
South fingers North in March cyberattacks

South Korea’s government has concluded the March 20 cyberattacks that hit three of the country’s TV broadcasters and three of its banks were launched by attackers linked to the North Korean government.

The attacks began at 2pm local time on March 20 and caused the complete deletion of data on hard disk drives in roughly 48,000 personal computers inside broadcasters KBS, MBC and YTN, and the Shinhan, Nonghyup and Jeju Banks.

North Korean hackers were suspected almost immediately, although, unusually, the government in Seoul wasn’t quick to point its finger. Officials launched an investigation, and it was the preliminary conclusions of that work that were announced on Wednesday.

The main evidence appears to be the use of several Internet addresses either in North Korea or used in attacks blamed on the country in the past, and the re-use of software code from previous attacks.

Yonhap News quoted Lee Seung-won, an official at the Ministry of Science, ICT & Future Planning, as saying, “An analysis of cyber terror access logs, malicious code and North Korean intelligence showed that the attack methods were similar to those used by the North’s Reconnaissance General Bureau, which has led hacking attacks against South Korea.”

The investigation uncovered more than 1,500 intrusions into the local networks of the affected companies from six computers since June 2012, indicating the attack was planned for some time.

Of 76 pieces of malware used in various parts of the attack, a number were seen in attacks tied to North Korea in the past. Yonhap put that number at 18 while AP reported 30.

The attacks came after North Korea suffered almost two days of Internet connectivity problems. While the country came out and blamed the U.S. and its allies for the glitches, it’s still unclear whether the problems were the result of a hack or technical problems.

In recent days the country’s handful of websites have come under attack from hackers acting under the umbrella of “Anonymous.” They launched denial of service attacks against several of the most important state-run websites and broke into Uriminzokkiri, a leading North Korean propaganda portal that is based in China. This latter attack included the defacement of several sister websites, intrusion into the site’s Twitter and Flickr channels and the leaking of 15,000 user details.