Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

South Korea Tracks Cyber Attack to China, North Still Suspect

Update: South Korea says source cyber attack not based in China as originally believed.

Update: South Korea says source cyber attack not based in China as originally believed.

SEOUL – South Korea said Thursday it had sourced a damaging cyber attack on its broadcasters and banks to an IP address in China, fuelling suspicions that North Korea may have been responsible.

Previous online attacks blamed on North Korea — including one last year on the computer network of the conservative JoongAng newspaper in Seoul — have also been tracked back to Chinese sources.

Internet security analysts in South Korea believe official North Korean hackers learned many of their skills in China and operate from there.

Map of South Korea

The regulatory Korea Communications Commission (KCC) said Wednesday’s attack had used the Chinese IP address to access the targeted computer networks and generate malware that crashed their systems.

“The Chinese IP may trigger various assumptions,” said Park Jae-Moon, the KCC director of network policy.

“At this stage, we’re still making our best efforts to trace the origin of attacks, keeping all kinds of possibilities open,” Park said.

The attack on Wednesday completely shut down the networks of TV broadcasters KBS, MBC and YTN, and halted financial services and crippled operations at three banks — Shinhan, NongHyup and Jeju.

Advertisement. Scroll to continue reading.

Their networks were mostly back up and running Thursday, although a large number of individual PCs were not operational.

“For geopolitical reasons, it’s convenient for North Korea to use Chinese IP addresses for such attacks,” said Choi Yun-Seong, a security expert at the state-run Korea Information Technology Research Institute (KITRI).

“However, domestic and foreign hackers can use them as well, so we cannot say for sure North Korea was behind this,” Choi told AFP.

China, North Korea’s main patron which has angrily denied being behind a spate of cyber attacks on US interests, also stressed the IP address location was meaningless.

“We have pointed out many times that hacking attacks are a global problem,” foreign ministry spokesman Hong Lei said.

“It is anonymous and trans-national. By using other countries’ IP addresses, hackers attack some countries’ networks and this is a common practice,” he said.

Wednesday’s attack came days after North Korea accused South Korea and the United States of being behind a “persistent and intensive” hacking assault that took a number of its official websites offline for nearly two days.

It also coincided with heightened military tensions on the Korean peninsula, following Pyongyang’s nuclear test last month.

In testimony last year to the US congressional Armed Services Committee, the commander of US forces in South Korea, General James Thurman, said North Korea was employing “sophisticated computer hackers” trained in cyber attacks.

“Such attacks are ideal for North Korea” because they can be done anonymously, and “have been increasingly employed against a variety of targets including military, governmental, educational and commercial institutions”, Thurman said.

North Korea was particularly blamed for cyber attacks in 2009 and 2011 that targeted South Korean financial entities and government agencies.

Those attacks were so-called distributed denial-of-service attacks, which overload a site with data causing it to crash, and are relatively simple to carry out.

Wednesday’s coordinated assault was more sophisticated, using malware that can wipe the contents of a computer’s hard disk as well as drives connected to the infected computer.

Written By

AFP 2023

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet