You can help expand this article with text translated from the corresponding article in Korean. (March 2013)Click [show] for important translation instructions.
|
In 2013, there were two major sets of cyberattacks on South Korean targets attributed to elements within North Korea.
On 20 March 2013, six South Korean organizations suffered from a suspected cyberwarfare attack. [1] The organizations included three media companies (KBS, MBC, &YTN) and three financial institutions (The National Agricultural Cooperative Federation, Shinhan Bank, & Jeju Bank). The South Korean communications watchdog Korea Communications Commission raised their alert level on cyber-attacks to three on a scale of five. North Korea has been blamed for similar attacks in 2009 and 2011 and was suspected of launching this attack as well. This attack also came at a period of elevated tensions between the two Koreas, following Pyongyang’s nuclear test on 12 February. [2] South Korean officials linked the incident to a Chinese IP address, which increased suspicion of North Korea as "[i]ntelligence experts believe that North Korea routinely uses Chinese computer addresses to hide its cyber-attacks." [3] It was later revealed that the IP address did not originate from China but from the internal network of one of the attacked organizations. [4]
The attacks on all six organizations derived from one single entity. The networks were attacked by malicious codes, rather than distributed denial-of-service (DDoS) attacks as suspected at the beginning. It appeared to have used only hard drive overwrites. [5] This cyberattack “damaged 32,000 computers and servers of media and financial companies.” [6] The Financial Services Commission of South Korea said that Shinhan Bank reported that its Internet banking servers had been temporarily blocked and that Jeju Bank and NongHyup reported that operations at some of their branches had been paralyzed after computers were infected with viruses and their files erased. Woori Bank reported a hacking attack, but said it had suffered no damage. [7]
This cyberattack “caused US$750 million in economic damage alone. (Feakin 2013)” [8] Also, “[t]he frequency of cyber attacks by North Korea and rampant cyber espionage activities attributed to China are of great concern to the South Korean government. (Lewis 2013)” [9]
The June 25 cyber terror is an information leak that occurred on June 25, 2013, that targeted Cheongwadae and other institutions. The hacker that caused this incident admitted that the information of 2.5 million Saenuri Party members, 300 thousand soldiers, 100 thousand Cheongwadae homepage users and 40 thousand United States Forces Korea members. There were apparent hacking attacks on government websites. The incident happened on the 63rd anniversary of the start of the 1950-53 Korean War, which was a war that divided the Korean peninsula. Since the Blue House’s website was hacked, the personal information of a total of 220,000 people, including 100,000 ordinary citizens and 20,000 military personnel, using the “Cheong Wa Dae” website were hacked. [10] [ unreliable source ] The website of the office for Government Policy Co-ordination and some media servers were affected as well.
While multiple attacks were organized by multiple perpetrators, one of the distributed denial-of-service (DDoS) attacks against the South Korean government websites were directly linked to the “DarkSeoul” gang and Trojan.Castov. [11] Malware related to the attack is called "DarkSeoul" in the computer world and was first identified in 2012. It has contributed to multiple previous high-profile attacks against South Korea.
At approximately 2013 June 25 9:10 AM, websites such as the Cheongwadae website, main government institute websites, news, etc. became victims of website change, DDoS, information thievery and other such attacks. When connecting to the Cheongwadae homepage words such as 'The great Kim Jong-un governor' and 'All hail the unified chairman Kim Jong-un! Until our demands are met our attacks will continue. Greet us. We are anonymous' would appear with a photo of president Park Geun-hye.
The government changed the status of cyber danger to 'noteworthy' on June 25 10:45 AM, then changed it to 'warning' on 3:40 PM. [12] Cheongwadae uploaded an apology on June 28. [13]
The Ministry of Science, ICT and Future Planning revealed on July 16 that both the March and June incidents corresponded with past hacking methods used by North Korea. [14] However, the attacked targets include a Japanese Korean Central News Agency site and major North Korean anti-South websites, and the hackers also have announced that they would release information of approximately 20 high-ranked North Korean army officers with countless pieces of information on North Korean weaponry.
