Thursday, September 1, 2011

Suspected North Korean Cyberattack on a South Korean Bank

Via Washington Post -

After nearly half of the servers for a South Korean bank crashed one day in April, investigators here found evidence indicating that they were dealing with a new kind of attack from an old rival: North Korea.

South Korean officials said that 30 million customers of the Nonghyup agricultural bank were unable to use ATMs or online services for several days and that key data were destroyed, making it the most serious of a series of incidents in recent months. But even more troubling was the prospect that a belligerent neighbor had acquired the tools to disrupt one of the world’s most heavily wired nations — and that even more damaging attacks could be in store.

“This was an unprecedented act of cyberterror involving North Korea,” said Kim Young-dae, a senior South Korean prosecutor in charge of the investigation.

Conclusively identifying who ordered a cyberattack is notoriously difficult. But Western analysts who studied the incident agreed that the aggressor was probably North Korea and described it as the first publicly reported case of computer sabotage by one nation against a financial institution in another country.

Cyberwarfare offers high potential for asymmetric threats, providing poor nations with easy opportunities to inflict damage on a richer, more developed rival. Such an attack is relatively cheap to launch, but playing defense is costly: After the incident, the South Korean bank pledged to spend $476 million by 2015 on network security.

“They are doing massive damage with simple means,” said Georg Wicherski, a researcher with U.S.-based McAfee Labs, who analyzed the attack. “This is Cyberwarfare 101.”

[...]

South Korean investigators said they determined that 10 servers used in the bank incident were the same ones used in previous cyberattack operations against South Korea, including one in 2009 and another in March, that they blamed on the North. Investigators say they determined, for instance, that a “command and control” server used in the 2009 operation was registered to a North Korean government agency operating in China.

Investigators say the April bank attack occurred when a contractor inadvertently downloaded a malicious program onto a laptop computer, giving hackers the ability to control the computer remotely. Then, over a period of weeks or months, the hackers placed malicious code throughout the bank’s network, which allowed them — with the equivalent of a squeeze on a cyber-trigger — to make hundreds of servers crash at once.

North Korea has denied any role in the attack, saying in a statement carried by the state-run Korean Central News Agency that the South was “clinging to confrontation with its compatriots through crudely fabricated schemes.”
