North Korea Still Chief Suspect In Cyber Attacks On South

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Evidence points to an unsophisticated, uncoordinated campaign

Despite evidence that the recent cyber attacks on South Korea were not sophisticated nor particularly coordinated, with no proof of nation state involvement, North Korea remains the number one suspect.

South Korea Seoul © SeanPavonePhoto / Shutterstock.com

Officials in South Korea claim to have traced attacks to an IP address in China, which has indicated to some additional evidence of the North’s involvement. Previous attacks alleged to have been carried out by the North were routed through China.

The Korea Communications Commission (KCC) said it was still working on finding the original source of the malware, which crashed systems at a handful of South Korean companies, including TV networks and banks.

Cyber attacks from Whois?

“At this stage, we’re still making our best efforts to trace the origin of attacks, keeping all kinds of possibilities open,” said Park Jae-Moon, the KCC director of network policy, in a statement to media.

Yet claims the attacks were likely state sponsored have been called into question by sceptical security professionals. A host of notable researchers pointed to the defacements left by the hackers.

The messages indicated they were English-speaking hacktivists, calling themselves the ‘Whois Team’. Below is a typical example:

WhoIs Attacks

Attempts to email the contacts listed on the defacements all returned delivery failures.

Sophos noted the unsophisticated aspect of the attacks, given the Trojan’s main function was to wipe machines’ Master Boot Record (MBR) – something that numerous other malware have done in the past. Major AV companies appear to be blocking the threat too.

Symantec suggested the cyber attacks “may be part of either a clandestine attack or the work of nationalistic hacktivists taking issues into their own hands”.

Trend Micro said it was aware of other attacks on South Korean firms, including banks. “The website of a major electronics conglomerate was defaced. In addition, the websites of several banks may have been compromised and exploits used to plant backdoors on the systems of visitors,” Trend said, in a blog post.

“At this point, there is no evidence that these attacks were coordinated or connected in any manner; the timing may have been purely coincidental or opportunistic.”

Are you a security expert? Try our quiz!