Cyber-attack investigation in South Korea

Mar 24 2013
VERTIC Blog >> Verification and Monitoring
Larry MacFaul, London
What happened: On Wednesday 20 March, The Guardian reported that several media companies and banks in South Korea were hit by a suspected cyber-attack at around 14:00 local time. The companies’ IT systems were disrupted, and ATMs and mobile banking services were also impacted. Lim Jong-in, Dean of the Graduate School of Information Security, Korea University, told the Associated Press ‘It's got to be a hacking attack’…‘Such simultaneous shutdowns cannot be caused by technical glitches.’
What was the response: South Korea’s communications agency responded by raising its cyber-attack alert level and by increasing staff resources focusing on the situation. An on-site investigation was also started. The following day, it was reported that the incident was being characterized as a co-ordinated cyber-attack that appeared to come from a Chinese internet protocol (IP) address.
Difficulties in verification/attribution: However, by Friday, South Korean authorities had backtracked from pinpointing China as the origin of the attack. The Korea Communications Commission said that an IP address linked to the incident belonged to a computer at one of the South Korean companies that was attacked. The error apparently arose from the fact that the IP address was used solely on the company's internal network but was identical to a public Chinese address (though, in any case, this in itself may not have provided conclusive evidence on the origin of the attack, since IP addresses can be manipulated by hackers).
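The pitfall described above, an internal address that happens to look like a foreign public one, is a routine check in incident triage: compare every source address against the victim's own address plan before consulting any geolocation source. The script below is an added example, not code from the original post or from the investigators; the address plan, the geolocation table and the log lines are all constructed for the example (the RFC 5737 documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for public-looking blocks, and the country labels are invented).

```python
import ipaddress
import re

# Constructed: the victim organisation's internal address plan, as an asset
# inventory would record it. The /24 is a documentation range standing in for a
# public-looking block that the organisation uses only on its internal network.
INTERNAL_RANGES = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed stand-in for a geolocation database (block -> country label).
# A real investigation would use a maintained GeoIP source; this one is invented.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "COUNTRY-A",
    ipaddress.ip_network("198.51.100.0/24"): "COUNTRY-B",
}

# Addresses that can never be an external origin. Written out explicitly
# (rather than using ip.is_global) so that the documentation ranges above are
# treated as the public addresses they stand in for.
NON_ROUTABLE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")
]

# Constructed log lines in a simplified "timestamp src=IP action target" format.
SAMPLE_LOG = """\
2013-03-20T14:01:03 src=203.0.113.7 action=push-update target=ams-01
2013-03-20T14:01:05 src=10.20.4.9 action=push-update target=ams-02
2013-03-20T14:02:11 src=198.51.100.20 action=login target=vpn-gw
2013-03-20T14:02:40 src=203.0.113.7 action=push-update target=ams-03
2013-03-20T14:03:02 src=192.168.1.5 action=login target=fileserver
"""

SRC_RE = re.compile(r"src=(\d{1,3}(?:\.\d{1,3}){3})")


def naive_origin(ip_str):
    """Geolocate without consulting the victim's own address plan (the pitfall)."""
    ip = ipaddress.ip_address(ip_str)
    for net, country in GEO_TABLE.items():
        if ip in net:
            return country
    return "unknown"


def classify(ip_str, internal_ranges=INTERNAL_RANGES):
    """Inventory-aware classification: the internal inventory wins over geolocation."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in internal_ranges):
        return "internal"
    if any(ip in net for net in NON_ROUTABLE):
        return "non-routable"
    return "external"


def triage(log_text, internal_ranges=INTERNAL_RANGES):
    """Return {ip: (classification, naive_geo, note)} for each distinct source address."""
    result = {}
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if not m or m.group(1) in result:
            continue
        ip_str = m.group(1)
        cls = classify(ip_str, internal_ranges)
        geo = naive_origin(ip_str)
        if cls == "internal" and geo != "unknown":
            note = "internal host; geolocation result is misleading, do not use it for attribution"
        elif cls == "internal":
            note = "internal host"
        elif cls == "external":
            note = "external; geolocation shows only the last visible hop, not the actor"
        else:
            note = "non-routable address; cannot be an external origin"
        result[ip_str] = (cls, geo, note)
    return result


if __name__ == "__main__":
    for ip_str, (cls, geo, note) in triage(SAMPLE_LOG).items():
        print(f"{ip_str:<16} {cls:<13} geo={geo:<10} {note}")
```

In the constructed data, 203.0.113.7 is the analogue of the address in the report: a naive lookup assigns it to COUNTRY-A, while the inventory check shows it is one of the victim's own machines. The note on external addresses records the other caveat from the text: even a genuinely external address identifies only the last visible hop, which the attacker may have chosen.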
Media reports indicate that it may take weeks, or even longer, to carry out the investigation into the incident. Nevertheless, investigators are reported as saying that their analysis of malware and servers indicates that the attack was probably organised from abroad. And unsurprisingly, suspicions have turned towards the DPRK.
It is no secret that verifying or attributing the source of a cyber-attack can be highly challenging. Even if a level of certainty that is satisfactory to those carrying out an investigation has been reached, it can be hard to achieve closure if the accused is simply able to deny involvement, as can be the case in cross-border cyber-attacks. In the meantime, the media, businesses and the public can speculate on the motive and the capacity to carry out such an attack. Assuming that the attack was intentional and its effects were generally those that the perpetrator had intended, who would want to disrupt a number of South Korean banks and broadcasters, and who has the capacity to do so? Perpetrators could, perhaps, fall into four categories: the DPRK government; DPRK supporters not directly associated with the government; another government; or someone else entirely. Without getting rather more involved in the investigation, it is difficult to systematically assess all the possible motives and actors other than the DPRK. However, since suspicions have fallen on that state, it is worth a quick look at the events on the Korean peninsula that are currently being highlighted as pertinent to this incident.
The DPRK’s customarily harsh rhetoric against South Korea and the US continues, and appears to be getting worse. North Korea is certainly very unhappy with the sanctions resulting from its recent nuclear test. Furthermore, it was reported last week that the DPRK accused the US and South Korea of organising cyber-attacks against it.
For its part, the South claims that the DPRK was responsible for around six attacks between 2009 and 2012. McAfee, the computer security firm, has suggested North Korean involvement in a 2011 cyber-attack against the South Korean government and banking sectors. In addition, the North has been accused of jamming GPS signals, affecting flights in South Korean airspace.
Does the DPRK have the capacity to carry out sophisticated cyber-attacks? And is it currently strengthening whatever capacity it has? Opinion appears to be divided, at least on the first point. In 2012 Army General James Thurman, the commander of U.S. Forces Korea, told a congressional hearing that ‘North Korea employs sophisticated computer hackers trained to launch cyber infiltration and cyber-attacks.’ Others believe the state’s capacity is overestimated. Mandiant, the cyber security company, has provided an interesting list of what it feels it can reliably say about cyber capabilities in the North.
One might also ask what the point of a particular attack (of any sort) is, and see if that can help in attributing its source. An attack like that carried out on Wednesday might be a live test of the perpetrator’s offensive capabilities, and the victim’s defensive capabilities. Or it could be a tentative demonstration of strength or a provocation—though somewhat obscured by the lack of clarity on who the perpetrator is.
Of course, difficulties in attribution and verification are not unique to cyber space, though the nature of this realm does present new challenges. With cyber flare-ups increasingly accompanying the world’s hot-spot issues (China–US relations, Iran’s nuclear programme) and the Korean peninsula, it seems a good time to re-emphasize the need for three activities: threat and vulnerability assessments for national critical infrastructure, together with prevention and recovery plans; confidence-building measures among countries and internationally agreed ways of reacting and responding to various types of attack; and, of course, continued work on methodologies for tracing and verifying attacks. These areas require not only cross-border coordination and development, but also cross-sector cooperation, as much of the capacity and infrastructure in cyber space is privately run.

Last changed: Mar 24 2013 at 1:20 PM