North Korea fingered as culprit behind Mar. 20 cyber attacks

Posted on : 2013-04-11 15:57 KST Modified on : 2019-10-19 20:29 KST
Police and other investigative sources say it is still too early to conclusively say N. Korea carried out the disturbances
Photo: Jeon Gil-su, chief of the Internet Incidents Response Division at the Korea Internet Security Agency

By Lee Soon-hyun and Park Hyun-chul, staff reporters

The South Korean government announced that its investigation into the Mar. 20 simultaneous cyberattacks on broadcasters and financial organizations has revealed that the North Korean General Bureau of Reconnaissance (GBR) was behind the disturbances.

The joint government and civilian cyber attack response team held a briefing at the Ministry of Science, ICT and Future Planning in Gwacheon, Gyeonggi Province, on Apr. 10. “The cyber attack on the broadcasters and financial institutions that took place on Mar. 20 had been in the works for at least eight months,” the team said. The broadcasters were KBS, MBC and YTN; the banks included Jeju, Shinhan and Nonghyup. “It shows the same hacking techniques used by GBR in several attempts it has made to hack South Korean networks.”

Starting in Jun. 2012, six PCs in North Korea were used to access the networks of financial institutions and upload a virus, the joint response team said. It also reported that of the 49 domestic and international routes used in the attack, 22 had internet addresses that matched those used by North Korea in hacking activity since 2009.

However, there is some uncertainty about the grounds for fingering North Korea as the culprit and about which organization was behind the announcement.

“This presentation was led by the National Intelligence Service (NIS),” said one government official. “All of the material that was used in the press briefing was prepared by the NIS.”

Furthermore, the cyber terror response center operated by the police, which is trying to determine who the culprit is, did not take part in the presentation.

“The police investigation is being conducted separately from the investigation by the joint response team,” said an officer with the National Police Agency. “We are not yet able to say with certainty where the hacking originated.”

On Apr. 11, the government will hold a meeting to discuss ways to increase cyber safety. Fifteen government agencies will participate, including the Ministry of Science, ICT and Future Planning, the Financial Services Commission, and the Ministry of National Defense.

The joint response team said that it had discovered traces of the first attempt to connect to a South Korean computer on Feb. 22 in order to deliver the remote control command to a PC infected with a North Korean internal IP address (175.45.178.××). At least six PCs located inside North Korea had accessed the financial associations in question 1,590 times to upload the viruses since Jun. 28, 2012, the team also said.

“On Mar. 21, the day after the attack, the firewall and web server log records were deleted in order to remove traces of the hack, but the remote terminal log record remained intact,” said Jeon Gil-su, chief of the Internet Incidents Response Division at the Korea Internet Security Agency (KISA). “This made it possible to verify [the North Korean IP addresses].”

In other words, the hackers tried to cover their tracks to commit the perfect crime, but the North Korean IP addresses were exposed for a few seconds or minutes because of technical issues with the network.
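The forensic situation described above, as an added illustration that is not part of the article: two log sources are wiped after the incident while a third survives, and the surviving source still carries the source address of the sessions. All log lines, addresses and timestamps below are constructed, and the suspect address block is a stand-in for the redacted one in the article. A match on the last-hop address shows where the session came in from, not who was behind it, which is the police source's point about relayed attacks.

```python
import re
from datetime import datetime

# Constructed sample logs for illustration only (not data from the incident).
# The firewall and web logs end on Mar. 19: their later entries were wiped.
# The remote-terminal log was not wiped and still records the sessions.
LOGS = {
    "firewall": """\
2013-02-22T03:11:02 ACCEPT src=203.0.113.7 dst=10.0.5.20 dport=443
2013-03-19T22:40:15 ACCEPT src=198.51.100.3 dst=10.0.5.20 dport=443
""",
    "web": """\
2013-02-22T03:11:05 GET /login src=203.0.113.7 status=200
2013-03-19T22:40:17 GET /index src=198.51.100.3 status=200
""",
    "terminal": """\
2013-02-22T03:12:40 session-open user=admin src=192.0.2.17
2013-03-20T13:58:01 session-open user=admin src=192.0.2.17
2013-03-20T14:02:11 session-close user=admin src=192.0.2.17
""",
}
# Constructed stand-in for the redacted address block quoted in the article.
SUSPECT_PREFIX = "192.0.2."
INCIDENT = datetime(2013, 3, 20, 14, 0)

LINE = re.compile(r"^(\S+) .*?src=(\d+\.\d+\.\d+\.\d+)")

def parse(text):
    """Yield (timestamp, source_ip) for every log line that carries a src= field."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2)

def wiped_sources(logs, incident):
    """Sources whose newest entry predates the incident: a gap that points to deletion."""
    return sorted(name for name, text in logs.items()
                  if max(ts for ts, _ in parse(text)) < incident)

def surviving_hits(logs, prefix):
    """Entries from any source whose src address starts with the suspect prefix."""
    return [(name, ts.isoformat(), ip)
            for name, text in logs.items()
            for ts, ip in parse(text) if ip.startswith(prefix)]

if __name__ == "__main__":
    print("wiped:", wiped_sources(LOGS, INCIDENT))
    for hit in surviving_hits(LOGS, SUSPECT_PREFIX):
        # The prefix match identifies the last hop only; a relay through it is not excluded.
        print("surviving evidence:", hit)
```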

During the briefing on the same day, there was a dispute in regard to the timing of the announcement, and who was behind it. A reporter asked whether it was appropriate to announce the culprit without involving the police, who are currently engaged in an investigation to catch the culprit. Responding to this question, Jeon said, “I am just explaining the results of our analysis. I am not in a position to speak to the relationship between agencies.”

When asked whether it is true that the NIS had led the presentation, Jeon said, “Please understand that there is some sharing of responsibilities among the agencies.”

Certain members of the police force have said that it is premature to conclude that the cyber attack on the broadcasters and financial organizations that occurred on Mar. 20 was the work of North Korea. Because of this, the police took a dim view of the presentation of the investigation results by the joint civilian, government, and military cyber crisis response team, sources say.

“It is true that evidence has been found suggesting that North Korea was behind the hack, but there are still a lot of things we need to look into,” said a source with the police on Apr. 9, who spoke on condition of anonymity. “The joint response team should not have presented their findings so soon.”

The police source suggested that the group had overlooked the possibility of operating under disguised IP addresses.

“When hackers from a third country launch a cyber attack, they can attack through computers that are connected with North Korea,” the source said. “They could have used that method to disguise the real attack IP, which is what can be called ‘IP laundering’. The findings should be presented after possibilities such as this have been completely explored.”

The police currently investigating the incident are also considering whether some other country routed their attack on South Korean computer networks through North Korean computers, sources say.

Another police source disputed the presentation's claim that North Korea has routed its attacks through the same IP addresses since 2009, saying that it is not accurate.

“Were the overseas routes really directly set up by North Korea, or were they routes that can be used by multiple unspecified parties? It isn’t right to assume that they all belong to North Korea without verifying it,” the source said. “When international hackers create an attack route, they also share it with each other. Before deciding what the facts are, we need to analyze the hard disk of the attack route server ourselves.”

On the same day, the police expressed their pessimism about the presentation of the investigation findings by the joint response team, saying that more prudence is called for, a source said.

“Back in Dec. 16, 2012, when accusations were being made about the involvement of an NIS employee in the presidential election, investigation results were presented before the investigation itself had been concluded,” a police source said. “It’s important to remember the public opinion backlash that occurred when contradictory investigation findings came out later.”

Some members of the police force believe that the NIS, which participated in the joint response team, may have been pushing for the presentation. They think the NIS did this because it is hoping that the cyber terrorism prevention bill that was brought to the floor on Apr. 9 by Seo Sang-gi, a lawmaker with the Saenuri Party (NFP), will pass. One of the key provisions of the law is that it puts the NIS in charge of responding to national-level cyber attacks.

“The joint response team is separate from the police investigation,” said an officer in the police cyber terror response center. “We are not in a position to make any comments on the matter. We have not yet reached a stage where we can say where the attack originated.”
