Suspected North Korean cyberattack on a bank raises fears for S. Korea, allies
By Chico Harlan and Ellen Nakashima
SEOUL — After nearly half of the servers for a South Korean bank crashed one day in April, investigators here found evidence indicating that they were dealing with a new kind of attack from an old rival: North Korea.
South Korean officials said that 30 million customers of the Nonghyup agricultural bank were unable to use ATMs or online services for several days and that key data were destroyed, making it the most serious of a series of incidents in recent months. But even more troubling was the prospect that a belligerent neighbor had acquired the tools to disrupt one of the world’s most heavily wired nations — and that even more damaging attacks could be in store.
“This was an unprecedented act of cyberterror involving North Korea,” said Kim Young-dae, a senior South Korean prosecutor in charge of the investigation.
Conclusively identifying who ordered a cyberattack is notoriously difficult. But Western analysts who studied the incident agreed that the aggressor was probably North Korea and described it as the first publicly reported case of computer sabotage by one nation against a financial institution in another country.
Cyberwarfare offers high potential for asymmetric threats, providing poor nations with easy opportunities to inflict damage on a richer, more developed rival. Such an attack is relatively cheap to launch, but playing defense is costly: After the incident, the South Korean bank pledged to spend $476 million by 2015 on network security.
“They are doing massive damage with simple means,” said Georg Wicherski, a researcher with U.S.-based McAfee Labs, who analyzed the attack. “This is Cyberwarfare 101.”
Ninety-five percent of South Koreans have high-speed Internet access — the highest rate on the planet. They bank, shop and store medical records online. And South Korea is spending billions of dollars to secure its extensive networks.
North Korea, by contrast, is an isolated, impoverished state in which only a select few have access to the Internet because leader Kim Jong Il, fearing its power to spread dissent, restricts its use. With little vulnerability to computer attacks, North Korea is free to focus on offense, which has relatively low costs and a potentially high impact.
Although North Korea has only rudimentary cyberattack skills, its growing expertise means it could someday target the South’s military networks, potentially endangering the secrets of close allies, including the United States, U.S. officials and experts say.
South Korean investigators said they determined that 10 servers used in the bank incident were the same ones used in previous cyberattack operations against South Korea, including one in 2009 and another in March, that they blamed on the North. Investigators say they determined, for instance, that a “command and control” server used in the 2009 operation was registered to a North Korean government agency operating in China.
Investigators say the April bank attack occurred when a contractor inadvertently downloaded a malicious program onto a laptop computer, giving hackers the ability to control the computer remotely. Then, over a period of weeks or months, the hackers placed malicious code throughout the bank’s network, which allowed them — with the equivalent of a squeeze on a cyber-trigger — to make hundreds of servers crash at once.
North Korea has denied any role in the attack, saying in a statement carried by the state-run Korean Central News Agency that the South was “clinging to confrontation with its compatriots through crudely fabricated schemes.”
South Korean officials fear that North Korea has the intent — if not the capability, yet — to inflict more serious damage on critical networks. They point to the arrest last year of an alleged North Korean spy accused of trying to obtain confidential records of the Seoul railway system, which uses the same industrial software that was targeted by Stuxnet, a computer virus. Stuxnet damaged centrifuges in an Iranian nuclear plant in 2009 and 2010.
A North Korean cyberwarfare unit in 2009 penetrated a military network in Seoul, stole a computer password and used it to obtain sensitive data about the location of toxic-chemical manufacturers, said Lim Jong-in, dean of the Center for Information Security Technologies at Korea University, which trains the military in cyberdefense. He said the South has since hardened its military computer networks, but the North’s capabilities also are improving.
Cyberwarfare is the latest example of North Korea’s growing asymmetric capabilities, said Gordon Flake, executive director of the Mansfield Foundation, a think tank. He said that North Korea, “by most counts a failed state, is able to demand the attention of its much more successful neighbor to the south as well as other regions in the world” by developing programs in nuclear, chemical and biological weapons.
North Korea has trained at least 3,000 hackers in five years, said former North Korean computer science professor Kim Heung-kwang. Experts say the nation uses methods learned from the Chinese, who in their operations infiltrate as many systems as possible, in what is sometimes called the “thousand grains of sand” approach.
Kim, who taught hacking skills before defecting to South Korea, said North Korea identifies top math students in elementary school to allow for years of training, including classes on the finer points of code-breaking at one of four universities. Kim, whose account could not be independently verified, said that system produces about 50 recruits each year for the elite cyberwarfare Unit 121. They are then sent to China or Russia for additional training, he said.
Richard A. Clarke, a former White House cybersecurity and counterterrorism official who co-authored the 2010 book “Cyber War,” said North Korea, though much less sophisticated in its cyberwarfare ability than China and some other nations, could someday target the United States. “While a cyberattack on the United States seems like an irrational act for any nation state, North Korea regularly does things that seem like irrational acts,” he said.
South Korea blamed agents from the North for a “denial of service” operation July 4, 2009, that blocked access to at least 35 South Korean and U.S. government Web sites. In the incident, an army of zombie computers repeatedly accessed the sites, overwhelming servers to the point that they crashed. Commercial Web sites, including The Washington Post’s, also were affected.
In March, 29 South Korean government and corporate Web sites — including ones for the president and the Defense Ministry — crashed in another denial-of-service assault. Again, South Korea blamed North Korea.
The incident lasted 10 days, and it involved more than 100,000 zombie computers whose users had unknowingly downloaded malicious software. The software in the zombie computers was programmed to self-destruct on the final day, crippling the operating systems of hundreds of computers.
Dmitri Alperovitch, vice president of threat research for McAfee Labs, which examined the incident, said North Korea may have been trying to probe South Korea’s ability to respond to such an assault.
South Korean prosecutors said the April bank attack — which was more sophisticated than the denial-of-service operations because it required penetration of secure systems and deletion of data to disable servers — was staged from China, a common tactic because it allows North Korean hackers to avoid leaving a digital trail back to their nation.
“The bank attack was like shelling an island to create terror without attacking a high-value military target,” said McAfee’s Wicherski, in a reference to North Korea’s artillery attack on South Korea’s Yeonpyeong island in November.
Philip Kim, the chief executive and president of AhnLab, South Korea’s largest cybersecurity firm, said, “These days, the big pieces of South Korean society are all connected, and it’s very difficult to know which boundaries you have to protect. It’s an open war.”
Special correspondent Yoonjung Seo contributed to this report.