People who apparently took part in this weekend’s denial of service attacks against several major North Korean websites have promised there’s more to come.
The attacks hit sites including KCNA, Voice of Korea, the Committee for Cultural Relations with Foreign Nations and Air Koryo. They also targeted the Korean Friendship Association’s site although I wasn’t able to verify whether it went down.
A denial of service attack involves flooding a web server with so much traffic that it becomes overloaded and cannot respond to legitimate requests for pages. It’s different from the site being hacked, although the end result is similar in that users cannot access the pages.
As of lunchtime Monday Korean time, most of the sites are back online, although KCNA.kp remains impossible to access.
Many of those apparently involved in the attacks were posting on Twitter using the #OpNorthKorea hashtag. On Sunday, some of those messages indicated the coordinated attacks were winding down — for now.
April 19 corresponds to South Korea’s “April Revolution” of 1960 when students took to the streets and ultimately led then-President Syngman Rhee to resign. June 25 was the day in 1950 when the Korean War began.
The selection of those dates could be a hint that some of the attackers have South Korean roots.
The messages also included a new Twitter hashtag: #OpKoreanWar.
So, what did the attacks achieve? Inside North Korea, probably nothing more than an annoyance to the people running the websites. Ordinary North Koreans don’t have access to the Internet so those websites are purely intended for a foreign audience.
Probably those most affected were North Korea watchers and journalists who wanted to check the latest messages from the North Korean government, the majority of which reach most people through the KCNA wire service.
The attacks were the latest in a string of Internet-related incidents in North and South Korea.
This round of attacks, though, appears to have been prompted by North Korea’s declaration that “north-south relations will be put at the state of war and all the issues arousing between the north and the south will be dealt with according to the wartime regulations.”
The denial of service attacks are a digital version of something North Korea has been doing for years. Radio broadcasts from outside the country are regularly jammed by the country to prevent citizens from listening. The jamming involves broadcasting a strong signal on the same frequency as the radio station so its signal cannot be heard.
UPDATE: An earlier version of this story incorrectly stated June 15 was the birthdate of Kim Il Sung. That was incorrect. The correct date is April 15.
North Korea’s external shortwave radio broadcaster, Voice of Korea, joins many of the world’s international broadcasters in switching to a summer frequency schedule on Sunday.
Shortwave broadcasts change frequencies numerous times during the day to take advantage of atmospheric conditions that help their broadcasts reach the intended targets. For this reason, it’s important to know when and where a station will appear.
Based on on-air announcements, this is the new schedule for English-language broadcasts that goes into effect on Sunday and will last for roughly the next six months.
All times are in UTC (GMT) and all frequencies in kilohertz.
0400-0500 to North East Asia on 7220, 9445 and 9730
0400-0500 to Central and South America on 11735, 13760 and 15180
0500-0600 to South East Asia on 13650 and 15105
0600-0700 to North East Asia on 7220, 9445 and 9730
1000-1100 to South East Asia on 11735 and 13650
1000-1100 to Central and South America on 11710 and 15180
1300-1400 to Europe on 13750 and 15245
1300-1400 to North America on 9435 and 11710
1500-1600 to Europe on 13750 and 15245
1500-1600 to North America on 9435 and 11710
1600-1700 to Middle East and North Africa on 9890 and 11645
1800-1900 to Europe on 13750 and 15245
1900-2000 to Middle East and North Africa on 9875 and 11645
1900-2000 to Southern Africa on 7210 and 11910
2100-2200 to Europe on 13750 and 15245
Notes: Voice of Korea continues to suffer from problems that sometimes mean scheduled broadcasts don’t appear or transmissions stop mid-sentence. The schedule above is that announced for the English-language service.
A full schedule, including details of broadcasts in French, German, Spanish, Chinese, Japanese and Russian, is expected in the coming days.
Most Voice of Korea items can be heard on the station’s website, although it does not carry a live stream or complete recording of each day’s program.
After this week’s decision by North Korea to stop answering a military hotline between border control posts at the Kaesong Industrial Zone, there remains just one known link through which North and South Koreans can still directly speak: an air traffic control connection between Seoul and Pyongyang.
The connection, a vital safety link for air traffic overflying the two countries, was first opened in 1998 when the DPRK opened its airspace to overflying aircraft. Before then, aircraft had to fly around the country and that meant longer flights and higher fuel consumption. Opening North Korean airspace was estimated to bring savings of $125 million a year for airlines at the time.
Last year, I wrote about the satellite link between Pyongyang and Beijing that was installed by the International Air Transport Association (IATA) when the DPRK was brought into the Asian regional air traffic control network.
There’s some history in that article, but I recently stumbled across the transcript of a speech given in 2008 by former IATA Director General and CEO Pierre J. Jeanniot that provides a bit of the backstory.
It all started when Air Koryo expressed an interest in joining IATA. As IATA members stood to save money and fuel from access to North Korea’s airspace, Air Koryo’s application provided a way for discussions to open with the government in Pyongyang, said Jeanniot in the speech.
Getting the North Korean government to approve was one hurdle. A second was the out-of-date air traffic control center and a ban on communication with South Korea.
When the talks began, IATA discovered it had another advantage, said Jeanniot:
An additional factor in our favor … was the fact that North Korea was rather short of foreign currency … particularly US dollars … and they had not been aware that air traffic control centers … guiding airplanes through their airspace … could charge an appropriate fee … and thus earn valuable foreign currency. — Pierre J. Jeanniot, AGIFORS Symposium speech, September 26, 2008.
IATA explained to Pyongyang that it could earn foreign currency by opening a few well-defined corridors for aircraft that would pose no security threat for the country. Jeanniot said in the speech that IATA offered to advance the money, train air traffic controllers and modernize the control center.
That solved the first of the problems, but the lack of communications remained.
To overcome this particular constraint … IATA offered … – and subsequently received authorization –… to set up and operate the telephone lines between Pyongyang and Seoul … so that North Korea could continue to feel that they had not established any link with South Korea. — Pierre J. Jeanniot, AGIFORS Symposium speech, September 26, 2008.
From a presentation I received some years ago, here are a couple of pictures of the North Korean air traffic control system upgrade and the phone connection.
A new round of attacks against North Korean websites began Saturday, causing several to become unavailable.
The attacks appear to be part of a loosely coordinated effort by hackers to target North Korean sites after the country’s state-run media said relations with South Korea were “at a state of war.”
As of 3pm Korean time (0600 UTC) on Saturday, attempts to contact the Naenara, Korean Central News Agency, Air Koryo and Voice of Korea sites all failed.
The sites were hit with an apparent DDoS (distributed denial of service) attack in which the web servers are flooded with so much junk traffic from hackers that they become overloaded and cannot handle requests from normal users.
On Twitter, messages were being grouped with the #OpNorthKorea hash tag.
Some apparently calling for attacks on certain sites.
And others marking the successful takedown of a website.
At time of writing the third site on that list, korea-dpr.com, is still available. The site is the home page of Alejandro Cao de Benos’ Korean Friendship Association and appears to be hosted in the Netherlands.
It’s impossible to know who is really behind the attacks, but judging by Twitter messages the cyber call to arms appears to have attracted a small group of people.
The attacks began several hours after state-run Korean Central News Agency (KCNA) said “From this moment, the north-south relations will be put at the state of war and all the issues arousing between the north and the south will be dealt with according to the wartime regulations.”
The statement is the latest in an increasingly hard line of rhetoric from the DPRK. The last few days have seen North Korea directly threaten to attack the United States and its military bases while the U.S. has flexed its muscle by overflying South Korea with a B-52 and B-2 bomber.
Despite the heightening tensions, many observers don’t expect the DPRK to follow through with its threats and many again believe any such attack would attract a swift and hard response by South Korean and/or U.S. forces.
Several South Korean websites that specialize in reporting on North Korean issues were hit by cyber attackers on Tuesday, they said late the same day.
Daily NK and Free North Korea Radio both confirmed the attacks in articles posted on their sites. They were said to begin at 2pm local time (0500 UTC) and resulted in the sites being unavailable for some time.
“The attack was aimed at databases and was designed to blow away the entire system. Based on this, we can say that their target was clearly pre-ordained and the aim was to completely incapacitate it,” the Daily NK said in an article on its site.
Access to both sites has since been restored.
The Daily NK also reported that the websites of NKnet and NK Intellectuals Solidarity were attacked. The former is currently online but the latter cannot be accessed.
The attacks came on the third anniversary of the sinking of the South Korean corvette Cheonan. The ship broke in two and sank near the maritime border with North Korea, causing the deaths of 40 sailors and leaving six missing and presumed dead. North Korea denied involvement but an international investigation said the Cheonan sank after being hit with a torpedo fired from a North Korean submarine.
They are the latest in a recent series of cyber attacks and incidents in the two countries.
North Korea’s Internet connection was severely disrupted for almost two days from March 13 to March 15. The country’s state-run news agency, KCNA, accused the U.S. and its allies of launching an attack, but little evidence was provided or has been found to determine exactly what happened.
Then last week an estimated 26,000 PCs at three major South Korean TV broadcasters and three banks were hit by malicious software that wiped their hard disk drives. South Korean investigators are still looking into the attacks and have yet to determine their source.
The site previously required users to use the player to hear its audio clips posted online, but that’s no longer the case.
Users can now listen with Flash, and that opens the audio up for the first time to Mac and Linux users. It also means that Windows users who were uneasy about downloading a North Korean software package onto their computers can now listen to the audio.
Users don’t have to download the linked Flash package. Flash can be downloaded from Adobe, but is probably already present in most computers.
I don’t visit every day, so I’m unsure exactly when the change was made, but the proprietary player was there in early February. I know because I asked a security expert to scan it for malware. At the time it was being identified by some anti-virus packages as malicious, but an in-depth security scan revealed no problems. It was likely a false positive, I was told.
Investigators looking into last week’s cyber attack on South Korean banks and broadcasters have reportedly found more IP (Internet Protocol) addresses linked to the attacks, but one security expert I spoke to said that might mean nothing.
The National Police Agency said it has traced some of the malicious code to addresses in the United States and three European countries, according to Yonhap. No further details were released by the NPA.
The news comes after investigators last week publicly announced a Chinese address as linked to the attack, but then withdrew the accusation a day later. It turned out the address was correct and, when used on the global Internet, it was located in China, but in the context of this attack it was being reused by Nonghyup Bank on its internal network.
The attacks hit at 2pm on March 20 and resulted in an estimated 32,000 machines at three broadcasters, KBS, MBC and YTN, and three banks, Kookmin Bank, Nonghyup Bank and Jeju Bank, being hit. The contents of the hard disk drives on many of the machines were wiped clean.
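The mix-up described above can be caught by checking an address against the organization's own address plan before looking it up in a public registry. The following is an added example, not from the original article or the investigation; the inventory, host names and addresses are constructed, with documentation ranges standing in for real public address space.

```python
import ipaddress

# RFC 1918 private ranges, listed explicitly so the result does not depend on
# how a given Python version defines ip.is_private.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory (assumption): ranges a hypothetical organization uses
# on its internal network. 203.0.113.0/24 stands in for globally registered
# space that is being reused internally, as in the case described above.
INTERNAL_INVENTORY = {
    "10.20.0.0/16": "branch LAN",
    "203.0.113.0/24": "server segment (reused public space)",
}

def classify_source(addr, inventory=INTERNAL_INVENTORY):
    """Return (scope, note) for an address found in internal evidence."""
    ip = ipaddress.ip_address(addr)
    # Check the organization's own address plan first: an internal match wins
    # even when the same range is registered to someone else on the Internet.
    for cidr, label in inventory.items():
        if ip in ipaddress.ip_network(cidr):
            reused = not any(ip in net for net in RFC1918)
            return ("internal-reused-public" if reused else "internal"), label
    if any(ip in net for net in RFC1918):
        return "private-unlisted", "private range missing from inventory"
    return "external", "registry/geolocation lookup is meaningful"

def triage(log_lines):
    """Parse constructed 'host src=<ip>' lines and classify each source."""
    results = {}
    for line in log_lines:
        host, _, src = line.partition(" src=")
        results[host] = classify_source(src.strip())[0]
    return results

# Constructed sample evidence, not taken from the investigation.
SAMPLE = [
    "pc-0141 src=203.0.113.45",
    "pc-0207 src=10.20.3.9",
    "pc-0330 src=198.51.100.7",
    "pc-0412 src=192.168.1.5",
]

if __name__ == "__main__":
    for host, scope in triage(SAMPLE).items():
        print(host, scope)
```

Only addresses classified as `external` are worth a registry or geolocation lookup; an `internal-reused-public` result means the public registration says nothing about where the traffic came from.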
Part of the investigation is centered on discovering the source — especially a smoking-gun link to many people’s favorite suspect: North Korea — but it’s so far come up empty.
That’s because tracing the source of a cyber attack is really difficult, if not impossible, said Brian Laing, vice president of marketing and business development at AhnLab’s office in Silicon Valley.
“It varies depending on the level of attacker,” said Laing, who said he has been involved in the technical side of cyber security since the 1990s.
Sometimes the IP address can directly locate a hacker, said Laing. He once found a hacker based at a university computer lab thanks to the address, but only because the hacker was directly accessing the server without routing his traffic through other machines or using obfuscation techniques. In that case, he was able to determine the precise terminal in the lab that was being used.
Today, though, it’s often much tougher.
“Most of the time, people are going through a network of owned machines or they are bouncing [their data traffic] off various proxies and in and out of the Tor network, so it can be very difficult to ultimately trace it back to an IP address,” he said.
Proxy servers work as intermediate relays for traffic while the Tor network is a global system for anonymizing traffic. Tor makes it all but impossible to discover the ultimate source of an attack.
The highly anonymous nature of Tor makes it popular with dissidents and people in authoritarian countries, but it’s also popular with hackers and those involved in illegal activities.
Laing said it doesn’t take a state-sponsored hacker to execute an anonymous attack these days. Often the software involved can be downloaded from hacker web sites.
“You’ve got multiple stories of kids downloading various botnet access, infecting small numbers of machines and then infecting other networks. You don’t even need an organization behind you,” said Laing.
So chasing IP addresses, if the attackers are clever, could be an exercise in futility.
But there are other ways to identify a hacker, or at least get an idea of who they are.
“You break down the code and see certain things in the code that tie back to the individual,” he said.
The software code will sometimes provide clues such as snippets of a certain language, styles of writing code or pieces reused from other attacks. All of those can help build up a profile of the author.
The increasing number of anonymous attacks and those launched for financial gain marks a big change in the threat landscape.
“I liken it to graffiti,” he said.
“Graffiti started and still is an art form, but it has devolved into people tagging their names wherever they can. Cyber attacking is the opposite. It was people blasting things out and defacing websites to gain standing and recognition, but now attackers are lying in wait and trying to remain undetected.”