Following the hacking in June there was further speculation that North Korea was responsible for the attacks. Investigators found that “an IP address used in the attack matched one used in previous hacking attempts by Pyongyang.” [15] Park Jae-moon, a former director-general at the Ministry of Science, ICT and Future Planning said, “82 malignant codes [collected from the damaged devices] and internet addresses used for the attack, as well as the North Korea's previous hacking patterns," proved that "the hacking methods were the same" as those used in the 20 March cyber attacks. [16]
With this incident, the Korean government publicly announced that they would take charge of the “Cyber Terror Response Control Tower” and along with different ministries, the National Intelligence Service (NIS) will be responsible to build a comprehensive response system using the “National Cyber Security Measures.” [17]
The South Korean government asserted a Pyongyang link in the March cyberattacks, which has been denied by Pyongyang. [18] A 50-year-old South Korean man identified as Mr. Kim is suspected to be involved in the attack. [19]
The South Korean National Geographic published cyber terror as one of the top 10 keywords of 2013 due to these attacks. [20]
In computing, a denial-of-service attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. The range of attacks varies widely, spanning from inundating a server with millions of requests to slow its performance, overwhelming a server with a substantial amount of invalid data, to submitting requests with an illegitimate IP address.
Cyberterrorism is the use of the Internet to conduct violent acts that result in, or threaten, the loss of life or significant bodily harm, in order to achieve political or ideological gains through threat or intimidation. Emerging alongside the development of information technology, cyberterrorism involves acts of deliberate, large-scale disruption of computer networks, especially of personal computers attached to the Internet by means of tools such as computer viruses, computer worms, phishing, malicious software, hardware methods, and programming scripts can all be forms of internet terrorism. Some authors opt for a very narrow definition of cyberterrorism, relating to deployment by known terrorist organizations of disruption attacks against information systems for the primary purpose of creating alarm, panic, or physical disruption. Other authors prefer a broader definition, which includes cybercrime. Participating in a cyberattack affects the terror threat perception, even if it isn't done with a violent approach. By some definitions, it might be difficult to distinguish which instances of online activities are cyberterrorism or cybercrime.
CyberBunker was an Internet service provider located in the Netherlands and Germany that, according to its website, "hosted services to any website except child pornography and anything related to terrorism". The company first operated in a former NATO bunker in Zeeland, and later in another former NATO bunker in Traben-Trarbach, Germany.
Watering hole is a computer attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware. Eventually, some member of the targeted group will become infected. Hacks looking for specific information may only attack users coming from a specific IP address. This also makes the hacks harder to detect and research. The name is derived from predators in the natural world, who wait for an opportunity to attack their prey near watering holes.
During the Russo-Georgian War, a series of cyberattacks swamped and disabled websites of numerous South Ossetian, Georgian, Russian and Azerbaijani organisations. The attacks were initiated three weeks before the shooting war began.
Cyberwarfare by Russia includes denial of service attacks, hacker attacks, dissemination of disinformation and propaganda, participation of state-sponsored teams in political blogs, internet surveillance using SORM technology, persecution of cyber-dissidents and other active measures. According to investigative journalist Andrei Soldatov, some of these activities were coordinated by the Russian signals intelligence, which was part of the FSB and formerly a part of the 16th KGB department. An analysis by the Defense Intelligence Agency in 2017 outlines Russia's view of "Information Countermeasures" or IPb as "strategically decisive and critically important to control its domestic populace and influence adversary states", dividing 'Information Countermeasures' into two categories of "Informational-Technical" and "Informational-Psychological" groups. The former encompasses network operations relating to defense, attack, and exploitation and the latter to "attempts to change people's behavior or beliefs in favor of Russian governmental objectives."
