“This was an unprecedented act of cyberterror involving North Korea,” said Kim Young-dae, a senior South Korean prosecutor in charge of the investigation.
Conclusively identifying who ordered a cyberattack is notoriously difficult. But Western analysts who studied the incident agreed that the aggressor was probably North Korea and described it as the first publicly reported case of computer sabotage by one nation against a financial institution in another country.
Cyberwarfare offers high potential for asymmetric threats, providing poor nations with easy opportunities to inflict damage on a richer, more developed rival. Such an attack is relatively cheap to launch, but playing defense is costly: After the incident, the South Korean bank pledged to spend $476 million by 2015 on network security.
“They are doing massive damage with simple means,” said Georg Wicherski, a researcher with U.S.-based McAfee Labs, who analyzed the attack. “This is Cyberwarfare 101.”
Ninety-five percent of South Koreans have high-speed Internet access — the highest rate on the planet. They bank, shop and store medical records online. And South Korea is spending billions of dollars to secure its extensive networks.
North Korea, by contrast, is an isolated, impoverished state in which only a select few have access to the Internet because leader Kim Jong Il, fearing its power to spread dissent, restricts its use. With little vulnerability to computer attacks, North Korea is free to focus on offense, which has relatively low costs and a potentially high impact.
Although North Korea has only rudimentary cyberattack skills, its growing expertise means it could someday target the South’s military networks, potentially endangering the secrets of close allies, including the United States, U.S. officials and experts say.
South Korean investigators said they determined that 10 servers used in the bank incident were the same ones used in previous cyberattack operations against South Korea, including one in 2009 and another in March, that they blamed on the North. Investigators say they determined, for instance, that a “command and control” server used in the 2009 operation was registered to a North Korean government agency operating in China.
Investigators say the April bank attack occurred when a contractor inadvertently downloaded a malicious program onto a laptop computer, giving hackers the ability to control the computer remotely. Then, over a period of weeks or months, the hackers placed malicious code throughout the bank’s network, which allowed them — with the equivalent of a squeeze on a cyber-trigger — to make hundreds of servers crash at once.
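The tell in the last step described above, many servers failing within seconds of each other rather than scattered over a day, is something a defender can look for directly in availability telemetry. The following is an added illustration, not code from the investigation or the bank: it takes constructed heartbeat log lines in an assumed "timestamp host status" format, collects the up-to-down transitions, and flags any window (30 seconds and 5 hosts are assumed thresholds) in which an unusual number of distinct hosts go dark together, which is the signature of a synchronized trigger rather than organic failures.

```python
"""Detect a synchronized mass outage in host heartbeat logs.

Added example. Log format, hostnames, timestamps and thresholds are all
constructed for illustration; nothing here comes from the incident itself.
"""
from datetime import datetime, timedelta

# Constructed sample: "<ISO-8601 timestamp> <host> <up|down>".
# Two isolated failures during the day, then five hosts fall within six seconds.
SAMPLE_LOG = """\
2011-04-12T08:00:00 web-01 up
2011-04-12T08:00:00 web-02 up
2011-04-12T08:00:00 db-01 up
2011-04-12T08:00:00 db-02 up
2011-04-12T08:00:00 app-01 up
2011-04-12T08:00:00 app-02 up
2011-04-12T09:15:02 web-02 down
2011-04-12T09:16:30 web-02 up
2011-04-12T11:30:00 db-02 down
2011-04-12T17:00:04 web-01 down
2011-04-12T17:00:05 app-01 down
2011-04-12T17:00:05 db-01 down
2011-04-12T17:00:07 app-02 down
2011-04-12T17:00:09 web-02 down
"""


def parse_heartbeats(text):
    """Parse heartbeat lines into (timestamp, host, status) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, status = line.split()
        events.append((datetime.fromisoformat(ts), host, status))
    events.sort(key=lambda e: e[0])
    return events


def down_transitions(events):
    """Return (timestamp, host) for every up->down transition, in time order."""
    state = {}
    downs = []
    for ts, host, status in events:
        if status == "down" and state.get(host, "up") == "up":
            downs.append((ts, host))
        state[host] = status
    return downs


def find_synchronized_outage(events, window=timedelta(seconds=30), min_hosts=5):
    """Find the window in which the most distinct hosts went down.

    Returns None when no window reaches min_hosts; otherwise a dict with the
    window start, the affected hosts and the fraction of the known fleet hit.
    A sliding window over the sorted transitions keeps this O(n * k) where k
    is the number of transitions that fit in one window.
    """
    fleet = {host for _, host, _ in events}
    downs = down_transitions(events)
    best = None
    for i, (start, _) in enumerate(downs):
        hosts = set()
        for ts, host in downs[i:]:
            if ts - start > window:
                break
            hosts.add(host)
        if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
            best = {
                "start": start,
                "hosts": sorted(hosts),
                "fleet_fraction": len(hosts) / len(fleet),
            }
    return best


if __name__ == "__main__":
    result = find_synchronized_outage(parse_heartbeats(SAMPLE_LOG))
    if result is None:
        print("no synchronized outage found")
    else:
        print(f"{len(result['hosts'])} hosts down within one window starting "
              f"{result['start'].isoformat()}: {', '.join(result['hosts'])}")
```

The two daytime failures never share a window, so they are ignored; the five transitions at 17:00 do, and the alert carries the affected hosts and the share of the fleet. In practice the thresholds would be tuned to the fleet size and normal churn, and the alert would be the cue to check what changed on those hosts in the preceding weeks, which is where the staged code described above would have been planted.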