North Korea re-used old malware code in March cyberattack against South

The North Korean military was not only behind last month's unprecedented cyber-assault on South Korean TV stations and banks, it left behind enough evidence of its involvement to make attributing blame an open-and-shut case, officials have alleged.

Ever since the 20 March attacks, their highly targeted nature has made North Korea suspect number one, but the detailed evidence presented in a Seoul news conference is still noteworthy.

Investigators alleged that the North had used six PCs to launch the remote attacks, attempting to hide their origin behind up to 1,000 foreign IP addresses. Thirteen of these probes were directly traced to North Korea.

The key piece of evidence was that of 76 samples of malware code used in the attacks, 18 had been used by the North Koreans in previous attacks, as had a further 22 IP addresses that were part of a 2009 attack.

Lee Seung-won, an official at the Ministry of Science responsible for ICT, was even able to name the notorious department of the North Korean military that planned the attacks from their alleged inception in June 2012.

"An analysis of cyber terror access logs, malicious code and North Korean intelligence showed that the attack methods were similar to those used by the North's Reconnaissance General Bureau, which has led hacking attacks against South Korea," he was quoted as saying by local news agencies.

The scale of the attacks deserves its 'unusual' rating even in an era that is becoming more familiar with the reality of cyberwar.

Officials said that nearly 49,000 South Korean PCs were affected across a range of financial and media firms, with the malware setting out to destroy data by making hard drives unbootable.

A key giveaway for South Korean investigators was that 14 anti-Pyongyang websites were also attacked, a targeting unlikely by any other agency.

According to investigators, no data was stolen during the attacks.

The attacks were clearly planned well in advance. A key piece of evidence for this is that patch management systems in a number of the victim companies were hijacked to distribute at least some of the malware, something that would have taken considerable effort and time.

That is probably what was being referred to in another Ministry of Science comment.

“After maintaining monitoring activities, [the attackers] sent out the command to delete data stored in the server, and distributed malware to individual computers through the central server.”

South Korean officials have yet to explain how a coordinated takeover of separate patch management systems happened without being detected.

Rumours have suggested that moles inside the companies must have been used to facilitate some parts of the attack plan.

The Ministry has said it will issue a more detailed report at a later date. Whatever its conclusions, if the North Koreans were behind the attacks, they have demonstrated a high degree of the lateral thinking necessary for well-executed cybercrime.

Two years ago reports emerged that North Korea had sent its best and brightest hackers for training at foreign colleges.

This story, "North Korea re-used old malware code in March cyberattack against South" was originally published by

Copyright © 2013 IDG Communications, Inc.