
South Korea cyber attacks are linked back to China

Could be a rogue group hiding behind a Chinese IP address
Thu Mar 21 2013, 14:35

OFFICIALS IN SOUTH KOREA have linked the recent cyber attacks in the country, which brought down six organisations on Wednesday including broadcasters and banks, to a Chinese IP address.

The country's telecoms regulator underlined that though the hackers used an IP address that appeared to come from China to plant the malicious code, they could have routed their attacks through a Chinese address to cover their true location and identities.

"Unidentified hackers used a Chinese IP address to contact servers of the six affected organisations and plant the malware which attacked their computers," said Park Jae-moon of South Korea's communications regulator.

"At this stage, we're still making our best efforts to trace the origin of attacks, keeping all kinds of possibilities open," he said.

The large scale cyber attack was reported by South Korea's national broadcasters KBS, MBC and YTN shortly after 2pm local time yesterday, with their network systems having been crippled by the attacks.

The three broadcasters were said to have experienced a locked error screen on their computers, which could not be restarted, while unconfirmed reports suggested that Shinhan Bank was also affected, bringing down its internet banking services and ATMs.

Sophos Labs reported detecting the malware used in the attacks on Wednesday as "Darkseoul". The firm said that the simplistic nature of the malware indicated the attacks did not originate with the North Korean government.

"What's curious is that the malware is not particularly sophisticated. Sophos products have been able to detect the malware for nearly a year, and the various commands embedded in the malicious code have not been obfuscated," wrote Sophos security analyst Graham Cluley.

"For this reason, it's hard to jump to the immediate conclusion that this was necessarily evidence of a 'cyber warfare' attack coming from North Korea."

Kaspersky believes the loud nature of the attacks means they were likely mounted by a non-affiliated rogue group.

"Obviously, the attacks were designed to be 'loud' - the victims are broadcasting companies and banks. This makes us think we are not dealing with a serious, determined adversary but script kiddies or hacktivists looking for quick fame," read Kaspersky's statement.

Security firms and South Korean officials have been unable to identify the hackers involved or the reason behind the attacks.
