South Korea Backtracks On China Cyber Attack Link

Tom Brewster is TechWeek Europe’s Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Communications regulator made a mistake in linking to China

The South Korean communications regulator has admitted a mistake in its early analysis of cyber attacks on a number of organisations, backtracking on a claim the hits were linked to an IP address in China.

Officials from the Korea Communications Commission (KCC) had claimed cyber attacks had been traced back to a Chinese IP, indicating to some that North Korea was the number one suspect. In the past, when North Korea was blamed for attacks on the South, it was suggested hackers were using servers in China to escape detection.

cyber war - Shutterstock: © jcjgphotographyCyber attack mistake

But today it emerged the regulator, during its investigation into the cyber attack on NongHyup Bank, found the IP address it thought was based in China was actually a virtual IP address used for internal purposes. It was only a coincidence the address matched one registered in China, Reuters reported

The finding would indicate the attackers had control of internal IP addresses.

The Commission said it was still likely a single group was responsible to the attacks on six organisations.

Around 32,000 machines were thought to have been hit, according to the state-run Korea Internet Security Agency.

Further analysis on the malware, which wiped Master Boot Records of PCs, has been released from a host of security firms. FireEye found it was time-based, meaning it was launched at a specified time.

“It had evasion capabilities. The malware also checked for AhnLabs anti-virus—a Korean product—and disabled it. This indicates that the attackers were explicitly targeting Korea,” the company wrote in a blog post.

“In the samples we analysed, “HASTATI” and “PRINCPES” were the two strings used by the malware. It is interesting to note that both these keywords seem to reference Roman armies. The PRINCPES string seems to be a spelling mistake and we speculate that it was actually a reference to the word ‘Principes’.”

Are you a security expert? Try our quiz!