(2nd LD) Gov't confirms Pyongyang link in March cyber attacks

(ATTN: ADDS details in para 15-17)
By Lee Minji

SEOUL, April 10 (Yonhap) -- Amid escalating tension on the Korean Peninsula, the South Korean government on Wednesday announced that North Korea was behind the massive hacking attack that paralyzed networks of local financial firms and broadcasters last month.

Three South Korean banks -- Shinhan, NongHyup and Jeju -- and their insurance affiliates as well as three TV broadcasters -- KBS, MBC and YTN -- were hit by the cyber attack as malicious code infected some 48,000 computers in their networks on March 20.

Following the initial attack, 58 YTN affiliate servers and 14 anti-Pyongyang Web sites, including those operated by North Korean defectors, also suffered another round of attacks on March 25 and 26.

"An analysis of cyber terror access logs, malicious code and North Korean intelligence showed that the attack methods were similar to those used by the North's Reconnaissance General Bureau, which has led hacking attacks against South Korea," Lee Seung-won, an official at the Ministry of Science, ICT & Future Planning, said in a press conference.

The ministry said South Korea plans to hold a state cyber security meeting on Thursday led by the head of the country's spy agency and attended by 15 government agencies.

Government officials said the North has prepared the attack plan since June last year by distributing malicious code through at least six PCs that accessed local networks a minimum of 1,590 times. Local networks were directly accessed from North Korea on 13 occasions out of the total, they added.

"North Korean PCs first used local infiltration routes to test the attack orders in February," said Chun Kil-soo, the head of the Korea Internet Security Center at the state-run Korea Internet & Security Agency.

Of the 76 pieces of malicious code used in the attacks, there were 18 bits of code exclusively used by North Korean hackers that had been used in previous hacking attempts, according to Chun.

The official also said that out of the 49 infiltration routes detected, including 25 local and 24 overseas routes, 22 were Internet addresses that the North has used since 2009 to launch hacking attacks on Seoul.

The announcement comes as North Korea is ratcheting up threats against Seoul and Washington ahead of an imminent missile test.

While critics almost immediately pointed fingers at Pyongyang, the government had kept mum on the communist state's involvement, saying it was in the process of a "multilateral" probe to track down "all possible infiltration routes."

Earlier in the probe, the communications watchdog said a Chinese IP address accessed NongHyup's update management server and generated malicious files, fueling speculations of the North's involvement.

The watchdog, however, retracted the announcement a day later and acknowledged that it had mistaken a private IP address used by NongHyup as an IP address allocated to China.

The March hacking attacks marks the latest attack in Pyongyang's growing pursuit of technological warfare. While the communist state has denied allegations, it has been blamed for a series of cyber attacks on the Web sites of South Korean government agencies and financial institutions in the past few years.

One of the biggest attack was on the JoongAng Ilbo in June 2012. The conservative media outlet came under a cyber attack that crippled its server and Web site. The National Police Agency later determined that North Korea was responsible for the attack.

NongHyup's computer network also crashed in September 2010 apparently from an attack by the North, according to prosecutors and the police.

In addition to the hacking attacks, the North has been disrupting global positioning system (GPS) signals since 2010, disrupting hundreds of South Korean commercial ships and flights in the border area.

North Korea is known to operate a cyber warfare unit of 3,000 elite hackers who are trained to break into computer networks to steal information and distribute malware.

mil@yna.co.kr
(END)