South Korean Web Sites Are Hobbled in New Round of Attacks

Washington Post Foreign Service
Friday, July 10, 2009

TOKYO, July 9 -- South Korea was bombarded Thursday with a third wave of cyberattacks, which disrupted and in some cases halted access to government, banking and media Web sites.

Intelligence officials in Seoul, meanwhile, presented no hard evidence to support earlier suspicions that North Korea may have been behind the disruptions that have hit Web sites in South Korea and the United States in recent days.

The timing of Thursday's attacks, which began in the early evening, had been predicted by the country's largest computer security company, AhnLab. It said hackers had planted "malicious codes" in thousands of personal and business computers, and that the codes contained instructions to bombard seven Web sites in South Korea at 6 p.m. local time.

When the attacks began, however, there were many more targets than predicted. About half a dozen government Web sites not on the company's list, including those of parliament, the Defense Ministry and the Foreign Ministry, slowed down or temporarily stopped working.

South Korea's main spy agency said that the "level of the attacks was highly organized and meticulously planned," indicating the work of "certain organizations or state."

The National Intelligence Service did not, however, single out North Korea by name as a suspect. Agency officials had told some members of the National Assembly yesterday that North Korea was the prime suspect, according to news reports in Seoul.

The intelligence agency had been expected to elaborate on that conclusion Thursday before the intelligence committee in the National Assembly. The committee did not convene, however, because the main opposition party vetoed the session, according to Park Ji-won, a member of the committee and a senior member of the opposition.

The attackers appeared to have backed off U.S.-based targets. Alex Lanstein, senior security researcher at FireEye, a Milpitas, Calif.-based computer security firm, said the attackers dropped the U.S. government and commercial Web sites from their hit list Tuesday afternoon, after those sites began working with large Internet service providers to filter and block the attack traffic.

Experts said the bug that caused the attacks, called MyDoom, is fairly unsophisticated. But they also noted that the bug was being frequently reprogrammed to target different sites.

"This wasn't a computer program thrown out into the wild," said Peder Jungck, founder and chief technology officer of CloudShield, a California cybersecurity firm. "Someone was actively monitoring its success and changing the targets based on the response. There's a human on the other side playing chess with us."

The MyDoom bug first surfaced in January 2004 and was originally programmed to force all infected personal computers to attack the Web sites of SCO Group, a software company in Lindon, Utah, and Microsoft. Microsoft still has a standing reward offer of $250,000 for information leading to the arrest and conviction of the bug's author.

Staff writers Brian Krebs and Ellen Nakashima in Washington contributed to this report.

© 2009 The Washington Post Company