Last Update: Apr 15, 2013
Initial Disclosure Date: Apr 2, 2013
Around 2pm on March 20, three South Korean broadcasters (KBS, MBC, and YTN), and three banks (Jeju, Nonghyup and Shinhan Bank) suffered computer network failures. Over 48,000 computers were infected and saw their hard drives wiped. (footnote:1) Reportedly, the cyber-attacks did not affect either the South Korean government or military. (footnote:2) The media were able to continue broadcasting and the cyber-attacks briefly interrupted some ATM services. (footnote:3)
The Korea Communications Commission (KCC) initially reported that it had traced the malware to a Chinese IP address that was used to attack the servers of the six organizations. (footnote:4) The South Korean Ministry of National Defense said it could not rule out the possibility that Pyongyang was involved in the cyber-attacks. (footnote:5) North Korea is believed to have waged cyber-attacks on South Korea in 2009 and 2011. The 3/20 cyber-attacks also came amid heightened tension, after the Korean Central News Agency (KCNA) accused South Korea and the United States of cyber-attacks against North Korea and warned that it would retaliate. (footnote:6)
Nonetheless, the KCC found on March 22 that the IP address belonged to an internal server of one of the victims, Nonghyup Bank, and merely “coincidentally matched” a Chinese IP address. (footnote:7) On the 25th, the Commission told the Chosun Ilbo newspaper, “We traced some IP addresses found on [affected] computer networks to overseas sources like the U.S. and a few European countries.” The South Korean National Police Agency asked the United States and three European countries to help its investigation identify the users of those IP addresses. The European countries remain unnamed. (footnote:8)
Xecure Lab, a security research firm based in Taipei, concluded that the attacker set a logic bomb to trigger between 2pm and 3pm on March 20, 2013. (footnote:9) The wiper overwrote master boot record (MBR) data on Windows, Linux, and Unix systems, leaving them unable to boot. (footnote:10) After the attack, the victims' computers displayed the message “Boot device not found. Please install an operating system on your hard disk.” (footnote:11)
Symantec detects the malware as Trojan.Jokra and WS.Reputation.1. (footnote:12) Yusuke Okano, an engineer at the Tokyo-based Fourteenforty Research Institute, also analyzed the malware. He found that it ran the “taskkill” command through WinExec to stop pasvc.exe and clisvc.exe, the processes of South Korean-made anti-virus products. (footnote:13)
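The two behaviours described in this paragraph and the one before it (an MBR overwritten so the machine reports no boot device, and taskkill used to stop pasvc.exe and clisvc.exe) are the first things a responder would check for on a suspect host. The following Python script is an added example written for this page, not code from the article or from Xecure Lab, Symantec or Fourteenforty: it parses a raw sector-0 image against the standard classic MBR layout to tell a healthy partition table from a wiped one, and scans process-creation log lines for taskkill invocations aimed at the two anti-virus processes. The log line format, the file paths and the dropper name in the sample lines are constructed assumptions, as is the sample MBR.

```python
"""Triage helpers for an MBR-wiping incident like the 3/20 attacks.

Added example, not code from the article or from Xecure Lab, Symantec or
Fourteenforty. The classic MBR layout used below is standard; the log line
format, file paths and the dropper name are constructed for the example.
"""
import re
import struct

BOOT_SIGNATURE = b"\x55\xAA"
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
# Anti-virus processes the malware stopped with taskkill, per the analysis.
AV_PROCESSES = {"pasvc.exe", "clisvc.exe"}


def parse_partition_entry(entry: bytes) -> dict:
    """Decode a 16-byte MBR entry: status, CHS start (skipped), type, CHS end (skipped), LBA, size."""
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def mbr_report(sector: bytes) -> dict:
    """Decide whether a raw sector-0 image still looks like a usable MBR.

    'wiped' is True when the 0x55AA signature is gone or no partition entry is
    well formed; either leaves the firmware with no boot device, which is the
    symptom the victims saw on screen.
    """
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    has_signature = sector[510:512] == BOOT_SIGNATURE
    entries = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entries.append(parse_partition_entry(sector[start:start + PARTITION_ENTRY_SIZE]))
    # A real entry has status 0x00 or 0x80, a non-zero type and a non-zero size.
    valid = [e for e in entries
             if e["status"] in (0x00, 0x80) and e["type"] != 0 and e["sectors"] > 0]
    return {
        "has_signature": has_signature,
        "partitions": len(valid),
        "has_bootable_partition": any(e["status"] == 0x80 for e in valid),
        "wiped": not has_signature or not valid,
    }


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: one bootable NTFS (type 0x07) partition, no boot code."""
    sector = bytearray(512)
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def build_wiped_mbr() -> bytes:
    """Constructed wiped MBR: sector 0 overwritten with a repeated filler string."""
    return b"WIPED!!!" * 64


# Constructed process-creation log (Sysmon-like key=value text, not real telemetry).
SAMPLE_PROCESS_LOG = """\
2013-03-20 13:58:41 ProcessCreate Image=C:\\Windows\\explorer.exe ParentImage=C:\\Windows\\System32\\userinit.exe CommandLine="explorer.exe"
2013-03-20 14:00:02 ProcessCreate Image=C:\\Windows\\System32\\taskkill.exe ParentImage=C:\\Temp\\dropper.exe CommandLine="taskkill /F /IM pasvc.exe"
2013-03-20 14:00:02 ProcessCreate Image=C:\\Windows\\System32\\taskkill.exe ParentImage=C:\\Temp\\dropper.exe CommandLine="taskkill /F /IM clisvc.exe"
2013-03-20 14:00:05 ProcessCreate Image=C:\\Windows\\System32\\taskkill.exe ParentImage=C:\\Windows\\explorer.exe CommandLine="taskkill /IM notepad.exe"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) ProcessCreate Image=(?P<image>\S+) '
    r'ParentImage=(?P<parent>\S+) CommandLine="(?P<cmd>[^"]*)"$')
TASKKILL_RE = re.compile(r'taskkill(?:\.exe)?\b.*?/IM\s+(?P<target>\S+)', re.IGNORECASE)


def find_av_kill_events(log_text: str) -> list:
    """Return taskkill invocations whose /IM target is a watched anti-virus process."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        k = TASKKILL_RE.search(cmd)
        if not k:
            continue
        target = k.group("target").lower()
        if target in AV_PROCESSES:
            hits.append({"timestamp": m.group("ts"), "parent": m.group("parent"),
                         "target": target, "forced": "/F" in cmd.upper().split()})
    return hits


if __name__ == "__main__":
    print("healthy:", mbr_report(build_sample_mbr()))
    print("wiped:  ", mbr_report(build_wiped_mbr()))
    for hit in find_av_kill_events(SAMPLE_PROCESS_LOG):
        print("AV kill:", hit)
```

On a real host, feed mbr_report() the first 512 bytes of the disk (for example the output of `dd if=/dev/sdX bs=512 count=1` on a Linux forensic workstation) and adapt LOG_RE to whatever your endpoint telemetry actually emits; the useful signal in the log check is the pair (parent process, forced kill of an AV process), since legitimate software rarely force-kills the anti-virus agent.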
IssueMakersLab claims that the cyber-attacks were part of an operation, Operation 1Mission, that has been ongoing since January 2012 and is linked to hackers who have been active since 2007. The infection of the victims' internal computers took place between June 2012 and January 2013. (footnote:14)
On April 10, the South Korean government announced that its investigation had identified the culprit as North Korea's Reconnaissance General Bureau, based on access records and the malicious code used. (footnote:15) On April 12, however, the General Staff of the Korean People's Army issued a statement through KCNA denying any involvement in the March 2013 cyber-attacks on South Korea and threatening retaliation against South Korea for the accusation. (footnote:16)
According to the Chosun Ilbo, Kim Jong-un visited the Reconnaissance General Bureau in February 2013 to encourage its hackers and expressed confidence in North Korea's cyberwarfare capability against South Korea. On April 7, a South Korean government official quoted Kim as saying at the time that the bureau, with its robust information technology and brave (cyber) warriors, would allow North Korea to break any sanction and make the country strong and prosperous. The official said Kim had reason to be confident because North Korea has at least 12,000 hackers who are highly skilled in encryption and masking. (footnote:17)