Who was behind South Korean cyber-attacks?

Cyber-attacks on government sites and major financial institutions have become an annual event in recent years.

Cyber Attack On South Korea Traced To China
Media websites in South Korea proved themselves so vulnerable to the cyber-attack that only 10 percent of their websites were recovered within two days [Getty]

Lately there’s been a deluge of reports on the origins of the recent cyber-attack on major South Korean websites, and many agree that North Korea may have had a hand in it. In fact, there are few original analyses and even fewer of those that touch on certain aspects, that up until recently, have not been discussed in mainstream media.

It seems that cyber-attacks on South Korean government sites and major financial institutions have become an annual event in recent years. After the 2009 mass DDoS (Distributed Denial of Service) attack rattled the whole nation, others followed in 2010, 2011 and 2012.

And now, in 2013, 32,000 computers have been reportedly damaged. The attack struck the machines on March 20 and wiped the hard drives and master boot, and even put some ATMs out of operation.

How different? 

What is unique about this year’s attack is the fact that it demonstrated two things: first, that simple explanations and convenient truths trump a lengthy re-interpretation of events, and second, how truly vulnerable South Korean sites are.

This year’s attack was not at all sophisticated. Unlike the previous DDoS attacks, which were believed to have originated in North Korea, this hacking contained a spam message that triggered the wiping and overwriting of the hard drive.

Media websites proved themselves so vulnerable to the attack that only 10 percent of their websites were recovered within two days, whereas the Shinhan Bank took only two hours to get back to work. 

Some hacking attacks have very clear goals, such as extracting money, obtaining critical information or hobbling infrastructure, but not this one. A Foreign Policy article claimed the attack as a politically-motivated one which might have come either from North Korea, political activists (or so-called hacktivists) from China or South Korea, or even from the “Whois Team“, a new unknown group claiming to have carried out the attack. 

If the attacks were indeed from North Korea, there is no need to read anything into it. Their message and motive cannot be anymore clear. North Korea has been using all kinds of extreme war rhetoric offline for decades, with statements like “turning the South Korean capital into a sea of fire/blood”. This hacking could be just more blackmailing – only done online. 

Although blaming North Korea for the attack provides very convenient and believable explanations – compact enough to fit into saucy headlines – it is completely lazy and misleading. 

Even so, just days after the incident, almost everyone in the media seemed to agree – even most pro-government ones – that South Korean authorities screwed up big by blaming North Korea as the culprit before looking into the matter more closely. 

South Korea says North behind cyber-attacks

The government’s initial report claimed that the “attack originated from an IP address in China and somehow it was being linked to North Korea, thus North Korea is the culprit” (and by doing so, it effectively angered China). Later it was found that the attacker’s borrowed IP address actually came from one of the local banks. 

A local Korean newspaper reported:

Imagine a war situation. Banks and media networks are shelled simultaneously and bullets are coming from every direction. However, people (referring to the government) start going the wrong way (to find the culprit) even though they don’t know where the bullets are coming from.

This shows how best the South Korean government handled the situation. After tracking down the IP address, but not verifying whether it was the real or borrowed one, authorities jumped to a conclusion and made a contemptible rookie mistake. 

Prone to attacks

With North Korea, their motives for such an attack are obvious. But if it turns out to be just some anonymous attackers, it is difficult to discern what their motives could be in launching this latest cyber-assault. That said, it is now imperative that the focus turns to figuring out what made the attackers target South Korea, and what systemic flaws rendered the local websites helpless and more prone to the attack.

The National Intelligence Service report shows that “between 2008 and 2012 there were 73,030 cyber-attacks and only six of them are believed to be by North Korea”.

A previous report from the Korea Institute of Finance had warned that South Korean websites will see more frequent Advanced Persistent Threat (APT)-type attacks, just like any other country.  

This crisis could have been averted, especially by the broadcasting companies that were hit worst – they have always ignored the warnings on what could happen by not partitioning the network.  

Although South Korea is one of the most wired countries in the world, with its internet speed being the fastest, people who actually live in the country have a lot to complain about visiting local websites.

If a person has lived in other countries before, he/she will immediately notice how complicated and annoying it is to access online banking or any major websites in South Korea.

Most of the websites make it mandatory for users to install additional software to access their service. These tools – built to prevent fraud – ironically work in a way to prevent regular users from accessing the site and paving way for the hackers to fool around.

The omnipresent pop-ups, asking if the user wants to install software, can affect the behaviour.

When a user is denied access a million times after not clicking “yes” to the software installation, even the most prudent – and frustrated – may click “yes” without a second thought, ultimately contributing to the perfect storm of “Dark Seoul” that gripped the country on March 20. 

Yoo Eun Lee is a freelance journalist, blogger and new media specialist writing about North Korean issues and K-pop. She is also an editor at Global Voices covering Korea region. 

Follow her on Twitter: @yoonlee27