Cyberattack shakes South Korea: Could North Korea have pulled it off?

Cyberattacks on three South Korean TV stations and two banks disrupted computer networks and halted ATM services temporarily on Wednesday, sending a tremor through that nation’s heavily Internet-dependent economy and raising questions about whether the attack was carried out by a nation-state or a hacker group.

Fingers were quickly pointed at North Korea as a likely suspect – especially given its protests last week that South Korea and the US were behind a two-day temporary shutdown of its Internet. Longstanding reports suggest that the North is training cadres of elite hackers.

Senior South Korean government officials withheld judgment while the matter is being investigated. But cybersecurity experts said the attacks, which occurred at around 2 p.m. local time, were synchronized and appear to have been the result of malicious software – a crude cyberweapon planted inside the computer networks of the banks and TV stations.

The malicious software was a “wiper” program that deletes computer files en masse – the type of cyberweapon used to attack Saudi Aramco in August 2012, damaging or wrecking 30,000 work stations in the giant oil company’s network.

To plant that kind of cyberweapon in multiple South Korean networks, the attackers had to have been inside the networks for some period. That differentiates these attacks from the attacks now going on against US banks, which flood websites with data and make web services freeze up.

Adding confusion, some South Korean computers were reported to have shown the image of a skull and a graphic claiming the attack was conducted by a group called the “Whois Team.” But that display may say little about who was behind the attack, cybersecurity experts say. More revealing is the apparent goal.

Most hacktivists want to win attention without causing serious damage, yet this attack seemed to be about trying to wreck computer networks, says Anup Ghosh, president of Invincea, a cybersecurity software company in Fairfax, Va.

“We can’t rule out hacktivsts yet, but this has similar hallmarks to the attacks on Saudi Aramco,” he says. “This looks kind of like a nation-state trying a false flag attack – trying to hide behind the idea that a hacker group is responsible.”

But other analysts say the attack was not sophisticated enough to be the work of a nation-state.

“If this was an actual cyberattack, it was an abysmal failure,” says Charlie Miller, a former expert for the National Security Agency. “If the goal here was to bring down the banks or TV station, well that just didn’t happen.”

“Also, North Korea likes to saber rattle and take credit. So it seems to me either this was random malware installed by a South Korean hacker doing what hackers do – or else some exploratory effort that wasn’t really trying to cause serious problems, but just test capabilities for some future attack,” he adds.

Shinhan Bank, a major South Korean lender, reported a two-hour system shutdown, which included online banking and automated teller machines. Another major bank, Nonghyup, was hit too. But both banks said their systems rebounded and customer records were safe. Broadcasters MBC and KBS reported their computer networks were hit at the same time, but without an impact on TV broadcasts.

1 | 2

Next