The July 2009 cyberattacks were a series of coordinated cyberattacks against major government, news media, and financial websites in South Korea and the United States. The attacks involved the activation of a botnet—a large number of hijacked computers—that maliciously accessed targeted websites with the intention of causing their servers to overload due to the influx of traffic, known as a DDoS attack. Most of the hijacked computers were located in South Korea. The estimated number of the hijacked computers varies widely; around 20,000 according to the South Korean National Intelligence Service, around 50,000 according to Symantec's Security Technology Response group, and more than 166,000 according to a Vietnamese computer security researcher who analyzed the log files of the two servers the attackers controlled. An investigation revealed that at least 39 websites were targets in the attacks based on files stored on compromised systems.
The cyberattack during the Paris G20 Summit refers to an event that took place shortly before the beginning of the G20 Summit held in Paris, France in February 2011. This summit was a Group of 20 conference held at the level of governance of the finance ministers and central bank governors.
Bureau 121 is a North Korean cyberwarfare agency, and the main unit of the Reconnaissance General Bureau (RGB) of North Korea's military. It conducts offensive cyber operations, including espionage and cyber-enabled finance crime. According to American authorities, the RGB manages clandestine operations and has six bureaus.
Lazarus Group is a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them since 2010. Originally a criminal group, the group has now been designated as an advanced persistent threat due to intended nature, threat, and wide array of methods used when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra and ZINC or Diamond Sleet. According to North Korean defector Kim Kuk-song, the unit is internally known in North Korea as 414 Liaison Office.
Mirai is malware that turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a white hat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs' website, an attack on French web host OVH, and the October 2016 DDoS attacks on Dyn. According to a chat log between Anna-senpai and Robert Coelho, Mirai was named after the 2011 TV anime series Mirai Nikki.
On October 21, 2016, three consecutive distributed denial-of-service attacks were launched against the Domain Name System (DNS) provider Dyn. The attack caused major Internet platforms and services to be unavailable to large swathes of users in Europe and North America. The groups Anonymous and New World Hackers claimed responsibility for the attack, but scant evidence was provided.
The 2017 Westminster data breach occurred on 23 June 2017, when an unauthorised attempt was made to gain access to email accounts belonging to a number of politicians at the United Kingdom's Houses of Parliament. Whitehall officials have claimed that Iran was behind the attack.
On September 3, 2020, at 2:53 am EDT, a 16-year-old male from South Miami, Florida was arrested in connection with distributed denial-of-service (DDoS) attacks on the Miami-Dade County Public Schools's computer network, the fourth largest in the US, causing the system to crash during the first three days of the school year. It occurred as the school system was attempting to conduct internet-based instruction during the COVID-19 pandemic of 2020. After monitoring the IP addresses using the network, investigators concluded the teenager and several foreign actors had hacked the system. At the time, the school district had contracted Stride, Inc. to provide the software necessary for the internet-based instruction. Despite its price tag of $15.3 million, Stride was surprisingly susceptible to the attacks. Consequently, the school district sought the help of the FBI and U.S. Secret Service to investigate.
Park Jin Hyok (Korean: 박진혁) is a North Korean programmer and hacker. He is best known for his alleged involvement in some of the costliest computer intrusions in history. Park is on the FBI's wanted list. North Korea denies his existence.
During the prelude to the Russian invasion of Ukraine and the Russian invasion of Ukraine, multiple cyberattacks against Ukraine were recorded, as well as some attacks on Russia. The first major cyberattack took place on 14 January 2022, and took down more than a dozen of Ukraine's government websites. According to Ukrainian officials, around 70 government websites, including the Ministry of Foreign Affairs, the Cabinet of Ministers, and the National and Defense Council (NSDC), were attacked. Most of the sites were restored within hours of the attack. On 15 February, another cyberattack took down multiple government and bank services.
Killnet is a pro-Russia hacker group known for its DoS and DDoS attacks towards government institutions and private companies in several countries during the 2022 Russian invasion of Ukraine. The group is thought to have been formed sometime around March 2022.