Cyberattack shakes South Korea: Could North Korea have pulled it off?

Some South Korean banks and television stations were hit by an apparent cyberattack Wednesday. But the attack seems too crude for North Korea's cyberwar program, which is thought to be fairly advanced.

Depositors leave after checking their accounts at automated teller machines of Shinhan Bank Wednesday in Seoul. The bank's computer networks were paralyzed by an apparent cyberattack.

Ahn Young-joon/AP

March 20, 2013

Cyberattacks on three South Korean TV stations and two banks disrupted computer networks and halted ATM services temporarily on Wednesday, sending a tremor through that nation’s heavily Internet-dependent economy and raising questions about whether the attack was carried out by a nation-state or a hacker group.

Fingers were quickly pointed at North Korea as a likely suspect — especially given its protests last week that South Korea and the US were behind a two-day temporary shutdown of its Internet. Longstanding reports suggest that the North is training cadres of elite hackers.

Senior South Korean government officials withheld judgment while the matter is being investigated. But cybersecurity experts said the attacks, which occurred at around 2 p.m. local time, were synchronized and appear to have been the result of malicious software — a crude cyberweapon planted inside the computer networks of the banks and TV stations.

The malicious software was a “wiper” program that deletes computer files en masse — the type of cyberweapon used to attack Saudi Aramco in August 2012, damaging or wrecking 30,000 work stations in the giant oil company’s network.

To plant that kind of cyberweapon in multiple South Korean networks, the attackers had to have been inside the networks for some period. That differentiates these attacks from the attacks now going on against US banks, which flood websites with data and make web services freeze up.

Adding confusion, some South Korean computers were reported to have shown the image of a skull and a graphic claiming the attack was conducted by a group called the “Whois Team.” But that display may say little about who was behind the attack, cybersecurity experts say. More revealing is the apparent goal.

Most hacktivists want to win attention without causing serious damage, yet this attack seemed to be about trying to wreck computer networks, says Anup Ghosh, president of Invincea, a cybersecurity software company in Fairfax, Va.

“We can’t rule out hacktivists yet, but this has similar hallmarks to the attacks on Saudi Aramco,” he says. “This looks kind of like a nation-state trying a false flag attack — trying to hide behind the idea that a hacker group is responsible.”

But other analysts say the attack was not sophisticated enough to be the work of a nation-state.

“If this was an actual cyberattack, it was an abysmal failure,” says Charlie Miller, a former expert for the National Security Agency. “If the goal here was to bring down the banks or TV station, well that just didn’t happen.”

“Also, North Korea likes to saber rattle and take credit. So it seems to me either this was random malware installed by a South Korean hacker doing what hackers do — or else some exploratory effort that wasn’t really trying to cause serious problems, but just test capabilities for some future attack,” he adds.

Shinhan Bank, a major South Korean lender, reported a two-hour system shutdown, which included online banking and automated teller machines. Another major bank, Nonghyup, was hit too. But both banks said their systems rebounded and customer records were safe. Broadcasters MBC and KBS reported their computer networks were hit at the same time, but without an impact on TV broadcasts.

South Koreans routinely shrug off nuclear threats from North Korea, but the prevailing mood after the attack was uncertainty. South Korea is, after all, the world’s most wired country, with its Internet penetration rate exceeding 100 percent, meaning there are more Internet connections than people, according to data released in July 2012 by the Organization for Economic Cooperation and Development.

“Most people aren’t sure yet. There are lots of rumors that maybe North Korea was trying to cause some kind of problems, or it could have been a hacker group. It’s still too early to tell,” said Park Hyun-jung, a recent university graduate in Seoul.

North Korea is believed to have carried out cyberattacks on South Korean government agencies and financial institutions in 2009 and 2011. In the past, the North has issued threats specifically targeting South Korean conservative media outlets (including some of the networks that reported disturbances today), which tend to be harshly critical of Pyongyang.

North Korea’s capacities are still a matter of debate among US cybersecurity experts.

North Korea was reported to have increased the number of troops in its cyberwarfare unit from 500 to about 3,000 in 2011, according to a study last year by the Institute for Korea-US Political Development, an independent research organization based in Las Vegas. The report also said Kim Il Political Military University, known as a “secret university,” educates some 100 world-class hackers every year. The North is sending promising candidates overseas to Russia and China for cyberwarfare training, as well.

“I don’t think anyone really knows what North Korea’s cyber capabilities are,” Miller says. “But if they started couple years ago, and had major government funding and backing ... they could be pretty sophisticated at this point. But if they didn’t, they might have nothing.”

If North Korea has devoted even modest resources to a cyberwar program, then Wednesday’s attack appears too ineffective to be its handiwork, some say. The “attack” may not be an attack at all, but malicious software released by someone with minimal talent.

That conclusion is seconded by Sophos, a cybersecurity company in Britain that has analyzed the malware. Its conclusion “is that the malware is not particularly sophisticated,” writes Graham Cluley, senior technology consultant at Sophos, on the company blog. “For this reason, it's hard to jump to the immediate conclusion that this was necessarily evidence of a 'cyberwarfare' attack coming from North Korea.... As yet no strong evidence has emerged that whoever was behind this attack is based in, or has backing from, North Korea.”

But others say the incident should not be cast off as a failure.

“I would disagree that it 'really failed,' ” Michael Sutton, head of security research for Zscaler, a cybersecurity firm in San Jose, Calif., writes in an e-mail. “While the attack itself had limited sophistication, it succeeded in disrupting the activities of numerous major banks and media outlets in South Korea. It is unlikely that Pyongyang will ever take credit, but given recent tensions, they are a logical suspect.”