N.Korea was behind Nonghyup cyberattack, prosecutors say

Posted on: 2011-05-04 14:40 KST, modified on: 2019-10-19 20:29 KST
Experts question whether N.Korea could have accessed Nonghyup’s internal network
 a senior prosecutor from the Seoul Central District Prosecutors’ Office

By Kim Tae-gyu and Koo Bon-kwon, Senior Staff Writer 

Prosecutors are pointing to North Korea as the culprit in an attack that paralyzed the Nonghyup Bank computer network.

The Second High-Tech Crimes Investigation Division of the Seoul Central District Prosecutors’ Office, under Chief Prosecutor Kim Young-dae, released its investigation results Tuesday, characterizing the attack as “unprecedented cyber-terrorism with North Korean involvement, closely prepared over a long period of time and executed by the same group that perpetrated the DDoS (distributed denial of service) attacks on July 7, 2009, and March 4 of this year.”

Prosecutors stated that a notebook computer belonging to an employee of the company managing the Nonghyup server became a so-called “zombie PC” after being infected in September 2010 by malicious code distributed by the North Korean Reconnaissance General Bureau, and that North Korea subsequently operated the notebook remotely to attack the Nonghyup computer network.

North Korea did not initially target Nonghyup, but the bank was exposed as a result, prosecutors explained.

As bases for this conclusion, prosecutors cited the fact that one of the IP addresses of the server issuing the attack commands was confirmed to be administered by the North Korean Reconnaissance General Bureau, along with the strong similarity of the malicious code and its distribution methods to those used in previous DDoS attacks concluded to be North Korea’s doing.

Some experts at security companies reacted with skepticism to the prosecutors’ contentions. One expert questioned the explanation that the parties behind the attack used the same overseas command server employed by hackers in the DDoS attacks for operating zombie PCs, noting that its IP address was blocked through the Korea Internet Security Agency.

A computer systems design expert said, “The back door program on the notebook used in the attack could not function if linked with Nonghyup’s internal network, which is cut off from the Internet.”

The argument is that it would have been effectively impossible for an outside party to precisely identify and attack the structure and workflows of Nonghyup’s computer system, and the specific notebooks authorized for top-level access, without assistance from an insider.

When questioned about their evidence of North Korea’s direct involvement, prosecutors reiterated that they could not disclose the information because it was related to national security.
