South Korean officials said Friday that they erred in linking a massive cyberattack against banks and broadcasters this week to an Internet address in China — illustrating the difficulties inherent in identifying the hackers behind such attacks.
The attack effectively wiped all data from as many as 32,000 computers at the three banks and three TV networks it struck, South Korean officials said, rendering them useless. It also shut down email, websites, ATMs and online banking for a day or more.
Officials at the Korea Communications Commission, South Korea’s telecommunications regulator, said Thursday that they had identified the Internet Protocol, or IP, address from which malicious software, or “malware,” was downloaded onto the computers of the targeted organizations, and had traced it to China.
But on Friday they said they had erred, mistaking an internal IP address at one of the banks under attack for a public Internet address in China.
Officials had already explained that the fact the IP address was based in China did not identify who was behind the attack. Hackers routinely hide their tracks by routing their attacks through an address belonging to a third party.
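The mix-up described above, an internal address being read as a foreign one, is a routine triage hazard: geolocation services will happily return a country for any dotted quad you hand them. As an added illustration that is not part of the article, the following Python check classifies candidate source addresses and rejects non-routable ones before any geolocation or attribution is attempted. The sample addresses are constructed; 8.8.8.8 is a well-known public resolver included only to show the public case.

```python
import ipaddress

# Constructed sample of candidate "source" addresses of the kind pulled from
# proxy or download logs during an incident review. Only one is public.
SAMPLE_SOURCES = [
    "10.20.30.40",    # RFC 1918: an internal address, never routable on the Internet
    "172.16.5.7",     # RFC 1918
    "100.64.1.2",     # RFC 6598 shared address space (carrier-grade NAT)
    "127.0.0.1",      # loopback
    "203.0.113.9",    # documentation range, reserved for examples
    "fe80::1",        # IPv6 link-local
    "2001:db8::1",    # IPv6 documentation range
    "8.8.8.8",        # well-known public resolver, here only to show the public case
]

# Ranges checked explicitly so the result does not depend on how a given Python
# version's is_private / is_global happens to treat them.
_EXPLICIT = [
    ("shared", ipaddress.ip_network("100.64.0.0/10")),
    ("documentation", ipaddress.ip_network("192.0.2.0/24")),
    ("documentation", ipaddress.ip_network("198.51.100.0/24")),
    ("documentation", ipaddress.ip_network("203.0.113.0/24")),
    ("documentation", ipaddress.ip_network("2001:db8::/32")),
]

def classify_source(addr: str) -> str:
    """Return 'public', or the reason a geolocation/attribution lookup is meaningless."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return "invalid"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    for label, net in _EXPLICIT:
        if ip.version == net.version and ip in net:
            return label
    if ip.is_private:
        return "private"
    if ip.is_reserved or ip.is_unspecified:
        return "reserved"
    return "public"

def attributable_sources(addrs):
    """Keep only the addresses for which an external lookup is even meaningful."""
    return [a for a in addrs if classify_source(a) == "public"]

if __name__ == "__main__":
    for a in SAMPLE_SOURCES:
        print(f"{a:>14}  {classify_source(a)}")
```

Run on the sample list, only 8.8.8.8 survives the filter; every other entry would have produced a confident but meaningless geolocation result.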
Nonetheless, Friday’s news muddied the already murky picture of who might have been responsible for the attack, which employed common-or-garden malware that infected computers at the organizations it struck through so-called “drive-by downloads.”
Drive-bys infect any computer that visits a website that has been modified to install malicious code. In this case, as is common in drive-by infections, the modified website was operated by an innocent third party, the Korea Software Property Rights Council, according to Avast, a Prague-based computer security firm.
Other security specialists said the malware had likely been lurking undetected on the infected networks for some time, but it was unclear how it was triggered.
“We did not detect any form of network communication,” said Pat Calhoun, vice-president of network security for McAfee, meaning the malware was not “phoning home” to get instructions on when to set itself off.
He said it was possible that the attack time had been hard-coded into the malware package, but his team was still studying the issue.
“We don’t know how the switch was flicked,” he said. Wednesday’s cyberattack, the largest against South Korea for at least two years and what looks like the most sophisticated to date, came in the midst of rising tensions on the peninsula and just days after North Korea accused the United States and its South Korean allies of knocking several of Pyongyang’s websites offline last week.
North Korean leaders have ratcheted up their bellicose rhetoric recently, and this week ran national civil defense and military drills in response to a ten-day joint U.S.-South Korean military exercise, codenamed Key Resolve, that ended Thursday.
Pyongyang has been blamed for previous cyber attacks in 2009 and 2011 that had also targeted South Korean financial institutions and government agencies.
News agencies in Seoul have quoted unnamed government officials as saying North Korea was also likely behind Wednesday’s attack. In the past, South Korean officials have said that there are North Korean hackers based in China.
But others disagree that Pyongyang was behind the attack.
“In my opinion, this was likely not a state sponsored attack but probably the work of hacktivists” based in China, Michael Markulec told The Washington Times.
Hacktivists are independent hackers motivated by political or ideological concerns, although those motivated by patriotism, for example, often align themselves with their government’s military or strategic objectives.
Mr. Markulec, the chief technical officer of Lumeta, a company that does computer security work for the Department of Defense, said that the IP address in China was not linked to any known state-sponsored cyberactivity and that the attack itself was “not very sophisticated … a nuisance attack.”
James A. Lewis, a cybersecurity scholar at the Center for Strategic and International Studies, agreed with that assessment. “It’s hard to see what they [the North Koreans] will get out of it. It makes you feel good, I guess.”
He said that while the attack was more sophisticated than past North Korean efforts, “that doesn’t mean it’s sophisticated in real terms.” If North Korea was behind the attack, “they’ve advanced from primitive to basic” in terms of their cyberwar capabilities.
On the other hand, he said, the evidence for any theory about who was behind the attack is “flimsy.”
“There’s nothing conclusive,” he said. “You can make the case either way.”
• Shaun Waterman can be reached at swaterman@washingtontimes.com.