Cyberattack shakes South Korea: Could North Korea have pulled it off?

Some South Korean banks and television stations were hit by an apparent cyberattack Wednesday. But the attack seems too crude for North Korea's cyberwar program, which is thought to be fairly advanced.

Ahn Young-joon/AP
Depositors leave after checking their accounts at automated teller machines of Shinhan Bank Wednesday in Seoul. The bank's computer networks were paralyzed by an apparent cyberattack.

Cyberattacks on three South Korean TV stations and two banks disrupted computer networks and halted ATM services temporarily on Wednesday, sending a tremor through that nation’s heavily Internet-dependent economy and raising questions about whether the attack was carried out by a nation-state or a hacker group.

Fingers were quickly pointed at North Korea as a likely suspect – especially given its protests last week that South Korea and the US were behind a two-day temporary shutdown of its Internet. Longstanding reports suggest that the North is training cadres of elite hackers.

Senior South Korean government officials withheld judgment while the matter is being investigated. But cybersecurity experts said the attacks, which occurred at around 2 p.m. local time, were synchronized and appear to have been the result of malicious software – a crude cyberweapon planted inside the computer networks of the banks and TV stations.

The malicious software was a “wiper” program that deletes computer files en masse – the type of cyberweapon used to attack Saudi Aramco in August 2012, damaging or wrecking 30,000 work stations in the giant oil company’s network.

To plant that kind of cyberweapon in multiple South Korean networks, the attackers had to have been inside the networks for some period. That differentiates these attacks from the attacks now going on against US banks, which flood websites with data and make web services freeze up.

Adding confusion, some South Korean computers were reported to have shown the image of a skull and a graphic claiming the attack was conducted by a group called the “Whois Team.” But that display may say little about who was behind the attack, cybersecurity experts say. More revealing is the apparent goal.

Most hacktivists want to win attention without causing serious damage, yet this attack seemed to be about trying to wreck computer networks, says Anup Ghosh, president of Invincea, a cybersecurity software company in Fairfax, Va.

“We can’t rule out hacktivsts yet, but this has similar hallmarks to the attacks on Saudi Aramco,” he says. “This looks kind of like a nation-state trying a false flag attack – trying to hide behind the idea that a hacker group is responsible.”

But other analysts say the attack was not sophisticated enough to be the work of a nation-state.

“If this was an actual cyberattack, it was an abysmal failure,” says Charlie Miller, a former expert for the National Security Agency. “If the goal here was to bring down the banks or TV station, well that just didn’t happen.”

“Also, North Korea likes to saber rattle and take credit. So it seems to me either this was random malware installed by a South Korean hacker doing what hackers do – or else some exploratory effort that wasn’t really trying to cause serious problems, but just test capabilities for some future attack,” he adds.

Shinhan Bank, a major South Korean lender, reported a two-hour system shutdown, which included online banking and automated teller machines. Another major bank, Nonghyup, was hit too. But both banks said their systems rebounded and customer records were safe. Broadcasters MBC and KBS reported their computer networks were hit at the same time, but without an impact on TV broadcasts.

South Koreans routinely shrug off nuclear threats from North Korea, but the prevailing mood after the attack was uncertainty. South Korea is, after all, the world’s most wired country, with its Internet penetration rate exceeding 100 percent, meaning there are more Internet connections than people, according to data released in July 2012 by the Organization for Economic Cooperation and Development.

“Most people aren’t sure yet. There are lots of rumors that maybe North Korea was trying to cause some kind of problems, or it could have been a hacker group. It’s still too early to tell,” said Park Hyun-jung, a recent university graduate in Seoul.

North Korea is believed to have carried out cyberattacks on South Korean government agencies and financial institutions in 2009 and 2011. In the past, the North has issued threats specifically targeting South Korean conservative media outlets (including some of the networks that reported disturbances today), which tend to be harshly critical of Pyongyang.

North Korea’s capacities are still a matter of debate among US cybersecurity experts.

North Korea was reported to have increased the number of troops in its cyberwarfare unit from 500 to about 3,000 in 2011, according to a study last year by the Institute for Korea-US Political Development, an independent research organization based in Las Vegas. The report also said Kim Il Political Military University, known as a “secret university,” educates some 100 world-class hackers every year. The North is sending promising candidates overseas to Russia and China for cyberwarfare training, as well.

“I don’t think anyone really knows what North Korea’s cyber capabilities are,” Miller says. “But if they started couple years ago, and had major government funding and backing ... they could be pretty sophisticated at this point. But if they didn’t, they might have nothing.”

If North Korea has exerted even modest resources into a cyberwar program, then Wednesday’s attack appears too ineffective to be its handiwork, some say. The “attack” may not be an attack at all, but malicious software released by someone with minimal talent.

That conclusion is seconded by Sophos, a cybersecurity company in Britain that has analyzed the malware. Its conclusion “is that the malware is not particularly sophisticated,” writes Graham Cluley, senior technology consultant at Sophos, on the company blog. “For this reason, it's hard to jump to the immediate conclusion that this was necessarily evidence of a 'cyberwarfare' attack coming from North Korea.... As yet no strong evidence has emerged that whoever was behind this attack is based in, or has backing from, North Korea.”

But others say the incident should not be cast off as a failure.            

“I would disagree that it 'really failed,’ ” says Michael Sutton, head of security research for Zscaler, a cybersecurity firm in San Jose, Calif., writes in an e-mail. “While the attack itself had limited sophistication, it succeeded in disrupting the activities of numerous major banks and media outlets in South Korea. It is unlikely that Pyongyang will ever take credit, but given recent tensions, they are a logical suspect.”

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to