀 가동". Yonhap News (in Korean). 20 March 2013.
  22. "AhnLab". www.ahnlab.com (in Korean).
  23. "[잉카인터넷 대응팀] [긴급대응]언론사 방송국, 금융사이트 부팅 불가 사고 발생 [#Update 2013. 03. 25. 03]". erteam.nprotect.com. Archived from the original on 25 March 2013.