
Hitachi

Hitachi Systems SHIELD Security Research Center

Last Update: Apr 15, 2013
Initial Disclosure Date: Apr 2, 2013

Around 2pm on March 20, three South Korean broadcasters (KBS, MBC, and YTN), and three banks (Jeju, Nonghyup and Shinhan Bank) suffered computer network failures. Over 48,000 computers were infected and saw their hard drives wiped. (footnote:1) Reportedly, the cyber-attacks did not affect either the South Korean government or military. (footnote:2) The media were able to continue broadcasting and the cyber-attacks briefly interrupted some ATM services. (footnote:3)

The Korea Communications Commission (KCC) initially reported that it had traced the malware back to a Chinese IP address that was used to attack servers of the six organizations. (footnote:4) The South Korean Ministry of National Defense argued that it could not rule out the possibility that Pyongyang was involved in the cyber-attacks. (footnote:5) North Korea is believed to have waged cyber-attacks on South Korea in 2009 and 2011. Also, the 3/20 cyber-attacks were launched in the midst of tension after the Korean Central News Agency (KCNA) accused South Korea and the United States of cyber-attacks against North Korea and warned that it would resort to retaliation. (footnote:6)

Nonetheless, the KCC found out on March 22 that the IP address belonged to the internal server of one of the victims, Nonghyup Bank, and that it “coincidently matched” a Chinese IP address. (footnote:7) On the 25th, the Commission told the Chosun Ilbo newspaper, “We traced some IP addresses found on [affected] computer networks to overseas sources like the U.S. and a few European countries.” The South Korean National Police Agency asked the United States and three European countries to help with its investigation into the users of those IP addresses. The European countries remain unnamed. (footnote:8)

Xecure Lab, a security research firm based in Taipei, concluded from its analysis that the culprit set a logic bomb to trigger between 2pm and 3pm on March 20, 2013. (footnote:9) The wiper overwrote master boot record (MBR) data on Linux, Unix, and Windows systems, rendering them inoperable. (footnote:10) After the attacks, the following message appeared on the screens of the victims’ computers: “Boot device not found. Please install an operating system on your hard disk.” (footnote:11)

Symantec dubbed the malware Trojan.Jokra and WS.Reputation.1. (footnote:12) Yusuke Okano, Engineer at Fourteenforty Research Institute based in Tokyo, also analyzed the malware. He noticed that it executed the “taskkill” command through WinExec to stop pasvc.exe and clisvc.exe, which are processes of South Korean-made anti-virus software. (footnote:13)
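The behaviour Okano describes, a `taskkill` launched via WinExec against the anti-virus processes, leaves a clear trace in process-creation telemetry and is one of the few pre-wipe signals a defender can act on. The following detection sketch is an added example, not code from the page or from FFRI: it parses constructed key=value process-creation records (the log format and the `dropper_placeholder.exe` parent path are assumptions for illustration; only the process names pasvc.exe and clisvc.exe come from the page) and flags any `taskkill` whose `/IM` or `/FI IMAGENAME` argument names a protected security process, then groups the hits by parent process so a dropper that kills several agents in a burst stands out.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Image names of the AV processes the page says the wiper stopped.
# Assumed watch list for this example; extend it with your own agents' names.
PROTECTED_PROCESSES = {"pasvc.exe", "clisvc.exe"}

# Constructed sample records, loosely modelled on a process-creation event.
# Not real telemetry from the incident; the dropper path is a placeholder.
SAMPLE_LOG = r"""
ts=2013-03-20T14:00:03 event=ProcessCreate image=C:\Windows\System32\taskkill.exe parent=C:\Users\u1\AppData\Local\Temp\dropper_placeholder.exe cmdline="taskkill /F /IM pasvc.exe"
ts=2013-03-20T14:00:03 event=ProcessCreate image=C:\Windows\System32\taskkill.exe parent=C:\Users\u1\AppData\Local\Temp\dropper_placeholder.exe cmdline="taskkill /F /IM CLISVC.EXE"
ts=2013-03-20T14:00:04 event=ProcessCreate image=C:\Windows\System32\taskkill.exe parent=C:\Users\u1\AppData\Local\Temp\dropper_placeholder.exe cmdline="taskkill /F /FI 'IMAGENAME eq pasvc.exe'"
ts=2013-03-20T14:01:10 event=ProcessCreate image=C:\Windows\System32\taskkill.exe parent=C:\Windows\explorer.exe cmdline="taskkill /IM notepad.exe"
ts=2013-03-20T14:02:45 event=ProcessCreate image=C:\Windows\System32\cmd.exe parent=C:\Windows\explorer.exe cmdline="cmd /c dir"
"""

# key=value pairs; a value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# taskkill's filter form: /FI "IMAGENAME eq name.exe" (quotes optional).
IMAGENAME_FILTER_RE = re.compile(r"imagename\s+eq\s+['\"]?([^\s'\"]+)", re.IGNORECASE)


@dataclass
class Alert:
    ts: str
    target: str   # protected process that was targeted (lower-cased)
    parent: str   # process that spawned taskkill
    forced: bool  # /F present, i.e. forceful termination


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value record into a dict; quoted values keep their spaces."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def taskkill_targets(cmdline: str) -> List[str]:
    """Return every image name a taskkill command line asks to terminate."""
    tokens = cmdline.split()
    targets = []
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("/im", "-im"):
            targets.append(tokens[i + 1].strip("\"'").lower())
    for m in IMAGENAME_FILTER_RE.finditer(cmdline):
        targets.append(m.group(1).lower())
    return targets


def detect_av_kill(log_text: str) -> List[Alert]:
    """Flag taskkill executions aimed at a protected security process."""
    alerts = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("event") != "ProcessCreate":
            continue
        image = f.get("image", "").rsplit("\\", 1)[-1].lower()
        if image != "taskkill.exe":
            continue
        cmdline = f.get("cmdline", "")
        forced = "/f" in (t.lower() for t in cmdline.split())
        for target in taskkill_targets(cmdline):
            if target in PROTECTED_PROCESSES:
                alerts.append(Alert(f["ts"], target, f.get("parent", ""), forced))
    return alerts


def suspicious_parents(alerts: List[Alert]) -> Dict[str, Set[str]]:
    """Group alerts by parent so one process killing several agents is obvious."""
    by_parent: Dict[str, Set[str]] = {}
    for a in alerts:
        by_parent.setdefault(a.parent, set()).add(a.target)
    return by_parent


if __name__ == "__main__":
    hits = detect_av_kill(SAMPLE_LOG)
    for a in hits:
        print(f"{a.ts} taskkill -> {a.target} (forced={a.forced}) from {a.parent}")
    for parent, targets in suspicious_parents(hits).items():
        print(f"parent {parent} stopped {len(targets)} protected processes: {sorted(targets)}")
```

The benign `taskkill /IM notepad.exe` from explorer.exe produces no alert, while the three kills from the same temp-directory parent are reported together; in a real deployment the parent path and the `/F` flag are the fields worth weighting, since legitimate AV updaters rarely force-kill their own services from a user-writable directory.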

IssueMakersLab claims that the cyber-attacks are part of an operation, Operation 1Mission, which has been ongoing since January 2012 and is linked to hackers who have been active since 2007. The infection of the internal computers took place between June 2012 and January 2013. (footnote:14)

On April 10, the South Korean government announced that its investigation had identified the culprit as North Korea’s Reconnaissance General Bureau, based on the access records and malicious code used. (footnote:15) Yet on April 12, the General Staff of the Korean People’s Army issued a statement through KCNA denying any involvement in the March 2013 cyber-attacks on South Korea and threatened retaliation against South Korea for the accusation. (footnote:16)

According to the Chosun Ilbo, Kim Jong-un visited the Reconnaissance General Bureau this February to encourage its hackers and expressed confidence in North Korea’s cyberwarfare against South Korea. On April 7, a South Korean government official quoted Kim as having said at the time that the bureau, with its robust information technology and brave (cyber) warriors, would allow North Korea to break any sanction and make the country strong and prosperous. The official admitted that Kim has reason to be confident because North Korea has at least 12,000 hackers who are highly skilled in encryption and masking. (footnote:17)

Sources:

  1. Eyder Peralta, “South Korea Says Cyberattack That Paralyzed Computers Was Traced to Chinese IP,” NPR, March 21, 2013,
    http://www.npr.org/blogs/thetwo-way/2013/03/21/174926441/south-korea-says-cyberattack-that-paralyzed-computers-was-traced-to-chinese-ip
    Yonhap News, “Gov’t confirms Pyongyang link in March cyber attacks,” April 10, 2013,
    http://english.yonhapnews.co.kr/northkorea/2013/04/10/49/0401000000AEN20130410007300320F.HTML
  2. Sam Kim, “South Korea: Chinese address source of attack,” AP, March 21, 2013,
    http://news.yahoo.com/south-korea-chinese-address-source-attack-015145641.html
  3. Charles Arthur, “South Korea cyber attack ‘increasingly likely’ to have been government-led,” The Guardian, March 22, 2013,
    http://www.guardian.co.uk/technology/2013/mar/22/south-korea-cyber-attack
  4. BBC News, “China IP address link to South Korea cyber-attack,” March 21, 2013,
    http://www.bbc.co.uk/news/world-asia-21873017
  5. Voice of America, “S. Korea Finds No Evidence Between North, Cyber Attack,” March 20, 2013,
    http://www.voanews.com/content/south_korea_says_it_sees_no_evidence_yet_that_north_was_behind_cyberattack/1625386.html
  6. In-Soo Nam, “Pyongyang Accuses ‘Hostile Forces’ in South and U.S. of Cyberattacks,” Wall Street Journal, March 16, 2013,
    http://online.wsj.com/article/SB20001424127887324077704578361891957616344.html
  7. BBC News, “South Korea says China hack link a ‘mistake’,” March 22, 2013,
    http://www.bbc.co.uk/news/world-asia-21891617
  8. Shaun Waterman, “South Korea cyberattack traced to U.S. and Europe, not China,” The Washington Times, March 25, 2013,
    http://www.washingtontimes.com/news/2013/mar/25/south-korea-cyberattack-originated-us-and-europe-n/
  9. Xecure Lab, “Let’s gossip what happens in South Korea,” March 30, 2013,
    http://blog.xecure-lab.com/2013/03/lets-gossip-what-happens-in-south-korea.html
  10. Mathew J. Schwartz, “How South Korean Bank Malware Spread,” Information Week, March 25, 2013,
    http://www.informationweek.com/security/attacks/how-south-korean-bank-malware-spread/240151647
  11. Kim Zetter, “Logic Bomb Set Off South Korea Cyberattack,” Wired, March 21, 2013,
    http://www.wired.com/threatlevel/2013/03/logic-bomb-south-korea-attack/
  12. Symantec, “Official Blog: South Korean Banks and Broadcasting Organizations Suffer Major Damage from Cyber Attack,” March 21, 2013,
    http://www.symantec.com/connect/blogs/south-korean-banks-and-broadcasting-organizations-suffer-major-damage-cyber-attack
  13. Yusuke Okano, “FFRI BLOG: 2013-03-27 Kinkyu repoto: Kankoku saiba kogeki maruuea shosai kaiseki kekka [FFRI BLOG: 2013-03-27 Flash Report: analysis results on the malware used to launch cyber-attacks on South Korea],” Fourteenforty Research Institute, Inc., March 27, 2013,
    http://www.fourteenforty.jp/blog/2013/03/2013-03-27.htm
  14. IssueMakersLab, “Operation 1Mission,”
    http://issuemakerslab.com/320/1mission.html
  15. AFP, “S. Korea probe says North behind cyber attack: Report,” April 10, 2013,
    http://www.straitstimes.com/breaking-news/asia/story/s-korea-probe-says-north-behind-cyber-attack-report-20130410
  16. NHK World, “N. Korea denies involvement in South cyber attacks,” April 13, 2013,
    http://www3.nhk.or.jp/nhkworld/english/news/20130413_12.html
  17. Yi Yonsu, “Kim Jong-un shi ‘yumo na saiba senshi ga ireba donna seisai mo yabureru [Kim Jong-un said, ‘Brave cyber warriors would allow us to break any sanction’],” Chosun Ilbo Japanese Version, April 8, 2013,
    http://www.chosunonline.com/site/data/html_dir/2013/04/08/2013040800897.html


  * Each company name, organization name, and brand name is a trade name or registered trademark of the respective company or organization.
