A hacking group called “DarkSeoul” was behind some of this week’s attacks on South Korean websites, according to researchers at computer security company Symantec.
The company says the group was responsible for denial of service attacks on South Korean government websites and can be directly linked to similar actions in the past.
“We can now attribute multiple previous high-profile attacks to the DarkSeoul gang over the last 4 years against South Korea, in addition to yesterday’s attack,” Symantec said on its Security Response blog. “These attacks include the devastating Jokra attacks in March 2013 that wiped numerous computer hard drives at South Korean banks and television broadcasters, as well as the attacks on South Korean financial companies in May 2013.”
The same hacking group was behind the attacks that targeted U.S. and South Korean websites on the July 4 weekend in 2009, according to Symantec.
The attacks by DarkSeoul have been technically sophisticated on some occasions. But Symantec said it’s not possible to determine whether the acts are those of a nation state, as South Korean media has suggested by fingering North Korean state hackers in many of these cases, or simply those of a highly skilled group of agitators.
Nevertheless, the attacks are likely to continue, the company said.
“Symantec expects the DarkSeoul attacks to continue and, regardless of whether the gang is working on behalf of North Korea or not, the attacks are both politically motivated and have the necessary financial support to continue acts of cybersabotage on organizations in South Korea. Cybersabotage attacks on a national scale have been rare — Stuxnet and Shamoon (W32.Disttrack) are the other two main examples. However, the DarkSeoul gang is almost unique in its ability to carry out such high-profile and damaging attacks over several years.”
Tuesday’s series of denial of service attacks on major North Korean websites caused delays and frustration for legitimate users but doesn’t appear to have been as large or successful as the first round of attacks in late March and early April this year.
Analysis by NorthKoreaTech.org of data related to the attacks shows the so-called “OpNorthKorea” mission was most successful during its first few hours and then appeared to slowly tail off.
Denial of service attacks involve firing off requests for pages at websites. If enough requests can be sent, the site ends up overloaded and no one gets anything. Success of such an attack requires no hacking of the site itself, just enough people running attack software to overload the site.
The remnants of the attack remain in slow load times for some sites, indicating some hackers are probably still targeting North Korean web servers but many have stopped.
Overall, the severity is much reduced from the last round, when global attention was focused on North Korea as it issued daily threats against South Korea and the United States.
The Attack Begins
There was some confusion over the precise starting time of the attack due to an error converting between local time and UTC/GMT.
#OpNorthKorea – 6/25 GMT 03 AM
12AM in Korean time.
— Anonymous (@Anonsj) June 25, 2013
03:00 UTC/GMT is actually 12pm Korean time (UTC+9), not midnight.
The targets of the attack were listed in an online file that was based on The North Korean Website List that resides on this site.
The start of the attacks appears to have triggered a couple of outages on the North Korean Internet, as can be seen in this graphic from Internet monitoring company Renesys. The first occurred at 3am local time and the second at just before 6am local time.
Korea Central News Agency (KCNA) and Rodong Sinmun in the DPRK, Choson Sinbo in Japan, the China-based Uriminzokkiri and the European-based Korea-DPR website of the Korea Friendship Association were among the main targets of the attacks.
But how successful were they?
Twitter began filling with “Tango Down” messages — signifying a website has been taken down — soon after the attacks began.
— Anonymous (@Anonsj) June 25, 2013
Were the sites really down, or just down for some users?
Frank Feinstein, who runs the KCNA Watch service, set up a page to track the success of attempts to connect to a host of North Korean related sites.
“While I don’t dispute the attacks have been successful, Anonymous have claimed many more sites to be ‘completely offline’ when they aren’t,” he said in comments to North Korea Tech. “I’m not sure how thorough they are with their checks but my data is often different from theirs.”
Feinstein runs several thousand proxy servers to repeatedly hit the KCNA website and grab the latest stories for his site. He used those to survey KCNA and a handful of other websites.
“Interestingly kcna.kp is not behaving very differently from the past weeks access logs. It seems to be standing up better than a lot of others,” he said. “From the selected North Korean sites I monitored, chosonsinbo.com was ‘down’ for a period of two hours, uriminzokkiri and ryugyongclip were also taken out.”
Uriminzokkiri was the target of a hack in April that resulted in details on the site’s 15,000 users being published on the Internet.
“kcna.kp was ‘totally unresponsive’ for less than 0.1 percent of the 24-hour period we have been monitoring it, which is within the margin of error,” he said. “Other sites have responded more strongly.”
Feinstein’s data, shown below, indicates an average response rate of around 40 percent during much of the attack period. At some points it dipped below 10 percent for the sites being monitored.
For just the KCNA website, Feinstein’s monitoring showed a response rate of just 6 percent over the last 24 hours for his 1,214 attempts to grab content. If those numbers are representative of the average Internet user, most didn’t manage to connect to KCNA. To them, the site would have appeared down, even though the server was almost never completely unresponsive.
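The two figures Feinstein gives for kcna.kp (a 6 percent per-attempt response rate, but “totally unresponsive” for under 0.1 percent of the day) are not contradictory, and the difference is the whole “down for everyone, or down for some users?” question. The following Python is an added example, not Feinstein’s code or anything from the original article, showing how a monitoring setup with many probes would compute both numbers from the same probe log: the per-attempt response rate, the fraction of time windows in which no probe at all got through, and the contiguous outage windows. The probe records, site names used as labels, timestamps and success pattern are constructed for the example and are not the real measurements.

```python
from collections import defaultdict


def _site_probes(probes, site):
    """Probe records for one site as (unix_time, succeeded) pairs."""
    return [(ts, ok) for s, ts, ok in probes if s == site]


def response_rate(probes, site):
    """Fraction of individual fetch attempts that succeeded: roughly one user's odds of loading the page."""
    attempts = _site_probes(probes, site)
    return sum(ok for _, ok in attempts) / len(attempts) if attempts else 0.0


def buckets_by_window(probes, site, window_s=60):
    """Group probe outcomes into fixed-length windows keyed by window number."""
    buckets = defaultdict(list)
    for ts, ok in _site_probes(probes, site):
        buckets[ts // window_s].append(ok)
    return buckets


def unresponsive_fraction(probes, site, window_s=60):
    """Fraction of probed windows in which every probe failed ('totally unresponsive')."""
    buckets = buckets_by_window(probes, site, window_s)
    dead = sum(1 for oks in buckets.values() if not any(oks))
    return dead / len(buckets) if buckets else 0.0


def outage_windows(probes, site, window_s=60):
    """Contiguous runs of totally unresponsive windows as (start_unix_time, end_unix_time)."""
    buckets = buckets_by_window(probes, site, window_s)
    dead = sorted(b for b, oks in buckets.items() if not any(oks))
    windows = []
    for b in dead:
        start, end = b * window_s, (b + 1) * window_s
        if windows and windows[-1][1] == start:
            windows[-1] = (windows[-1][0], end)   # extend the current run
        else:
            windows.append((start, end))          # start a new run
    return windows


# Constructed probe log (not real data): 100 minutes, 10 proxies probing every minute.
# START is 2013-06-25 00:00 KST expressed as Unix time; the site names are only labels here.
START = 1372086000
SAMPLE_PROBES = []
for minute in range(100):
    for proxy in range(10):
        ts = START + minute * 60 + proxy * 6
        # kcna.kp stand-in: one proxy in ten gets a page back each minute, except minute 50 when all fail
        SAMPLE_PROBES.append(("kcna.kp", ts, proxy == 0 and minute != 50))
        # chosonsinbo.com stand-in: everything succeeds except a 20-minute stretch when every proxy fails
        SAMPLE_PROBES.append(("chosonsinbo.com", ts, not (20 <= minute < 40)))


if __name__ == "__main__":
    for site in ("kcna.kp", "chosonsinbo.com"):
        print(site,
              f"response rate {response_rate(SAMPLE_PROBES, site):.1%},",
              f"totally unresponsive {unresponsive_fraction(SAMPLE_PROBES, site):.1%} of windows,",
              "outages", outage_windows(SAMPLE_PROBES, site))
```

With this constructed data the first site answers only about one attempt in ten yet is completely dead for just one minute in a hundred, while the second answers 80 percent of attempts but is completely dead for a solid 20-minute block. A “Tango Down” claim based on a single failed fetch cannot distinguish the two; the outage-window view can.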
North Korea’s Internet Connection
Ever since the DPRK first opened its connection to the Internet in 2010, the servers in Pyongyang have maintained their link with the rest of the world via China Unicom. About a year after its first connection, the DPRK added a backup route via satellite, and things stayed the same until a couple of months ago.
Then, a third connection appeared via China Unicom Hong Kong. It appeared shortly after the April round of hacking attacks, and the easy assumption was that it was meant to help mitigate the attacks by providing another way for its servers to connect with users around the world.
Then, a couple of weeks before the long-planned June 25 attacks, it disappeared.
There’s no way of knowing why it disappeared, just as there is no way of knowing why it was first added, but the original assumption at least appears to be incorrect.
Here again is a graph from Renesys showing North Korea’s connection to the global Internet. The Intelsat connection (grey) disappeared around March this year. The China Unicom HK connection is shown in green.
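What the Renesys graph shows is derived from BGP routing tables: the set of networks that sit directly next to the DPRK’s network in the paths announced to the global Internet, tracked over time. The following Python is an added example, not Renesys code or anything from the original article, of that derivation over a constructed route-collector export: for each snapshot it works out the direct upstream providers of a monitored origin AS (collapsing AS-path prepending so a repeated origin is not mistaken for its own provider) and then reports each provider that appears or disappears between snapshots. The AS numbers come from the RFC 5398 documentation range, the prefix is a TEST-NET prefix, and the snapshot dates and paths are invented to resemble the timeline described above; none of it is real routing data.

```python
from collections import defaultdict


def parse_snapshots(lines):
    """Parse constructed export lines: '<snapshot-date> <prefix> <AS path, collector peer first, origin last>'.
    Lines beginning with '#' are comments."""
    snapshots = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        snapshots[parts[0]].append((parts[1], [int(asn) for asn in parts[2:]]))
    return snapshots


def upstreams(paths, origin):
    """Direct transit providers of `origin`: the AS adjacent to it in every path that terminates at it.
    Consecutive repeats (prepending) are collapsed first."""
    providers = set()
    for _prefix, path in paths:
        collapsed = [asn for i, asn in enumerate(path) if i == 0 or path[i - 1] != asn]
        if len(collapsed) >= 2 and collapsed[-1] == origin:
            providers.add(collapsed[-2])
    return providers


def upstream_changes(lines, origin):
    """Walk snapshots in date order and list each provider that is added or removed, as (date, event, asn)."""
    snapshots = parse_snapshots(lines)
    events, previous = [], None
    for date in sorted(snapshots):
        current = upstreams(snapshots[date], origin)
        if previous is not None:
            events += [(date, "added", asn) for asn in sorted(current - previous)]
            events += [(date, "removed", asn) for asn in sorted(previous - current)]
        previous = current
    return events


# Constructed data (documentation AS numbers and a TEST-NET-3 prefix), not real routing tables.
ORIGIN = 64500  # stands in for the monitored network
SAMPLE_RIB = [
    "# snapshot   prefix          AS path (collector peer ... origin)",
    "2013-02-01 203.0.113.0/24 64510 64496 64500",        # via terrestrial transit 64496
    "2013-02-01 203.0.113.0/24 64511 64497 64500",        # via satellite transit 64497
    "2013-02-01 203.0.113.0/24 64509 64496 64496 64500",  # same transit, prepended by the provider
    "2013-04-15 203.0.113.0/24 64510 64496 64500",
    "2013-04-15 203.0.113.0/24 64511 64498 64500",        # satellite gone, a third transit 64498 appears
    "2013-06-10 203.0.113.0/24 64510 64496 64500",
    "2013-06-10 203.0.113.0/24 64509 64496 64500 64500",  # origin prepending its own AS; 64498 gone
]


if __name__ == "__main__":
    for date, event, asn in upstream_changes(SAMPLE_RIB, ORIGIN):
        print(f"{date}: provider AS{asn} {event}")
```

The same walk over real collector data (for example the MRT dumps that public route collectors publish) is how an outside observer sees a new transit link appear or an old one vanish without any cooperation from the network being watched; it says nothing about why the operator made the change, which is exactly the limit the text above runs into.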
The previously announced June 25 attack on North Korean websites by hackers working under the “Anonymous” name took an unexpected turn on Tuesday when several South Korean sites were hit with attacks. The actions coincided with the release of what hackers said were stolen files on American military personnel.
The North Korean attack did start as scheduled and appears to have been initially successful. Most major North Korean websites are either inaccessible or difficult to access, indicating they are being hit by a denial of service attack. This involves overwhelming a web server with requests so it gets tied up and bona fide traffic doesn’t get through.
The Anonymous hackers had chosen June 25 because it’s the anniversary of the start of the Korean War. The plans had been announced a couple of months in advance and North Korea’s state-run news agency, KCNA, even ran a commentary over the weekend attacking their plans and rubbishing the group.
North Korean military documents
As part of the build-up to Tuesday’s attack, Anonymous said it had gained access to North Korea’s internal intranet system and stolen documents. The claim was met with skepticism and Anonymous said it would make a partial release of documents on Tuesday.
As of time of writing, that has not happened.
Confusion at start of attack
Perhaps a sign of the chaotic nature of the Anonymous hacker collective came shortly after the attacks got underway at midnight local time in Korea. One of the first targets turned out to be one of the most vocal Anonymous members on Twitter.
His own site was hit with a denial of service attack.
A follow up message indicated it had been the result of a mix-up, and a fellow Anonymous hacker had misunderstood the nature of the site.
Blue House Attack
For part of the day, the website of the South Korean president’s office, the Blue House, was defaced.
A YouTube user posting under the name “Bondra James” in a freshly created account uploaded a 2-minute video that appears to show the attack on the Blue House website taking place. A large “Anonymous” watermark covers part of the screen.
The computer being used in the video is named “AnonAR” and the user is employing a toolkit called “w3b_avtix.”
The toolkit apparently includes software for gaining access to websites: within about 20 seconds of running it, the attacker appears to be inside the South Korean president’s website. [Update: The video has been removed from YouTube as a violation of its policy on depiction of harmful activities.]
Other reports said attacks had hit the sites of broadcasters KBS and YTN, although they appear to have recovered.
The attacks even reached outside of the Korean peninsula. Although the reason is unclear, OpNorthKorea hackers attacked a government website for Zibo City, a provincial city in Shandong, China.
US Military Lists
Coinciding with the attacks, several files containing personal data were uploaded to text-sharing websites, which allow users to post text anonymously.
Several files contained what appear to be the personnel records of members of the U.S. 3rd Marine Division, 25th Infantry Division and 1st Cavalry Division. The records contain a name, date of birth, rank, social security number and other information related to their service.
Together, the records appear to detail some 7,500 persons, but none of the dates on any of the records in the three files is later than 2009, so the lists could be old.
Also posted were a list of hundreds of names and birthdates claimed to be of Korean military members, user names and login details for accounts on the Blue House website, and names, cell phone numbers and more for members of the ruling Saenuri party.
The veracity of all of the information could not be immediately confirmed.
(more to come)
Members of the international hacking collective Anonymous look set to launch a planned cyber attack on North Korean Internet properties at midnight local Korean time on Monday night.
The group has also promised to make public some details of documents gained from a claimed attack on North Korean internal servers.
In messages posted to Twitter on Monday, Anonymous members indicated the countdown for the next stage in their “OpNorthKorea” series of attacks is unchanged.
The exact nature of the attacks is not known, but Anonymous typically uses denial of service attacks. These involve flooding web servers with requests for pages — so many requests that the servers become overloaded and are difficult or impossible to load for bona fide users.
Denial of service attacks are different from hacks in that they don’t involve breaking into the web server and making any changes to the site.
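The explanations of denial of service on this page (here and in the later reports above) describe the flood from the victim’s point of view, so the practical question for whoever runs the server is how to see it in the logs. The following Python is an added example, not code from the original articles or from any of the groups they describe, of the two basic checks an operator would run over web-server access logs: a per-client rate check, which catches a single noisy source, and an aggregate rate check, which is what catches a flood spread over many clients where no single one exceeds the per-client limit. The log lines, the client addresses (documentation ranges), the window size and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" format; only the fields the checks need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict for a well-formed access-log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req"), "status": int(m.group("status"))}


def flood_sources(lines, window_s=10, per_ip_threshold=50):
    """Per-client check: {ip: peak requests in any window} for clients whose peak exceeds the threshold."""
    counts = defaultdict(lambda: defaultdict(int))  # ip -> window number -> requests
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["ip"]][int(rec["ts"].timestamp()) // window_s] += 1
    return {ip: max(w.values()) for ip, w in counts.items() if max(w.values()) > per_ip_threshold}


def total_rate(lines, window_s=10):
    """Aggregate check: requests per window across all clients, keyed by window number."""
    per_window = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_window[int(rec["ts"].timestamp()) // window_s] += 1
    return dict(per_window)


def _line(ip, ts_local, path):
    """Build one constructed combined-format line; times are Korean local time (+0900)."""
    return f'{ip} - - [{ts_local} +0900] "GET {path} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'


# Constructed sample log (not real traffic): a little normal browsing, one single-source flood,
# and one distributed flood from 80 clients that each stay under the per-client threshold.
SAMPLE_LOG = [
    _line("192.0.2.10", "25/Jun/2013:00:00:01", "/index.html"),
    _line("192.0.2.11", "25/Jun/2013:00:00:03", "/news/"),
    "this line is not an access-log record and is skipped",
    _line("192.0.2.10", "25/Jun/2013:00:00:12", "/style.css"),
]
SAMPLE_LOG += [_line("198.51.100.7", "25/Jun/2013:00:00:05", "/") for _ in range(120)]
SAMPLE_LOG += [_line(f"203.0.113.{i}", "25/Jun/2013:00:00:17", "/")
               for i in range(1, 81) for _ in range(2)]


if __name__ == "__main__":
    print("noisy clients:", flood_sources(SAMPLE_LOG))
    print("peak aggregate requests per 10s window:", max(total_rate(SAMPLE_LOG).values()))
```

In the constructed data the per-client check flags only 198.51.100.7, while the 80 distributed clients never exceed two requests each and are invisible to it; only the aggregate check shows their window carrying more load than the single-source flood. That difference is why rate limits alone do not stop a distributed flood of the kind described on this page, and why the aggregate baseline matters.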
The June 25 date, which marks the anniversary of the start of the Korean War, first came up in April when Anonymous last launched a round of attacks on North Korea. The action resulted in several major North Korean websites being offline for days.
Most were hit with denial of service attacks but at least one high-profile target was hacked. Uriminzokkiri, a China-based website that carries a large amount of North Korean media and propaganda, was broken into and details on its 15,000 users were posted on the Internet.
Among the Internet postings ahead of the attacks was an image of a mourner in front of the sarcophagus of Kim Jong Il. The image had been altered to give the mourner a Guy Fawkes mask, which is one of the most recognized symbols used by Anonymous members.
Ahead of the planned attack, North Korean state media launched a stinging attack on Anonymous.
The full text is currently difficult to access on the KCNA website, either because it’s already being attacked or because of controls put on connections by North Korea. Here’s the full text of the KCNA commentary:
Pyongyang, June 21 (KCNA) — The international hacking group Anonymous is letting loose a string of rubbish regarding the DPRK as the goal of cyber attack.
It announced that it would conduct hacking attack called “operation for infiltrating into interior of the north” with June 25 as an occasion and calculates this would help shake the social system in the DPRK.
Anonymous made up of riff-raffs dares hurt the social system of the DPRK, not content with doing bad things to demonstrate its technology.
This provokes side-splitting laughter.
It singled out the DPRK, a focus of world attention, as a target of cyber terrorism in a bid to have Anonymous, a target of world criticism, recognized by the world.
It hacked into open servers of the DPRK without any secret data by use of poor hacking programs.
And now it is busy describing it as a sort of big technological feat.
What merits a more serious attention is that the U.S. and South Korean puppet forces are joining Anonymous in cyber terrorism as they are keen to isolate and stifle the DPRK politically, militarily and economically and carry out ideological and cultural poisoning operations against the DPRK.
It is by no means fortuitous that South Korean conservative media including Chosun Ilbo and Choongang Ilbo are echoing the anti-DPRK misinformation floated by those betes noires doing everything dirty.
The above-said facts indicate that Anonymous is not a simple hacking group making cyber attack for fun but political servants and an international terrorist group of forces hostile to the DPRK wire-pulled by the U.S. and South Korean intelligence service behind the scene.
Anonymous, in fact, knows nothing about the DPRK.
The Network Kwangmyong Anonymous claimed hacked into it does not exist in the DPRK.
Nevertheless, it is misleading the world public opinion, creating impression that it discovered a sort of top secret on the basis of poor information provided by the U.S. and its puppet South Korean information organs by stealth.
Anonymous abuses IT, which should serve as a powerful means for developing human civilization, as a weapon for terrorism against a specified state.
This is a grave political provocation infringing upon the sovereignty and dignity of an independent country and an open challenge to the international community desirous of using everything created by modern science for independent development of countries and nations and welfare of humankind.
It is nothing but a charade for human scum of Anonymous to try to do harm to the social system in the DPRK as such group is not entitled to remain in the age of IT.
The world will clearly see what bitter cup of setback the Anonymous and other hostile forces behind it will have to drink.
The Korean Central News Agency (KCNA) has attacked claims by international hacker collective Anonymous that it managed to steal North Korean military secrets from computer servers. The attack came in a commentary on Friday, just days before Anonymous plans to launch a cyber-attack on North Korean websites.
Earlier this week, a Twitter user claiming to represent Anonymous hackers said the group had managed to infiltrate North Korean servers on the country’s domestic intranet and access sensitive information.
“We completed several attacks on your internal Websites and inside your local intranets,” the group said in a message posted to the Pastebin website, which allows users to post text messages without revealing their personal details.
“Previously we said we would penetrate the intranet and private networks of North Korea. And we were successful,” the message said.
“Your major missile documentation and residents, military documents show down is already in progress. Your attempt to cover this has been uncovered. We are partially sharing this information with the world.”
The veracity of the Anonymous claim is difficult to ascertain. The group has yet to post a single piece of information that could have been gained in an attack on North Korean servers and it seems unlikely that military secrets would be stored on servers accessible from the controlled but open domestic intranet.
But whether it’s managed to infiltrate domestic servers or not, its threat of an attack on June 25 certainly has the attention of KCNA.
“The international hacking group Anonymous is letting loose a string of rubbish regarding the DPRK as the goal of cyber attack,” the state-run news agency said in the commentary.
“It announced that it would conduct hacking attack called ‘operation for infiltrating into interior of the north’ with June 25 as an occasion and calculates this would help shake the social system in the DPRK. Anonymous made up of riff-raffs dares hurt the social system of the DPRK, not content with doing bad things to demonstrate its technology. This provokes side-splitting laughter.”
The commentary is classic KCNA. First rubbish your opponent, then rubbish its claims.
Last time Anonymous turned its attention towards North Korea, the result wasn’t pretty. The country’s major websites — including that of KCNA — were inaccessible for days and the 15,000-member user database of Uriminzokkiri, a China-based site with close DPRK ties, was published.
Apparently referencing that hack, KCNA said:
“It hacked into open servers of the DPRK without any secret data by use of poor hacking programs. And now it is busy describing it as a sort of big technological feat.”
It’s probably safe to say that if North Korea didn’t have the full attention of Anonymous hackers, it does now.
KCNA went on to claim the Kwangmyong domestic intranet doesn’t exist.
“Anonymous, in fact, knows nothing about the DPRK. The Network Kwangmyong Anonymous claimed hacked into it does not exist in the DPRK.”
North Korea’s domestic intranet has been well documented and well reported, both in the North Korean media and by outsiders who have used it within the country, so its existence isn’t in doubt.
Could there perhaps be confusion over the name? Is KCNA denying its existence on a technicality?
In 2002, KCNA reported on the development of the “Kwangmyong” system:
“In recent years it developed an information retrieval system Kwangmyong and established a computer network for science and technology to make a variety of information service.” — KCNA, “DPRK Central Information Agency for Science and Technology,” August 13, 2002.
And a year earlier The People’s Korea, a Tokyo-based English-language newspaper published by the DPRK-aligned Chosen Soren, reported on the Kwangmyong network too.
The broadcasts appeared in May and were being recorded by WRN from Voice of Korea’s daily English-language shortwave broadcasts. Voice of Korea puts out an hour-long English-language program each day, and it’s relayed several times to listeners around the globe.
The shortwave signal meant sometimes poor audio quality, but the WRN website was the only place on the Internet offering the program on-demand. Voice of Korea’s own website has news and music clips but not the entire broadcast.
At the time, WRN said it had started the service independently of Voice of Korea and stood ready to cease the service should it receive an objection from Pyongyang.
WRN hasn’t responded to a request for comment on the ending of the broadcast, although it appears unlikely the service would attract complaints from North Korea. By their nature, international broadcasters are established to send programs as widely as possible and the WRN relay would help accomplish that.
All that’s left on the WRN home page now is an error message, with no explanation of what happened.
For listeners who want to hear the daily broadcast, the only option left is shortwave radio. The current Voice of Korea schedule can be found in the resources section on this website.
A Twitter user claiming to speak on behalf of the Anonymous hacker collective says members of the group have succeeded in breaking into North Korean computer servers and stealing military documents.
“Previously we said we would penetrate the intranet and private networks of North Korea. And we were successful,” the group wrote in a news release posted on Pastebin, a website that allows anonymous posting of text documents.
“Your major missile documentation and residents, military documents show down is already in progress. Your attempt to cover this has been uncovered. We are partially sharing this information with the world,” the message read.
The claim is impossible to independently verify, and to date the group has shared none of the information it claims to have obtained from its hacking activities. Nor did it clearly explain how it managed to penetrate North Korean military computer systems.
Hackers made references to accessing the domestic Kwangmyong intranet system, but a link from that system to a military computer network handling state secrets would represent a big hole in network security if it existed.
An additional Twitter message posted a screenshot of a web page from the domestic Kwangmyong intranet system but, as NKNews first discovered, the screenshot dates back to at least 2006, when it accompanied a South Korean newspaper story.
The claims of infiltration come just days before a long-planned attack on North Korean Internet sites is due to take place. Anonymous hackers have been threatening for the last couple of months to mount a denial of service attack on North Korean sites from midnight local time in Pyongyang on June 25.
The group’s last coordinated round of attacks effectively removed the websites from the Internet by deluging them with so much traffic that legitimate users were unable to connect.
The group also posted this video:
The page appeared to have been around for at least a month and content included links to KCTV news bulletins on the YouTube channel of the China-based Uriminzokkiri website, photos and stories from the government’s Korean Central News Agency (KCNA) and some “behind the scenes” pictures from the TV station.
It was written as if it was being run from within the TV station in Pyongyang — something that appears to have fooled several major international news agencies — but a series of inconsistencies in the content made it much more likely to be the work of a North Korean fan in the west.
Early this week, after those inconsistencies were highlighted on NorthKoreaTech and South Korea’s National Police Agency said it was looking into blocking the page, the Facebook account went silent. The account was deleted by its owner, Facebook told NorthKoreaTech.
A lot of the media attention on the page focused on its livestreaming of Korean Central Television but, as noted here earlier, the two livestreams offered by the site weren’t actually original.
They were simply embedded versions of two streams that remain available.
The first is being carried by Ustream, a U.S.-based video streaming site, and appears to be provided from Japan by the General Association of Korean Residents in Japan (Chosen Soren). The second comes from Unification Broadcasting, a Seoul-based defector-run site that analyzes media coverage on both sides of the Korean border.