2013 South Korea cyberattack

In 2013, there were two major sets of cyberattacks on South Korean targets attributed to elements within North Korea.

March

On 20 March 2013, six South Korean organizations suffered a suspected cyberwarfare attack. [1] The organizations included three media companies (KBS, MBC, and YTN) and three financial institutions (the National Agricultural Cooperative Federation, Shinhan Bank, and Jeju Bank). The South Korean communications watchdog, the Korea Communications Commission, raised its cyber-attack alert level to three on a scale of five. North Korea had been blamed for similar attacks in 2009 and 2011 and was suspected of launching this attack as well. The attack also came at a period of elevated tension between the two Koreas, following Pyongyang's nuclear test on 12 February. [2] South Korean officials initially linked the incident to a Chinese IP address, which increased suspicion of North Korea, as "[i]ntelligence experts believe that North Korea routinely uses Chinese computer addresses to hide its cyber-attacks." [3] It was later revealed that the IP address was not Chinese at all but a private address on the internal network of one of the attacked organizations. [4]

The attacks on all six organizations originated from a single entity. The networks were attacked with malicious code rather than by the distributed denial-of-service (DDoS) attacks initially suspected; the malware appeared to rely only on hard drive overwrites. [5] This cyberattack "damaged 32,000 computers and servers of media and financial companies." [6] The Financial Services Commission of South Korea said that Shinhan Bank reported that its Internet banking servers had been temporarily blocked, and that Jeju Bank and NongHyup reported that operations at some of their branches had been paralyzed after computers were infected with viruses and their files erased. Woori Bank reported a hacking attack, but said it had suffered no damage. [7]

This cyberattack "caused US$750 million in economic damage alone. (Feakin 2013)" [8] Also, "[t]he frequency of cyber attacks by North Korea and rampant cyber espionage activities attributed to China are of great concern to the South Korean government. (Lewis 2013)" [9]

June

The June 25 cyber terror was an information leak that occurred on June 25, 2013 and targeted Cheongwadae (the Blue House) and other institutions. The hacker who caused the incident admitted that the information of 2.5 million Saenuri Party members, 300 thousand soldiers, 100 thousand Cheongwadae homepage users and 40 thousand United States Forces Korea members had been leaked. There were also apparent hacking attacks on government websites. The incident happened on the 63rd anniversary of the start of the 1950-53 Korean War, the war that divided the Korean peninsula. After the Blue House's website was hacked, the personal information of a total of 220,000 users of the "Cheong Wa Dae" website, including 100,000 ordinary citizens and 20,000 military personnel, was compromised. [10] [unreliable source] The website of the Office for Government Policy Coordination and some media servers were affected as well.

While multiple attacks were organized by multiple perpetrators, one of the distributed denial-of-service (DDoS) attacks against South Korean government websites was directly linked to the "DarkSeoul" gang and Trojan.Castov. [11] The malware associated with these attacks is known as "DarkSeoul" in the security community and was first identified in 2012. It has been involved in multiple previous high-profile attacks against South Korea.

Timeline

At approximately 9:10 AM on 25 June 2013, websites including the Cheongwadae website, the websites of major government institutions and news outlets became victims of defacement, DDoS, data theft and other attacks. Visitors to the Cheongwadae homepage were shown messages such as 'The great Kim Jong-un governor' and 'All hail the unified chairman Kim Jong-un! Until our demands are met our attacks will continue. Greet us. We are anonymous', together with a photo of President Park Geun-hye.

The government raised the cyber threat level to 'noteworthy' at 10:45 AM on June 25, then to 'warning' at 3:40 PM. [12] Cheongwadae posted an apology on June 28. [13]

The Ministry of Science, ICT and Future Planning revealed on July 16 that both the March and June incidents matched hacking methods previously used by North Korea. [14] However, the targets also included the Japan-hosted site of the Korean Central News Agency and major North Korean anti-South websites, and the hackers announced that they would release information on approximately 20 high-ranking North Korean army officers along with a large amount of information on North Korean weaponry.

