Further developments of DDoS attack suggest participation by high officials

Posted on : 2011-12-05 11:07 KST Modified on : 2019-10-19 20:29 KST
Experts say the attack’s level of sophistication and estimated high cost go far beyond the ability of a GNP secretary

By Kim Oi-hyun 


Allegations of a distributed denial of service (DDoS) attack on the National Election Commission (NEC) web site by a 27-year-old personal assistant of ruling Grand National Party Lawmaker Choi Gu-sik and his associates have prompted a series of questions by opposition party lawmakers.

Opposition party members are saying a parliamentary audit or special prosecutor’s investigation will be needed if the results of the police investigation are not satisfactory.

Democratic Party (DP) floor leader Kim Jin-pyo said, “Judging from all the circumstantial factors, it seems extremely unlikely that this was carried out entirely by a 27-year-old Level 9 assistant.”

The opposition is charging that the attack was likely to have been carefully planned, as the shutdown on the morning of the Seoul mayoral by-election on Oct. 26 disrupted voting by young commuters, particularly liberal-leaning young working people in the Gangbuk area, who were looking for information about voting site changes.

The time required for preparations also appears to have been considerable. Police have pinpointed the first telephone conversation on record between the personal assistant, identified by the surname Gong, and a 25-year-old accomplice identified as Gang as having taken place six months ago, around the same time as the July 4 GNP convention where Choi became head of the party’s publicity and planning office. This predates not only the by-election but also the Aug. 24 referendum on free school lunches that prompted the resignation of former Seoul Mayor Oh Se-hoon and forced the by-election. While it is impossible to conclude that the planning of the attack dates to this time, the evidence supports the possibility that it was premeditated.

The fact that the crime in question is subject to jail time also lends weight to speculation that some more powerful figure was involved.

Moon Yong-sik, head of the DP’s Internet communication committee, explained, “A hacking attack on a state agency carries a minimum sentence of close to two years in prison. We have seen cases in recent years.”

“If you talk to hackers or related businesses, they will tell you it would have cost at least several hundred million won,” Moon added. A Level 9 personal assistant earns less than two million won a month in salary.

Also drawing skepticism is the fact that if, as the GNP is claiming, the crime was an unpremeditated act by one person, the suspect would generally be expected to admit the crime and request leniency.

DP Lawmaker Baek Won-woo said, “The only conclusion we can draw about Gong continuing to deny the charges is that it is an effort to buy time to conceal the higher-ups involved and the money that changed hands.”

“We need to determine quickly and precisely whether there was someone up the line who ordered the attack, and whether there was compensation,” Baek added.

Observers also said the attack would likely have been expensive to arrange due to the high level of technical ability needed. Around the time of the local elections of June 2, 2010, the NEC announced that it had taken thorough steps to beef up its security in preparation for heavy traffic or a DDoS attack.

A representative example is the “Clean Zone” service from KT. In the event of a DDoS attack, the attacker’s connection would be diverted to the Clean Zone, thus protecting the NEC servers. Industry observers said this could neutralize a DDoS attack in the space of no more than 10 to 20 minutes.

The attack on the day of the by-elections, in contrast, lasted for more than two hours.

Baek Won-woo said, “I have heard it would have required 100 thousand computers. That they managed to do it with just 1,500 indicates that this is very complex technology.”

Also pointing to strong technical skills are accounts that the voting booth information menu was the only inaccessible area on the day of the election. Visitors said they were able to access the NEC site, but the voting booth database was not functioning properly. If this is true, it would suggest a more sophisticated approach of attacking a particular menu rather than the “simpler” approach of preventing access to the overall site.

The perpetrators also used a total of ten wireless Internet connections to evade the police, including five T-Login and five WiBro connections.

An official with the police said, “This went beyond simply using zombie PCs and wireless Internet to launder IP addresses. It was a sophisticated attack.”

Industry analysts said that regardless of the perpetrators’ technical ability, all necessary information can be obtained if the access log is disclosed. For this reason, opposition party members are demanding disclosure of information about the time of the attack and the addresses attacked by zombie PCs, or at least an opportunity for private specialists and police to read it and take part in the investigation.

The NEC said the log cannot be disclosed because it is defined as confidential communication information according to the Protection of Communications Secrets Act.

“It may be possible to examine it as long as it goes no further than limiting reading by formal request through a National Assembly vote,” the commission explained.

