Seoul cautious in blaming North Korea for massive cyberattack

The victims are three broadcasters – KBS, MBC and YTN – and two banks, Shinhan and Nonghyup. The banks have since restored their operations, but systems at the TV stations were still down as of Wednesday afternoon.

While an organization identifying itself as "WhoisTeam" took credit for the attacks, speculation abounds that North Korea may have sponsored the offensive. South Korean fficials, mindful of tensions on the peninsula, are being cautious with any rhetoric. According to the Guardian, a presidential aide said no determination as to Pyongyang’s role has yet been made.

Nonetheless, the South raised its cyber-attack threat level to level three out of five, and its communications agency has tripled the number of staff devoted to monitoring critical infrastructure. Defense minister Kim Kwan-jin also called an emergency security meeting.

"We sent down teams to all affected sites,” one police official told Reuters. “We are now assessing the situation. This incident is pretty massive and will take a few days to collect evidence."

Cyber-chatter intelligence last week led the South to up its up cyberspace surveillance, ZDnet reported, in preparation of a possible attack from North Korea. It raised the alert level all the way to four and announced that it would be conducting 24-hour monitoring of state telecommunications network. For its part, North Korea accused the US and South Korea of conspiring to take out its internet infrastructure for two days – a charge both vehemently denied.

ZDnet also pointed out that South Korean prime minister Chung Hong-won has made cybersecurity a priority: he visited the Korea Internet and Security Agency (KISA) earlier in March to discuss preparedness for potential cyberattacks.

North Korea is thought to have attacked the South before in virtual fashion, with a 10-day denial of service attack on anti-virus firm McAfee in 2011.

“If North Korean agencies are responsible, this is the latest step in an escalation of cyber-attacks made across the Korean peninsula in recent months,” said Jarno Limnell, director of cyber security at Stonesoft, in an emailed comment. He added, “The choice of targets is telling of the trend that the chief candidates for attack are increasingly likely to be global financial markets and critical infrastructure systems, which if taken down have the power to cripple a nation.”

While those responsible for the attacks may not be unmasked for weeks or even months, researchers are already analyzing the malware. AlientVault found one of the offending pieces of code to attack by way of overwriting a system’s master boot record (MBR), making it a rootkit bug.

It also found references in the code to the word “Hastati” – a potential clue as to the perpetrators and their motivation.

Wikipedia describes Hastati as “a class of infantry in the armies of the early Roman Republic who originally fought as spearmen, and later as swordsmen. They were originally some of the poorest men in the legion, and could afford only modest equipment – light armor and a large shield, in their service as the lighter infantry of the legion. Later, the Hastati contained the younger men rather than just the poorer, though most men of their age were relatively poor. Their usual position was the first battle line. They fought in a quincunx formation, supported by light troops. They were eventually done away with after the Marian reforms of 107 BC.”

Avast meanwhile uncovered that  the attack makes use of an Internet Explorer vulnerability, CVE-2012-1889, which allows a remote attacker via a crafted web site to execute arbitrary code. It also speculated that the attack likely came from China, not the Korean penninsula. 

"The attack probably originates in China. Aside from location of the final (, which is in China, analysis of both 2nd and 3rd stage executable makes us think so," researchers said. "First of all, file names like tongji (statistics), tong (connect), pao (run) are definitely Chinese."

All good forensics, but for now, researchers are generally urging caution in assigning blame for the attacks. “The cause of yesterday’s network problems are still unclear and managed to infiltrate systems to the point of crippling them,” said Ross Brewer, vice president and managing director for international markets at LogRhythm, in a comment. “There remains an enormous amount of uncertainty surrounding the origins of the attack. Without confirmation of the source of cyber-attacks, inaccurate finger-pointing can and often occurs – and given the current diplomatic tensions between South and North Korea, this can lead to unwanted military involvement.

What’s hot on Infosecurity Magazine?