Response

Following the hacking in June there was further speculation that North Korea was responsible for the attacks. Investigators found that "an IP address used in the attack matched one used in previous hacking attempts by Pyongyang." [15] Park Jae-moon, a former director-general at the Ministry of Science, ICT and Future Planning, said that "82 malignant codes [collected from the damaged devices] and internet addresses used for the attack, as well as North Korea's previous hacking patterns," proved that "the hacking methods were the same" as those used in the 20 March cyber attacks. [16]

Following this incident, the Korean government publicly announced that it would take charge of the "Cyber Terror Response Control Tower" and that, together with the various ministries, the National Intelligence Service (NIS) would be responsible for building a comprehensive response system under the "National Cyber Security Measures." [17]

The South Korean government asserted a Pyongyang link in the March cyberattacks, which Pyongyang has denied. [18] A 50-year-old South Korean man identified as Mr. Kim is suspected of involvement in the attack. [19]

Appearance in the South Korean National Geographic

The South Korean National Geographic Channel listed cyber terror as one of its top 10 keywords of 2013 because of these attacks. [20]

References

  1. "South Korea on alert for cyber-attacks after major network goes down". The Guardian. 2013-03-20. Retrieved 2023-01-31.
  2. "Cyber attack hits S Korea websites". 2013-06-25. Retrieved 2019-09-25.
  3. "China IP address link to South Korea cyber-attack". BBC. 21 March 2013. Retrieved 12 September 2016.
  4. "韓国のサイバー攻撃、アクセス元は社内のプライベートIPアドレス" [South Korean cyberattack: access originated from an internal private IP address]. @IT (in Japanese). Retrieved 2023-05-05.
  5. "Are the 2011 and 2013 South Korean Cyberattacks Related?". Symantec Security Response. Retrieved 2019-09-25.
  6. Michael Pearson; K.J. Kwon; Jethro Mullen (20 March 2013). "Hacking attack on South Korea traced to China". CNN. Retrieved 2019-09-25.
  7. Choe Sang-Hun. "Computer Networks in South Korea Are Paralyzed in Cyberattacks". The New York Times. 20 March 2013.
  8. "Roles for Australia, Canada and South Korea". Mutual Security in the Asia-Pacific: Roles for Australia, Canada and South Korea. McGill-Queen's University Press. 2015. JSTOR j.ctt1jktr6v.
  9. "Roles for Australia, Canada and South Korea". Mutual Security in the Asia-Pacific: Roles for Australia, Canada and South Korea. McGill-Queen's University Press. 2015. JSTOR j.ctt1jktr6v.
  10. "북한의 사이버 공격과 우리의 사이버 안보 상황" [North Korea's cyberattacks and our cyber security situation]. Naver Blog | Ministry of Unification official blog (in Korean). Retrieved 2019-09-25.
  11. "Four Years of DarkSeoul Cyberattacks Against South Korea Continue on Anniversary of Korean War". Symantec Security Response. Retrieved 2019-09-25.
  12. Hong Jae-won; Park Hong-du (2013-06-25). "'6·25 사이버 테러' 남도 북도 같은 날 당했다" ['June 25 cyber terror': both South and North hit on the same day]. Kyunghyang Shinmun (in Korean). Retrieved 2023-01-31.
  13. "10만건 개인정보유출 사실로 드러나....청와대, 사과문 공지" [Leak of 100,000 personal records confirmed... Cheong Wa Dae posts apology]. www.ddaily.co.kr (in Korean). Retrieved 2023-01-31.
  14. "[속보]정부 "6·25 사이버공격 북한 소행"" [Breaking: Government says 'June 25 cyberattack was North Korea's doing']. Kyunghyang Shinmun (in Korean). 2013-07-16. Retrieved 2023-01-31.
  15. "N Korea 'behind hacking attack'". 2013-07-16. Retrieved 2019-09-25.
  16. Kwon Hye-jin (2013-07-16). ""'6·25 사이버공격'도 북한 소행 추정"(종합)" ['June 25 cyberattack' also presumed to be North Korea's doing (roundup)]. Yonhap News Agency (in Korean). Retrieved 2019-09-25.
  17. "보도자료(과학기술정보통신부) | 과학기술정보통신부" [Press release (Ministry of Science and ICT) | Ministry of Science and ICT]. www.msit.go.kr. Retrieved 2019-09-25.
  18. Lee Minji (April 10, 2013). "(2nd LD) Gov't confirms Pyongyang link in March cyber attacks". Yonhap News. Retrieved September 7, 2016.
  19. Jeyup S. Kwaak (July 31, 2013). "Seoul Suspects South Korean Tech Executive of Helping North in Cyberattacks". The Wall Street Journal. Retrieved August 3, 2013.
  20. National Geographic Channel, "Top 10 keywords of 2013" (내셔널지오그래픽채널, '2013년 10대 키워드'). Kyunghyang Shinmun, 12 December 2013.