North Korean intelligence agency blamed for South Korea cyberattack


A South Korean police officer walks past the Cyber Terror Response Center in Seoul, South Korea, on March 21, 2013. South Korean investigators have traced a cyberattack on banks and broadcasters to North Korea's military intelligence agency.


Chung Sung-Jun

SEOUL, South Korea — The South Korean government says it has confirmed suspicions that North Korea was behind a cyberattack on several of its banks and broadcasters last month.

Seoul's official investigation traced the malware used to six personal computers in North Korea, the Korea Internet and Security Agency (KISA) said Wednesday.

Based on similarities with previous attacks, investigators say there is "a lot of evidence" to suggest that the March 20 incident was masterminded by the North Korean military intelligence agency, the Reconnaissance General Bureau.

"It was a premeditated, well-planned cyberattack by North Korea," a KISA spokesman told a press conference, adding that the strike had taken at least eight months to prepare.


Some 48,000 South Korean computers, servers and ATMs were affected by the attack, which shut down broadcasters KBS, MBC and YTN and brought the Shinhan, NongHyup and Jeju banks to a halt.

According to Seoul's investigation, the hackers had implanted malicious code in the targeted computers months before. When the command was given, it deleted stored data and distributed malware to other machines.

A total of 49 internet protocol addresses were involved in the attack, investigators said, 22 of which had been used in previous attacks by North Korea.

In addition, more than 30 of the 76 different pieces of code recovered from hacked computers were identical to those deployed in other North Korean intrusions.

According to the Korea Herald, experts believe that Pyongyang's Reconnaissance General Bureau is "overseeing the operations of a special elite unit consisting of thousands of cyber warfare experts."

The hackers were apparently able to access the South Korean banks' networks more than 1,500 times between June 28, 2012 and the attack last month, though financial authorities assured that no bank records had been compromised.

Shortly after the intrusion came to light, South Korea's defense ministry announced it would start preparing for cyber warfare, increasing forces and developing different deterrence scenarios in conjunction with the United States.

Investigators in Seoul claimed they found code used in the current cyberattack that was also used in previous hacks blamed on North Korea in 2009 and 2011. But the decision to reverse this finding comes as a surprise to many in Seoul. Two weeks ago, authorities noticed that the malware came from inside South Korea, reversing earlier speculation that the IP address was based in China but that the attack was committed by North Korean hackers.

Despite the South Korean government's claim, the details are still not clear. Many experts originally said the North Korean hack was not sophisticated and exposed already known and serious flaws in South Korea's IT security: the country already has the highest number of PCs infected with malware in the world. North Korea is an easy political target to blame for these hacks, and the mood in Seoul is to wait and see what investigators determine in their final report. Many South Koreans harbor a deep distrust of their government and are usually unwilling to accept these claims at face value.
