Cyberattacks on three South Korean TV stations and two banks disrupted computer networks and halted ATM services temporarily on Wednesday, sending a tremor through that nation’s heavily Internet-dependent economy and raising questions about whether the attack was carried out by a nation-state or a hacker group.
Fingers were quickly pointed at North Korea as a likely suspect – especially given its protests last week that South Korea and the US were behind a two-day temporary shutdown of its Internet. Longstanding reports suggest that the North is training cadres of elite hackers.
Senior South Korean government officials withheld judgment while the matter is being investigated. But cybersecurity experts said the attacks, which occurred at around 2 p.m. local time, were synchronized and appear to have been the result of malicious software – a crude cyberweapon planted inside the computer networks of the banks and TV stations.
The malicious software was a “wiper” program that deletes computer files en masse – the type of cyberweapon used to attack Saudi Aramco in August 2012, damaging or wrecking 30,000 work stations in the giant oil company’s network.
To plant that kind of cyberweapon in multiple South Korean networks, the attackers had to have been inside the networks for some period. That differentiates these attacks from the attacks now going on against US banks, which flood websites with data and make web services freeze up.
Adding confusion, some South Korean computers were reported to have shown the image of a skull and a graphic claiming the attack was conducted by a group called the “Whois Team.” But that display may say little about who was behind the attack, cybersecurity experts say. More revealing is the apparent goal.
Most hacktivists want to win attention without causing serious damage, yet this attack seemed to be about trying to wreck computer networks, says Anup Ghosh, president of Invincea, a cybersecurity software company in Fairfax, Va.
“We can’t rule out hacktivists yet, but this has similar hallmarks to the attacks on Saudi Aramco,” he says. “This looks kind of like a nation-state trying a false flag attack – trying to hide behind the idea that a hacker group is responsible.”
But other analysts say the attack was not sophisticated enough to be the work of a nation-state.
“If this was an actual cyberattack, it was an abysmal failure,” says Charlie Miller, a former expert for the National Security Agency. “If the goal here was to bring down the banks or TV station, well that just didn’t happen.”
“Also, North Korea likes to saber rattle and take credit. So it seems to me either this was random malware installed by a South Korean hacker doing what hackers do – or else some exploratory effort that wasn’t really trying to cause serious problems, but just test capabilities for some future attack,” he adds.
Shinhan Bank, a major South Korean lender, reported a two-hour system shutdown, which included online banking and automated teller machines. Another major bank, Nonghyup, was hit too. But both banks said their systems rebounded and customer records were safe. Broadcasters MBC and KBS reported their computer networks were hit at the same time, but without an impact on TV broadcasts.
South Koreans routinely shrug off nuclear threats from North Korea, but the prevailing mood after the attack was uncertainty. South Korea is, after all, the world’s most wired country, with its Internet penetration rate exceeding 100 percent, meaning there are more Internet connections than people, according to data released in July 2012 by the Organization for Economic Cooperation and Development.
“Most people aren’t sure yet. There are lots of rumors that maybe North Korea was trying to cause some kind of problems, or it could have been a hacker group. It’s still too early to tell,” said Park Hyun-jung, a recent university graduate in Seoul.
North Korea is believed to have carried out cyberattacks on South Korean government agencies and financial institutions in 2009 and 2011. In the past, the North has issued threats specifically targeting South Korean conservative media outlets (including some of the networks that reported disturbances today), which tend to be harshly critical of Pyongyang.
North Korea’s capacities are still a matter of debate among US cybersecurity experts.
North Korea was reported to have increased the number of troops in its cyberwarfare unit from 500 to about 3,000 in 2011, according to a study last year by the Institute for Korea-US Political Development, an independent research organization based in Las Vegas. The report also said Kim Il Political Military University, known as a “secret university,” educates some 100 world-class hackers every year. The North is sending promising candidates overseas to Russia and China for cyberwarfare training, as well.
“I don’t think anyone really knows what North Korea’s cyber capabilities are,” Miller says. “But if they started couple years ago, and had major government funding and backing ... they could be pretty sophisticated at this point. But if they didn’t, they might have nothing.”
If North Korea has exerted even modest resources into a cyberwar program, then Wednesday’s attack appears too ineffective to be its handiwork, some say. The “attack” may not be an attack at all, but malicious software released by someone with minimal talent.
That conclusion is seconded by Sophos, a cybersecurity company in Britain that has analyzed the malware. Its conclusion “is that the malware is not particularly sophisticated,” writes Graham Cluley, senior technology consultant at Sophos, on the company blog. “For this reason, it's hard to jump to the immediate conclusion that this was necessarily evidence of a 'cyberwarfare' attack coming from North Korea.... As yet no strong evidence has emerged that whoever was behind this attack is based in, or has backing from, North Korea.”
But others say the incident should not be cast off as a failure.
“I would disagree that it ‘really failed,’ ” writes Michael Sutton, head of security research for Zscaler, a cybersecurity firm in San Jose, Calif., in an e-mail. “While the attack itself had limited sophistication, it succeeded in disrupting the activities of numerous major banks and media outlets in South Korea. It is unlikely that Pyongyang will ever take credit, but given recent tensions, they are a logical suspect.”