The South Korean government says it suspects hackers in North Korea were behind a series of cyber attacks last month.
The attacks took place on June 25, the anniversary of the beginning of the Korean war, and continued for several days. When they began, several South Korean government and private-run websites were defaced or taken offline.
The main evidence behind the South’s accusations was the discovery of an IP address linked to North Korea and similarities in software code between the June 25 attack and previous attacks, the Ministry of Science, ICT and Future Planning said Tuesday.
IP addresses are unique numeric identifiers assigned to every device on the Internet that underpin routing of traffic on the network. All known North Korean IP addresses — there are 1,280 of them — are controlled by the Ministry of Posts and Telecommunications or Star, an affiliated Internet service provider.
Computer security company Fortinet analyzed the June 25 attack and said many of the websites that were taken offline were not directly attacked. Instead, hackers attacked servers that translate human-memorable Internet addresses, like www.example.com, into numeric IP addresses, like 10.234.12.76.
The servers, called DNS or domain name system servers, are queried every time a human-memorable address is typed into a browser, added to an email or followed from a link. Because the numeric IP address is what’s actually used to send, route and receive data, computers need to know it before anything else can happen.
Therefore, if the DNS server isn’t available, it’s impossible to connect to the target website, even if the target website is available.
The attacks on South Korean sites coincided with a previously announced attack on North Korean-related websites by members of the international hacking collective Anonymous. The group launched a series of denial of service attacks that made it difficult to access the sites for several days. Leaders of the Anonymous attacks denied on Twitter any link to the actions against South Korean websites.
One of the attacks targeted the website of the South Korean president and resulted in the site being offline for most of the day.
North Korea’s attempts to block the flow of information from the outside world to its people are well known and well documented, but much less known are South Korea’s attempts to keep its citizens from having unrestricted access to media from North Korea.
The country’s national Internet firewall makes it fairly easy to keep curious South Korean eyes away from sites like the Korean Central News Agency and Rodong Sinmun, but what about radio waves that travel freely across the border?
It turns out the South Korean government doesn’t want its people listening to those either. A network of jamming transmitters blocks reception of North Korean radio broadcasts in Seoul and the surrounding areas, but it’s not quite as complete as the Internet blockade.
In late May I traveled to Seoul to document the current state of South Korea’s radio jamming and discovered it’s enough to stop casual listeners from tuning into the news, music and propaganda that comes from Pyongyang each day, but it’s a low barrier.
There’s a surprisingly easy way to get around the jamming and listen to North Korea’s two major radio networks: the Korean Central Broadcasting Station and Pyongyang Broadcasting Station, even in downtown Seoul. A little travel also gave me a chance to hear a couple of FM radio stations: Pyongyang FM Broadcasting Station and Echo of Unification.
The findings are split across a couple of articles on NK News, which should be accessible to subscribers and non-subscribers alike. You can also find audio recordings of the radio stations and the jamming.
Two ham radio operators hoping to get permission to set up a temporary amateur radio station in North Korea have returned from a trip to the country and have plans to visit again.
Paul Ewing (N6PSE) and David Flack (AH6HY) of the “Intrepid DX” group wrote that they will refine their proposal and “continue to communicate with the Ministry of Foreign Affairs and the Ministry of Posts and Telecommunications.”
The two want permission to lead two groups of twelve people each on a two week expedition to the DPRK. While inside the country, they plan to operate an amateur radio station and make contacts with ham operators around the world.
Getting government permission for the plan is, of course, essential.
During their June trip, the two entered the DPRK in Namyang, near Tumen, and traveled as far south as Panmunjon, before leaving the country at Wonjong, near Rajin.
“The purpose of the visit was to meet with DPRK Government Representatives in Pyongyang and to survey and assess various potential Dxpedition venues throughout the country. Particular attention was paid to terrain and the availability of reliable power,” they wrote on the “P5 Project” blog.
The project is named for North Korea’s radio callsign prefix “P5.” Because the country has no licensed amateur operators, contacting a P5 radio station is extremely rare. If the group manages to get permission for its plan, it should receive a temporary P5 call sign, and there will likely be strong demand from overseas ham operators to communicate with the station.
“Our goals are to provide a much needed P5 contact to the entire amateur radio community world-wide,” they wrote.
The two are now planning a second visit and, in what could be a savvy political move, have added a representative of the Chinese amateur radio community to their group: Fan Bin (BA1RB).
(For background on the project and previous attempts to operate ham radio stations from North Korea, see “Ham radio operators hope to put North Korea on the air” from June 11.)
A hacking group called “DarkSeoul” was behind some of this week’s attacks on South Korean websites, according to researchers at computer security company Symantec.
The company says the group was responsible for denial of service attacks on South Korean government websites and can be directly linked to similar actions in the past.
“We can now attribute multiple previous high-profile attacks to the DarkSeoul gang over the last 4 years against South Korea, in addition to yesterday’s attack,” Symantec said on its Security Response blog. “These attacks include the devastating Jokra attacks in March 2013 that wiped numerous computer hard drives at South Korean banks and television broadcasters, as well as the attacks on South Korean financial companies in May 2013.”
The same hacking group was behind the attacks that targeted U.S. and South Korean websites on the July 4 weekend in 2009, according to Symantec.
The attacks by DarkSeoul have been technically sophisticated on some occasions. But Symantec said it’s not possible to determine whether the acts are those of a nation state, as the South Korean media has suggested in fingering North Korean state hackers in many of these cases, or simply those of a highly skilled group of agitators.
Nevertheless, the attacks are likely to continue, the company said.
“Symantec expects the DarkSeoul attacks to continue and, regardless of whether the gang is working on behalf of North Korea or not, the attacks are both politically motivated and have the necessary financial support to continue acts of cybersabotage on organizations in South Korea. Cybersabotage attacks on a national scale have been rare — Stuxnet and Shamoon (W32.Disttrack) are the other two main examples. However, the DarkSeoul gang is almost unique in its ability to carry out such high-profile and damaging attacks over several years.”
Tuesday’s series of denial of service attacks on major North Korean websites caused delays and frustration for legitimate users but doesn’t appear to have been as large or successful as the first round of attacks in late March and early April this year.
Analysis by NorthKoreaTech.org of data related to the attacks shows the so-called “OpNorthKorea” mission was most successful during its first few hours and then appeared to slowly tail off.
Denial of service attacks involve firing off requests for pages to websites. If enough requests can be sent, the site ends up overloaded and no one gets anything. Success of such an attack requires no hacking of the site itself, just enough people running attack software programs to overload the sites.
The remnants of the attack remain in slow load times for some sites, indicating some hackers are probably still targeting North Korean web servers, but many have stopped.
Overall, the severity is much reduced from the last round, when global attention was focused on North Korea as it issued daily threats against South Korea and the United States.
The Attack Begins
There was some confusion over the precise starting time of the attack due to an error converting between local time and UTC/GMT.
#OpNorthKorea – 6/25 GMT 03 AM
12AM in Korean time.
— Anonymous (@Anonsj) June 25, 2013
03:00 UTC/GMT is actually 12pm local time, not midnight.
The targets of the attack were listed in an online file that was based on The North Korean Website List that resides on this site.
The start of the attacks appears to have triggered a couple of outages on the North Korean Internet, as can be seen in this graphic from Internet monitoring company Renesys. The first occurred at 3am local time and the second just before 6am local time.
Korea Central News Agency (KCNA) and Rodong Sinmun in the DPRK, Choson Sinbo in Japan, the China-based Uriminzokkiri and the European-based Korea-DPR website of the Korea Friendship Association were among the main targets of the attacks.
But how successful were they?
Twitter began filling with “Tango Down” messages — signifying a website has been taken down — soon after the attacks began.
Were the sites really down, or just down for some users?
Frank Feinstein, who runs the KCNA Watch service, set up a page to track the success of attempts to connect to a host of North Korean related sites.
“While I don’t dispute the attacks have been successful, Anonymous have claimed many more sites to be ‘completely offline’ when they aren’t,” he said in comments to North Korea Tech. “I’m not sure how thorough they are with their checks but my data is often different from theirs.”
Feinstein runs several thousand proxy servers to repeatedly hit the KCNA website and grab the latest stories for his site. He used those to survey KCNA and a handful of other websites.
“Interestingly kcna.kp is not behaving very differently from the past weeks access logs. It seems to be standing up better than a lot of others,” he said. “From the selected North Korean sites I monitored, chosonsinbo.com was ‘down’ for a period of two hours, uriminzokkiri and ryugyongclip were also taken out.”
Uriminzokkiri was the target of a hack in April that resulted in details on the site’s 15,000 users being published on the Internet.
“kcna.kp was ‘totally unresponsive’ for less than 0.1 percent of the 24-hour period we have been monitoring it, which is within the margin of error,” he said. “Other sites have responded more strongly.”
Feinstein’s data, shown below, indicates an average response rate of around 40 percent during much of the attack period. At some points it dipped below 10 percent for the sites being monitored.
For just the KCNA website, Feinstein’s monitoring showed a response rate of just 6 percent over the last 24 hours for his 1,214 attempts to grab content. If those numbers are representative of the average Internet user, that means many didn’t manage to connect to KCNA. To them, the site would have appeared down.
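The measurements quoted above (share of fetch attempts that succeeded per site, a site “down” for a two-hour period, and rates that dipped during parts of the attack window) can be reproduced from a plain probe log. The script below is an added example, not Feinstein’s or KCNA Watch’s own code; the probe log and site names are constructed for illustration.

```python
"""Aggregate availability probes into per-site response rates, per-hour
rates and the longest continuous outage, the way a monitoring page
would summarise a denial-of-service period. Added example; the probe
log is constructed and the site names are hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed probe log: (ISO timestamp, site, HTTP status or None on timeout).
# site-a fails for four consecutive half-hour probes, site-b fails once.
PROBES = [
    ("2013-06-25T00:00:00", "site-a.example", 200),
    ("2013-06-25T00:30:00", "site-a.example", None),
    ("2013-06-25T01:00:00", "site-a.example", None),
    ("2013-06-25T01:30:00", "site-a.example", None),
    ("2013-06-25T02:00:00", "site-a.example", None),
    ("2013-06-25T02:30:00", "site-a.example", 200),
    ("2013-06-25T00:00:00", "site-b.example", 200),
    ("2013-06-25T00:30:00", "site-b.example", 503),
    ("2013-06-25T01:00:00", "site-b.example", 200),
    ("2013-06-25T01:30:00", "site-b.example", 200),
    ("2013-06-25T02:00:00", "site-b.example", 200),
    ("2013-06-25T02:30:00", "site-b.example", 200),
]


def is_success(status):
    """A probe counts as a response only for a 2xx/3xx status; a timeout
    (None) or a 5xx from an overloaded server counts as a failure."""
    return status is not None and 200 <= status < 400


def response_rates(probes):
    """Return {site: fraction of that site's probes that succeeded}."""
    hits, total = defaultdict(int), defaultdict(int)
    for _, site, status in probes:
        total[site] += 1
        if is_success(status):
            hits[site] += 1
    return {site: hits[site] / total[site] for site in total}


def hourly_rates(probes):
    """Return {hour_start_iso: fraction of all probes in that hour that
    succeeded}, so dips during the attack window are visible."""
    hits, total = defaultdict(int), defaultdict(int)
    for stamp, _, status in probes:
        hour = datetime.fromisoformat(stamp).replace(minute=0, second=0)
        key = hour.isoformat()
        total[key] += 1
        if is_success(status):
            hits[key] += 1
    return {key: hits[key] / total[key] for key in total}


def longest_outage(probes, site):
    """Longest run of consecutive failed probes for `site`, measured from
    the first failure to the next success (or to the last failed probe
    if the site never recovered within the log)."""
    rows = sorted((datetime.fromisoformat(t), st)
                  for t, s, st in probes if s == site)
    longest, start = timedelta(0), None
    for stamp, status in rows:
        if not is_success(status):
            start = start if start is not None else stamp
        elif start is not None:
            longest, start = max(longest, stamp - start), None
    if start is not None and rows:
        longest = max(longest, rows[-1][0] - start)
    return longest


if __name__ == "__main__":
    for site, rate in sorted(response_rates(PROBES).items()):
        print(f"{site}: {rate:.0%} responded, "
              f"longest outage {longest_outage(PROBES, site)}")
```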
North Korea’s Internet Connection
Ever since the DPRK first opened its connection to the Internet in 2010, the servers in Pyongyang have maintained their link with the rest of the world via China Unicom. About a year after its first connection, the DPRK added a backup route via satellite, and things stayed the same until a couple of months ago.
Then, a third connection appeared via China Unicom Hong Kong. It appeared shortly after the April round of hacking attacks and the easy assumption was that it’s meant to help mitigate the attacks by providing another way for its servers to connect with users around the world.
Then, a couple of weeks before the long-planned June 25 attacks, it disappeared.
There’s no way of knowing why it disappeared, just as there is no way of knowing why it was first added, but the original assumptions at least appear to be incorrect.
Here again is a graph from Renesys showing North Korea’s connection to the global Internet. The Intelsat connection (grey) disappeared around March this year. The China Unicom HK connection is shown in green.
The previously announced June 25 attack on North Korean websites by hackers working under the “Anonymous” name took an unexpected turn on Tuesday when several South Korean sites were hit with attacks. The actions coincided with the release of what hackers said were stolen files on American military personnel.
The North Korean attack did start as scheduled and appears to have been initially successful. Most major North Korean websites are either inaccessible or difficult to access, indicating they are being hit by a denial of service attack. This involves overwhelming a web server with requests so it gets tied up and bona fide traffic doesn’t get through.
The Anonymous hackers had chosen June 25 because it’s the anniversary of the start of the Korean War. The plans had been announced a couple of months in advance and North Korea’s state-run news agency, KCNA, even ran a commentary over the weekend attacking their plans and rubbishing the group.
North Korean military documents
As part of the build-up to Tuesday’s attack, Anonymous said it had gained access to North Korea’s internal intranet system and stolen documents. The claim was met with skepticism and Anonymous said it would make a partial release of documents on Tuesday.
As of time of writing, that has not happened.
Confusion at start of attack
Perhaps a sign of the chaotic nature of the Anonymous hacker collective came shortly after the attacks got underway at midnight local time in Korea. One of the first targets turned out to be one of the most vocal Anonymous members on Twitter.
His own site was hit with a denial of service attack.
A follow up message indicated it had been the result of a mix-up, and a fellow Anonymous hacker had misunderstood the nature of the site.
Blue House Attack
For part of the day, the website of the South Korean president’s office, the Blue House, was defaced.
A YouTube user posting under the name “Bondra James” in a freshly created account uploaded a 2-minute video that appears to show the attack on the Blue House website taking place. A large “Anonymous” watermark covers part of the screen.
The computer being used in the video is named “AnonAR” and the user is employing a toolkit called “w3b_avtix.”
The toolkit apparently contains software to gain access to websites because within about 20 seconds of running the software, the attacker appears to be inside the South Korean president’s website. [Update: The video has been removed from YouTube as a violation of its policy on depiction of harmful activities.]
Other reports said attacks had hit the sites of broadcasters KBS and YTN, although they appear to have been recovered.
The attacks even reached outside of the Korean peninsula. Although the reason is unclear, OpNorthKorea hackers attacked a government website for Zibo City, a provincial city in Shandong, China.
US Military Lists
Coinciding with the attacks, several files containing personal data were uploaded to text-sharing websites, which allow users to post text anonymously.
Several files contained what appear to be the personnel records of members of the U.S. Army’s 3rd Marine Division, 25th Infantry Division and 1st Cavalry Division. The records contain a name, date of birth, rank, social security number and other information related to their service.
Together, the records appear to detail some 7,500 persons, but none of the dates on any of the records in the three files is later than 2009, so the lists could be old.
Also posted were a list of hundreds of names and birthdates claimed to be of Korean military members, user names and login details for accounts on the Blue House website and names, cell phone numbers and more for members of the ruling Saenuri party.
The veracity of all of the information could not be immediately confirmed.
(more to come)
Members of the international hacking collective Anonymous look set to launch a planned cyber attack on North Korean Internet properties at midnight local Korean time on Monday night.
The group has also promised to make public some details of documents gained from a claimed attack on North Korean internal servers.
In messages posted to Twitter on Monday, Anonymous members indicated the countdown for the next stage in their “OpNorthKorea” series of attacks is unchanged.
The exact nature of the attacks is not known, but Anonymous typically uses denial of service attacks. These involve flooding web servers with requests for pages — so many requests that the servers become overloaded and are difficult or impossible to load for bona fide users.
Denial of service attacks are different from hacks in that they don’t involve breaking into the web server and making any changes to the site.
The June 25 date, which marks the anniversary of the start of the Korean War, first came up in April when Anonymous last launched a round of attacks on North Korea. The action resulted in several major North Korean websites being offline for days.
Most were hit with denial of service attacks but at least one high-profile target was hacked. Uriminzokkiri, a China-based website that carries a large amount of North Korean media and propaganda, was broken into and details on its 15,000 users were posted on the Internet.
Among the Internet postings ahead of the attacks was an image of a mourner in front of the sarcophagus of Kim Jong Il. The image had been altered to give the mourner a Guy Fawkes mask, which is one of the most recognized symbols used by Anonymous members.
Ahead of the planned attack, North Korean state media launched a stinging attack on Anonymous.
The full text is currently difficult to access on the KCNA website, either because it’s already being attacked or because of controls put on connections by North Korea. Here’s the full text of the KCNA commentary:
Pyongyang, June 21 (KCNA) — The international hacking group Anonymous is letting loose a string of rubbish regarding the DPRK as the goal of cyber attack.
It announced that it would conduct hacking attack called “operation for infiltrating into interior of the north” with June 25 as an occasion and calculates this would help shake the social system in the DPRK.
Anonymous made up of riff-raffs dares hurt the social system of the DPRK, not content with doing bad things to demonstrate its technology.
This provokes side-splitting laughter.
It singled out the DPRK, a focus of world attention, as a target of cyber terrorism in a bid to have Anonymous, a target of world criticism, recognized by the world.
It hacked into open servers of the DPRK without any secret data by use of poor hacking programs.
And now it is busy describing it as a sort of big technological feat.
What merits a more serious attention is that the U.S. and South Korean puppet forces are joining Anonymous in cyber terrorism as they are keen to isolate and stifle the DPRK politically, militarily and economically and carry out ideological and cultural poisoning operations against the DPRK.
It is by no means fortuitous that South Korean conservative media including Chosun Ilbo and Choongang Ilbo are echoing the anti-DPRK misinformation floated by those betes noires doing everything dirty.
The above-said facts indicate that Anonymous is not a simple hacking group making cyber attack for fun but political servants and an international terrorist group of forces hostile to the DPRK wire-pulled by the U.S. and South Korean intelligence service behind the scene.
Anonymous, in fact, knows nothing about the DPRK.
The Network Kwangmyong Anonymous claimed hacked into it does not exist in the DPRK.
Nevertheless, it is misleading the world public opinion, creating impression that it discovered a sort of top secret on the basis of poor information provided by the U.S. and its puppet South Korean information organs by stealth.
Anonymous abuses IT, which should serve as a powerful means for developing human civilization, as a weapon for terrorism against a specified state.
This is a grave political provocation infringing upon the sovereignty and dignity of an independent country and an open challenge to the international community desirous of using everything created by modern science for independent development of countries and nations and welfare of humankind.
It is nothing but a charade for human scum of Anonymous to try to do harm to the social system in the DPRK as such group is not entitled to remain in the age of IT.
The world will clearly see what bitter cup of setback the Anonymous and other hostile forces behind it will have to drink.
The Korean Central News Agency (KCNA) has attacked claims by international hacker collective Anonymous that it managed to steal North Korean military secrets from computer servers. The attack came in a commentary on Friday, just days before Anonymous plans to launch a cyber-attack on North Korean websites.
Earlier this week, a Twitter user claiming to represent Anonymous hackers said the group had managed to infiltrate North Korean servers on the country’s domestic intranet and access sensitive information.
“We completed several attacks on your internal Websites and inside your local intranets,” the group said in a message posted to the Pastebin website, which allows users to post text messages without revealing their personal details.
“Previously we said we would penetrate the intranet and private networks of North Korea. And we were successful,” the message said.
“Your major missile documentation and residents, military documents show down is already in progress. Your attempt to cover this has been uncovered. We are partially sharing this information with the world.”
The veracity of the Anonymous claim is difficult to ascertain. The group has yet to post a single piece of information that could have been gained in an attack on North Korean servers and it seems unlikely that military secrets would be stored on servers accessible from the controlled but open domestic intranet.
But whether it’s managed to infiltrate domestic servers or not, its threat of an attack on June 25 certainly has the attention of KCNA.
“The international hacking group Anonymous is letting loose a string of rubbish regarding the DPRK as the goal of cyber attack,” the state-run news agency said in the commentary.
“It announced that it would conduct hacking attack called ‘operation for infiltrating into interior of the north’ with June 25 as an occasion and calculates this would help shake the social system in the DPRK. Anonymous made up of riff-raffs dares hurt the social system of the DPRK, not content with doing bad things to demonstrate its technology. This provokes side-splitting laughter.”
The commentary is classic KCNA. First rubbish your opponent, then rubbish its claims.
Last time Anonymous turned its attention towards North Korea, the result wasn’t pretty. The country’s major websites — including that of KCNA — were inaccessible for days and the 15,000-member user database of Uriminzokkiri, a China-based site with close DPRK ties, was published.
Apparently referencing that hack, KCNA said:
“It hacked into open servers of the DPRK without any secret data by use of poor hacking programs. And now it is busy describing it as a sort of big technological feat.”
It’s probably safe to say that if North Korea didn’t have the full attention of Anonymous hackers, it does now.
KCNA went on to claim the Kwangmyong domestic intranet doesn’t exist.
“Anonymous, in fact, knows nothing about the DPRK. The Network Kwangmyong Anonymous claimed hacked into it does not exist in the DPRK.”
North Korea’s domestic intranet has been well documented and well reported, both in the North Korean media and by outsiders who have used it within the country, so its existence isn’t in doubt.
Could there perhaps be confusion over the name? Is KCNA denying its existence on a technicality?
In 2002, KCNA reported on the development of the “Kwangmyong” system:
“In recent years it developed an information retrieval system Kwangmyong and established a computer network for science and technology to make a variety of information service.” — KCNA, “DPRK Central Information Agency for Science and Technology,” August 13, 2002.
And a year earlier The People’s Korea, a Tokyo-based English-language newspaper published by the DPRK-aligned Chosen Soren, reported on the Kwangmyong network too.