On March 20, 2013, a cyberattack brought chaos to several banks and media outlets in South Korea.
Then more ominously on December 23 last year, computers at the country’s nuclear operator were breached. Again cybercrime was suspected.
The source of these attacks? North Korea. And South Korean investigators say they have proof — the actual malicious codes used in the attacks. They shared this data with CNN.
The 2013 attack, known as “Dark Seoul,” paralyzed an estimated 48,000 computers at a number of major banks and broadcasters, disrupting network systems and wiping their hard disks clean.
“It would try to delete essentially all your files… then restart the system. You would come back up and nothing would be there,” Joshua James, a digital forensic expert, told CNN.
“If it infected more financial systems, it could have deleted all financial data in Korea. I mean, it is dangerous,” the visiting professor at Chuncheon’s Hallym University added.
Live footage of the breaches showed computer screens at the media companies completely down, while bank customers were unable to make withdrawals, or transfer money online.
“Dark Seoul” happened shortly after the North Korean government announced it would end the armistice agreement that brought the three-year Korean War to an end in July 1953 amid growing tensions with its neighbor.
The latest high-profile digital incursion, in December, attempted to steal data from South Korea’s nuclear operator, including plant blueprints and personnel information. Though investigators said no critical data was stolen, the attack raised serious concerns about the safety and security of the 23 nuclear power plants it runs.
The attack itself was described by James as a “spear-fishing” exercise where unsuspecting victims — retired and current employees of the nuclear operator — were prompted to open up a disguised document in their email.
“As soon as you double click on it, it starts running in the background of your computer where you can’t see … it’s also trying to open up your computer — what we call a back door — to give access to the infected system by the attacker,” he told CNN.
The attack, which James said was simpler than “Dark Seoul,” came just a few days after Sony Pictures said their systems has been “hacked,” another attack the South Korean authorities blamed on North Korea.
Proving who did it
“From a law enforcement or investigation side, we’re trying to actually trace back to who did it,” said James.
Seoul announced in mid-March that some of the IP addresses used in December incursion could be traced back to Shenyang, China, which can be easily accessed from the North Korean border. Codes used in the attack were said to be similar in pattern to those used by the North Koreans, South Korean authorities said.
“The malicious codes used in the attack were same in composition and working methods as “Kimsuky” codes known to be used by North Korea,” the prosecutor’s office that leads 17 other government agencies and Internet companies in the investigation said in the statement in March.
Pyongyang has dismissed the claims it launched these attacks, calling them a “plot and fabrication that can never win over the truth.”
But many experts say North Korea appears to be investing more in cyberwarfare because it is cheaper than spending on conventional weapons and can cause significant economic damage to its southern rival. Indeed South Korea’s Defense Ministry estimates that North Korea is operating a “cyberarmy” of 6,000 workers as it focuses on strengthening its asymmetrical warfare capability.
“Hacks are going on all the time, constantly — though how many actually make the news is a very small amount,” said James.
“How many are detected in general? I think the average person would have no clue they’ve been hacked.
“Organizations need to invest the same amount that hackers are investing to protect themselves and right now they’re not,” he added.
Many in South Korea believe not enough effort is being put into defending against cyberattacks. A report by the Korea Institute for Industrial Economics and Trade, a government-funded think tank, estimates that “Dark Seoul” caused about $820 million worth of damage.
Its report, published in 2014, predicted that by 2020, South Korea could be exposed to hacking attacks causing up to $25 billion in economic damage.