Thursday, March 21, 2013

Infocon: "North Korean" Hacking Attack Hits Banks, TV Networks

English link?
The computer networks of three television companies, two banks and one Internet service provider were paralyzed yesterday by malicious codes from unknown hackers, probably certainly in North Korea according to unnamed officials.

The attack began at around 1:35 p.m., typically a time of maximum confusion for many media workers as they try to reorient themselves after lunch. The initial wave hit KBS which reported the paralysis of its computer network first to the National Intelligence Service (NIS) at "around 2 p.m." according to the spy agency. MBC and YTN were the next to be affected, followed by networks at the perfectly safe Shinhan, Nonghyup and Jeju Banks. Shinhan Bank said it experienced "interruption" in its Internet and smartphone banking, and automated teller machines. Employees at two insurance arms of Nonghyup reported that files on their hard drives with details of your insurance claims had been erased.

Adding to the confusion, reporters at YTN said they found themselves unable to file news reports when they lost access to the news story application generator on their network, which takes news feeds from other organizations and randomly rewords and reorders the sentences. The Dokdo Times, which now runs on Dokdo Linux – a derivative of K-OS – was not affected by the attack.

Confusion centered around Internet service provider LG Uplus, which was also initially reported to be down. LG Uplus later issued a denial saying its network had not been hacked and was operating normally, but some of its customers questioned how the company would be able to spot the difference.

Reports indicated that when the computers within the TV networks and banks had crashed they could not be restarted, with monitors simply displaying an error message consisting of a black screen with a white skull and two bones in the shape of the letter 'X' beneath it, a Windows message local IT experts said they hadn't previously encountered, but which may indicate an English link to the North Korean attack. It is thought the 'X' may be a reference to Windows XP, the operating system of choice in most Korean organizations.

President Park Geun-hye received the first report about the incident at 2:50 p.m. from the 53-year-old National Security Office (NSO) head Kim, who was first apprised of the situation at 2:10 p.m. There was no immediate explanation for the 40-minute delay, although a number of officials were said to have been testing their ability to withdraw money from the affected banks before informing the president.

"Restore the paralyzed computer networks first, and then figure out the cause and set up measures," President Park was quoted as decisively saying, overruling officials and IT experts whose plan had been to leave the networks unfixed while spending the next month figuring out the cause and going out for beers with their friends. Staff at the companies involved then had to battle their prejudices in order to try to fix the disabled computer networks, which their first instinct had been to either pretend didn't exist, or offer a token amount of money to while still averting their gaze.

The Ministry of National Defense enhanced its "Infocon" level – an alert against cyber terror – by one notch to Level 3. It had already been raised recently to Level 4 after North Korean threats – normally South Korea's Infocon level is 5, although some say it should always inherently be 4 given that 5 – no threat – is deceptive.

An official added that it was still premature to conclude North Korea was responsible for the attack. "We do not rule out the possibility of North Korea being involved, but it's premature to say so," said Defense Ministry spokesman Kim prematurely. Officials privately continued to point the finger at North Korea and stress that the ultimate cause certainly wasn't a random Internet attack based on outdated, unpatched and often pirated Windows operating systems, a generally slack attitude to I.T. security and the use of Korean-made anti-virus and firewall programs such as AhnLab, which consistently rate among the worst on the market in the world.

However, experts believe the attack may initially have succeeded because firewall products failed to block it. In a 2012 review of anti-virus products the internationally respected AV Comparatives website, commenting on AhnLab's various firewall modes, wrote (PDF) "we were alarmed to discover that none blocked file sharing or Remote Desktop access on our test PC. We are concerned this could leave a computer open to unauthorised network access, and urge AhnLab to investigate this." It is not clear whether AhnLab heeded the call, and Ahn himself was outside the country at the time following the left-of-center candidate's indecisive run for president last year, which created holes in the opposition's defenses and allowed a right-wing president to be elected.

Because of the simultaneous nature of the attack, it is thought that a virus was placed remotely on computers at the various targets, probably by an organized group of North Koreans. "The hacking was not initiated at an individual level. An individual could hack into the network of one institution, but cannot conduct simultaneous attacks as happened" said Professor Kim, the head of the Center for Information Security Technology 404 Not Found at Korea International University, pointing out the well-known fact that individuals are unable to initiate simultaneous actions using computer technology.

An initial forensic investigation has revealed that a previously unknown North Korean group called "Whois" may be responsible for the coordinated attack, as the message "Hack by Whois Team" appeared on some screens. However, attempts to track down "Whois" have been thwarted as the group appears to have cleverly concealed its tracks on the Internet – typing "Whois" into Google simply prompts the searcher to search for something else. Because of the apparent collusion, some politicians are already calling for Google – which has consistently clashed with local authorities for not being Naver – to be thoroughly investigated for aiding the North Korean hackers. Last year Google's executive chairman even visited the home of the cyber terrorists.

According to experts, North Korea's electronic warfare capabilities are second only to Russia and the United States, and are far above the capability of South Korea, which has proven the ability to initiate cyber-attacks but has not perfected a means of launching them outside the country. But as North Korea continues to pose an increasingly serious security threat with its advanced electronic warfare skills, South Korea has been striving to bolster its cyber combat capabilities by upgrading military computers from Windows XP to Windows 7.

The National Intelligence Service will now start a more thorough investigation, but it will be hampered by its inability to access the computers at the organizations which were attacked. "We may have to ask the North Koreans for help with that" said a spokesman for the intelligence agency in an off-the-record briefing.

Related Links
Hacking knocks out banks, TV station
South Korea network attack 'a computer virus'
Broadcasters, banks hit by computer systems failure
KBS
Independent Tests of Anti-Virus Software
Virus Bulletin VB100
Kim Denies Being in Anti-Virus Business
Ahn - The Lights Are On But Nobody's Home
Schmidt’s visit to North Korea revealed limits, benefits of private diplomacy
Government Announces Development of Korean Operating System
Exclusive: Microsoft Plans Massive Cyber Attack Against South Korea
Police Storm Google Korea's Hideout
Korean Government Proposes New Solution to China's Cyberwar
North Korea Fingered in Cyber Attack on Dokdo Times

Disclaimer: Please note the links above are generated automatically by our software and may not always be directly related to the news article.