Posts tagged OpNorthKorea
Tuesday’s series of denial of service attacks on major North Korean websites caused delays and frustration for legitimate users but doesn’t appear to have been as large or successful as the first round of attacks in late March and early April this year.
Analysis by NorthKoreaTech.org of data related to the attacks shows the so-called “OpNorthKorea” mission was most successful during its first few hours and then appeared to slowly tail off.
Denial of service attacks involve firing off requests for pages to websites. If enough requests can be sent, the site ends up overloaded and no one gets anything. Success of such an attack requires no hacking of the site itself, just enough people running attack software programs to overload the sites.
The remnants of the attack remain in slow load times for some sites, indicating some hackers are probably still targeting North Korean web servers but many have stopped.
Overall, the severity is much reduced from the last round, when global attention was focused on North Korea as it issued daily threats against South Korea and the United States.
The Attack Begins
There was some confusion over the precise starting time of the attack due to an error converting between local time and UTC/GMT.
#OpNorthKorea – 6/25 GMT 03 AM
12AM in Korean time.
03:00 UTC/GMT is actually 12pm local time, not midnight.
The targets of the attack were listed in an online file that was based on The North Korean Website List that resides on this site.
— Anonymous (@Anonsj) June 25, 2013
The start of the attacks appears to have triggered a couple of outages on the North Korean Internet, as can be seen in this graphic from Internet monitoring company Renesys. The first occurred at 3am local time and the second at just before 6am local time.
Korea Central News Agency (KCNA) and Rodong Sinmun in the DPRK, Choson Sinbo in Japan, the China-based Uriminzokkiri and the European-based Korea-DPR website of the Korea Friendship Association were among the main targets of the attacks.
But how successful were they?
Twitter began filling with “Tango Down” messages — signifying a website has been taken down — soon after the attacks began.
— Anonymous (@Anonsj) June 25, 2013
Were the sites really down, or just down for some users?
Frank Feinstein, who runs the KCNA Watch service, set up a page to track the success of attempts to connect to a host of North Korean related sites.
“While I don’t dispute the attacks have been successful, Anonymous have claimed many more sites to be ‘completely offline’ when they aren’t,” he said in comments to North Korea Tech. “I’m not sure how thorough they are with their checks but my data is often different from theirs.”
Feinstein runs several thousand proxy servers to repeatedly hit the KCNA website and grab the latest stories for his site. He used those to survey KCNA and a handful of other websites.
“Interestingly kcna.kp is not behaving very differently from the past weeks access logs. It seems to be standing up better than a lot of others,” he said. “From the selected North Korean sites I monitored, chosonsinbo.com was ‘down’ for a period of two hours, uriminzokkiri and ryugyongclip were also taken out.”
Uriminzokkiri was the target of a hack in April that resulted in details on the site’s 15,000 users being published on the Internet.
“kcna.kp was ‘totally unresponsive’ for less than 0.1 percent of the 24-hour period we have been monitoring it, which is within the margin of error,” he said. “Other sites have responded more strongly.”
Feinstein’s data, shown below, indicates an average response rate of around 40 percent during much of the attack period. At some points it dipped below 10 percent for the sites being monitored.
For just the KCNA website, Feinstein’s monitoring showed a response rate of just 6 percent over the last 24 hours for his 1,214 attempts to grab content. If those numbers are representative of the average Internet user, that means many didn’t manage to connect to KCNA. To them, the site would have appeared down.
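The monitoring figures above mix two different measurements: the share of connection attempts that succeed, and the share of time a site answers nobody at all. The following added example (not Feinstein's or North Korea Tech's code) separates the two when aggregating probe results; the record layout, hostnames, thresholds and sample data are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    minute: int    # minutes since the start of the monitoring window
    site: str
    vantage: str   # which vantage point (e.g. proxy) made the attempt
    ok: bool       # True if a complete response came back


def summarize(probes, bucket_minutes=60, min_samples=3, healthy_rate=0.9):
    """Per site: overall response rate and the time buckets with zero successes."""
    per_site = defaultdict(lambda: defaultdict(list))
    for p in probes:
        per_site[p.site][p.minute // bucket_minutes].append(p.ok)

    report = {}
    for site, buckets in per_site.items():
        attempts = sum(len(results) for results in buckets.values())
        successes = sum(sum(results) for results in buckets.values())
        rate = successes / attempts
        # Only judge buckets with enough attempts; one failed probe is not an outage.
        judged = {b: r for b, r in buckets.items() if len(r) >= min_samples}
        dead = sorted(b for b, r in judged.items() if not any(r))
        if dead:
            status = "outage windows"   # nobody got through in at least one bucket
        elif rate < healthy_rate:
            status = "degraded"         # some users always got through
        else:
            status = "healthy"
        report[site] = {
            "attempts": attempts,
            "response_rate": rate,
            "dead_buckets": dead,
            "unresponsive_share": len(dead) / len(judged) if judged else None,
            "status": status,
        }
    return report


def constructed_probes():
    """Constructed sample: 24 hours, 10 vantage points, one probe each per hour."""
    probes = []
    for hour in range(24):
        for v in range(10):
            minute = hour * 60 + v * 6
            vantage = f"vp{v}"
            # Overloaded all day: exactly one vantage point gets through each hour.
            probes.append(Probe(minute, "degraded.example", vantage, v == hour % 10))
            # Hard down for the first two hours, normal afterwards.
            probes.append(Probe(minute, "outage.example", vantage, hour >= 2))
            probes.append(Probe(minute, "healthy.example", vantage, True))
    return probes


if __name__ == "__main__":
    for site, row in sorted(summarize(constructed_probes()).items()):
        print(f"{site:18} rate={row['response_rate']:.1%} "
              f"dead_hours={row['dead_buckets']} status={row['status']}")
```

In the constructed data the site with the lowest response rate is never totally unresponsive, while the site with a high overall rate has a two-hour window in which no vantage point connected.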
North Korea’s Internet Connection
Ever since the DPRK first opened its connection to the Internet in 2010, the servers in Pyongyang have maintained their link with the rest of the world via China Unicom. About a year after its first connection, the DPRK added a backup route via satellite and things stayed the same until a couple of months ago.
Then, a third connection appeared via China Unicom Hong Kong. It appeared shortly after the April round of hacking attacks and the easy assumption was that it’s meant to help mitigate the attacks by providing another way for its servers to connect with users around the world.
Then, a couple of weeks before the long-planned June 25 attacks, it disappeared.
There’s no way of knowing why it appeared, just as there is no way of knowing why it was first added, but the original assumptions at least appear to be incorrect.
Here again is a graph from Renesys showing North Korea’s connection to the global Internet. The Intelsat connection (grey) disappeared around March this year. The China Unicom HK connection is shown in green.
The previously announced June 25 attack on North Korean websites by hackers working under the “Anonymous” name took an unexpected turn on Tuesday when several South Korean sites were hit with attacks. The actions coincided with the release of what hackers said were stolen files on American military personnel.
The North Korean attack did start as scheduled and appears to have been initially successful. Most major North Korean websites are either inaccessible or difficult to access, indicating they are being hit by a denial of service attack. This involves overwhelming a web server with requests so it gets tied up and bona fide traffic doesn’t get through.
The Anonymous hackers had chosen June 25 because it’s the anniversary of the start of the Korean War. The plans had been announced a couple of months in advance and North Korea’s state-run news agency, KCNA, even ran a commentary over the weekend attacking their plans and rubbishing the group.
North Korean military documents
As part of the build-up to Tuesday’s attack, Anonymous said it had gained access to North Korea’s internal intranet system and stolen documents. The claim was met with skepticism and Anonymous said it would make a partial release of documents on Tuesday.
As of time of writing, that has not happened.
Confusion at start of attack
Perhaps a sign of the chaotic nature of the Anonymous hacker collective came shortly after the attacks got underway at midnight local time in Korea. One of the first targets turned out to be one of the most vocal Anonymous members on Twitter.
His own site was hit with a denial of service attack.
A follow up message indicated it had been the result of a mix-up, and a fellow Anonymous hacker had misunderstood the nature of the site.
Blue House Attack
For part of the day, the website of the South Korean president’s office, the Blue House, was defaced.
A YouTube user posting under the name “Bondra James” in a freshly created account uploaded a 2-minute video that appears to show the attack on the Blue House website taking place. A large “Anonymous” watermark covers part of the screen.
The computer being used in the video is named “AnonAR” and the user is employing a toolkit called “w3b_avtix.”
The toolkit apparently contains software to gain access to websites because within about 20 seconds of running the software, the attacker appears to be inside the South Korean president’s website. [Update: The video has been removed from YouTube as a violation of its policy on depiction of harmful activities.]
Other reports said attacks had hit the sites of broadcasters KBS and YTN, although they appear to have been recovered.
The attacks even reached outside of the Korean peninsula. Although the reason is unclear, OpNorthKorea hackers attacked a government website for Zibo City, a provincial city in Shandong, China.
US Military Lists
Coinciding with the attacks, several files containing personal data were uploaded to text-sharing websites, which allow users to post text messages anonymously.
Several files contained what appear to be the personnel records of members of the U.S. Army’s 3rd Marine Division, 25th Infantry Division and 1st Cavalry Division. The records contain a name, date of birth, rank, social security number and other information related to their service.
Together, the records appear to detail some 7,500 persons, but none of the dates on any of the records in the three files is later than 2009, so the lists could be old.
Also posted were a list of hundreds of names and birthdates claimed to be of Korean military members, user names and login details for accounts on the Blue House website and names, cell phone numbers and more for members of the ruling Saenuri party.
The veracity of all of the information could not be immediately confirmed.
(more to come)
Members of the international hacking collective Anonymous look set to launch a planned cyber attack on North Korean Internet properties at midnight local Korean time on Monday night.
The group has also promised to make public some details of documents gained from a claimed attack on North Korean internal servers.
In messages posted to Twitter on Monday, Anonymous members indicated the countdown for the next stage in their “OpNorthKorea” series of attacks is unchanged.
The exact nature of the attacks is not known, but Anonymous typically uses denial of service attacks. These involve flooding web servers with requests for pages — so many requests that the servers become overloaded and are difficult or impossible to load for bona fide users.
Denial of service attacks are different from hacks in that they don’t involve breaking into the web server and making any changes to the site.
The June 25 date, which marks the anniversary of the start of the Korean War, first came up in April when Anonymous last launched a round of attacks on North Korea. The action resulted in several major North Korean websites being offline for days.
Most were hit with denial of service attacks but at least one high-profile target was hacked. Uriminzokkiri, a China-based website that carries a large amount of North Korean media and propaganda, was broken into and details on its 15,000 users were posted on the Internet.
Among the Internet postings ahead of the attacks was an image of a mourner in front of the sarcophagus of Kim Jong Il. The image had been altered to give the mourner a Guy Fawkes mask, which is one of the most recognized symbols used by Anonymous members.
Ahead of the planned attack, North Korean state media launched a stinging attack on Anonymous.
The full text is currently difficult to access on the KCNA website, either because it’s already being attacked or because of controls put on connections by North Korea. Here’s the full text of the KCNA commentary:
Pyongyang, June 21 (KCNA) — The international hacking group Anonymous is letting loose a string of rubbish regarding the DPRK as the goal of cyber attack.
It announced that it would conduct hacking attack called “operation for infiltrating into interior of the north” with June 25 as an occasion and calculates this would help shake the social system in the DPRK.
Anonymous made up of riff-raffs dares hurt the social system of the DPRK, not content with doing bad things to demonstrate its technology.
This provokes side-splitting laughter.
It singled out the DPRK, a focus of world attention, as a target of cyber terrorism in a bid to have Anonymous, a target of world criticism, recognized by the world.
It hacked into open servers of the DPRK without any secret data by use of poor hacking programs.
And now it is busy describing it as a sort of big technological feat.
What merits a more serious attention is that the U.S. and South Korean puppet forces are joining Anonymous in cyber terrorism as they are keen to isolate and stifle the DPRK politically, militarily and economically and carry out ideological and cultural poisoning operations against the DPRK.
It is by no means fortuitous that South Korean conservative media including Chosun Ilbo and Choongang Ilbo are echoing the anti-DPRK misinformation floated by those betes noires doing everything dirty.
The above-said facts indicate that Anonymous is not a simple hacking group making cyber attack for fun but political servants and an international terrorist group of forces hostile to the DPRK wire-pulled by the U.S. and South Korean intelligence service behind the scene.
Anonymous, in fact, knows nothing about the DPRK.
The Network Kwangmyong Anonymous claimed hacked into it does not exist in the DPRK.
Nevertheless, it is misleading the world public opinion, creating impression that it discovered a sort of top secret on the basis of poor information provided by the U.S. and its puppet South Korean information organs by stealth.
Anonymous abuses IT, which should serve as a powerful means for developing human civilization, as a weapon for terrorism against a specified state.
This is a grave political provocation infringing upon the sovereignty and dignity of an independent country and an open challenge to the international community desirous of using everything created by modern science for independent development of countries and nations and welfare of humankind.
It is nothing but a charade for human scum of Anonymous to try to do harm to the social system in the DPRK as such group is not entitled to remain in the age of IT.
The world will clearly see what bitter cup of setback the Anonymous and other hostile forces behind it will have to drink.
The Korean Central News Agency (KCNA) has attacked claims by international hacker collective Anonymous that it managed to steal North Korean military secrets from computer servers. The attack came in a commentary on Friday, just days before Anonymous plans to launch a cyber-attack on North Korean websites.
Earlier this week, a Twitter user claiming to represent Anonymous hackers said the group had managed to infiltrate North Korean servers on the country’s domestic intranet and access sensitive information.
“We completed several attacks on your internal Websites and inside your local intranets,” the group said in a message posted to the Pastebin website, which allows users to post text messages without revealing their personal details.
“Previously we said we would penetrate the intranet and private networks of North Korea. And we were successful,” the message said.
“Your major missile documentation and residents, military documents show down is already in progress. Your attempt to cover this has been uncovered. We are partially sharing this information with the world.”
The veracity of the Anonymous claim is difficult to ascertain. The group has yet to post a single piece of information that could have been gained in an attack on North Korean servers and it seems unlikely that military secrets would be stored on servers accessible from the controlled but open domestic intranet.
But whether it’s managed to infiltrate domestic servers or not, its threat of an attack on June 25 certainly has the attention of KCNA.
“The international hacking group Anonymous is letting loose a string of rubbish regarding the DPRK as the goal of cyber attack,” the state-run news agency said in the commentary.
“It announced that it would conduct hacking attack called ‘operation for infiltrating into interior of the north’ with June 25 as an occasion and calculates this would help shake the social system in the DPRK. Anonymous made up of riff-raffs dares hurt the social system of the DPRK, not content with doing bad things to demonstrate its technology. This provokes side-splitting laughter.”
The commentary is classic KCNA. First rubbish your opponent, then rubbish its claims.
Last time Anonymous turned its attention towards North Korea, the result wasn’t pretty. The country’s major websites — including that of KCNA — were inaccessible for days and the 15,000-member user database of Uriminzokkiri, a China-based site with close DPRK ties, was published.
Apparently referencing that hack, KCNA said:
“It hacked into open servers of the DPRK without any secret data by use of poor hacking programs. And now it is busy describing it as a sort of big technological feat.”
It’s probably safe to say that if North Korea didn’t have the full attention of Anonymous hackers, it does now.
KCNA went on to claim the Kwangmyong domestic intranet doesn’t exist.
“Anonymous, in fact, knows nothing about the DPRK. The Network Kwangmyong Anonymous claimed hacked into it does not exist in the DPRK.”
North Korea’s domestic intranet has been well-documented and well-reported, both in the North Korean media and by outsiders who have used it within the country, so its existence isn’t in doubt.
Could there perhaps be confusion over the name? Is KCNA denying its existence on a technicality?
In 2002, KCNA reported on the development of the “Kwangmyong” system:
“In recent years it developed an information retrieval system Kwangmyong and established a computer network for science and technology to make a variety of information service.” — KCNA, “DPRK Central Information Agency for Science and Technology,” August 13, 2002.
And a year earlier The People’s Korea, a Tokyo-based English-language newspaper published by the DPRK-aligned Chosen Soren, reported on the Kwangmyong network too.
A Twitter user claiming to speak on behalf of the Anonymous hacker collective says members of the group have succeeded in breaking into North Korean computer servers and stealing military documents.
“Previously we said we would penetrate the intranet and private networks of North Korea. And we were successful,” the group wrote in a news release posted on Pastebin, a website that allows anonymous posting of text documents.
“Your major missile documentation and residents, military documents show down is already in progress. Your attempt to cover this has been uncovered. We are partially sharing this information with the world,” the message read.
The claim is impossible to independently verify and to date the group has shared none of the information it claims to have obtained from its hacking activities. Nor did it clearly explain how it managed to penetrate North Korean military computer systems.
Hackers made references to accessing the domestic Kwangmyong intranet system, but a link from that system to a military computer network handling state secrets would represent a big hole in network security if it existed.
An additional Twitter message posted a screenshot of a web page from the domestic Kwangmyong intranet system but, as NKNews first discovered, the screenshot dates back to at least 2006 when it accompanied a South Korean newspaper story.
The claims of infiltration come just days before a long-planned attack on North Korean Internet sites is due to take place. Anonymous hackers have been threatening for the last couple of months to mount a denial of service attack on North Korean sites from midnight local time in Pyongyang on June 25.
The group’s last coordinated round of attacks effectively removed the websites from the Internet by deluging them with so much traffic that legitimate users were unable to connect.
The group also posted this video:
A weekend attack on North Korean websites staged by members of the Anonymous hacker group appears to have caused some problems for the sites.
Connections to several major Pyongyang-based sites, including the Korean Central News Agency and Voice of Korea, were slow although successful in several tests done in the first few hours of the coordinated attack, which began at 1am GMT on Sunday.
Those results are in contrast to a previous series of attacks that took the sites offline for days. That difference was acknowledged by an Anonymous Korea Twitter message:
North Korea has reconfigured its Internet connection since the last round of major attacks. Previously its Internet servers were connected to the rest of the Internet via only two links: a link to China Unicom and a back-up satellite connection. Now a third link, to China Unicom Hong Kong, has been added.
It’s not clear if the difference in effectiveness this time around was due to the smaller scale of the attack or the new connection.
Since before this weekend’s attacks, Anonymous hackers have been promising a large campaign against North Korean sites on June 25, which is the anniversary of the start of the Korean War.
Members of the Anonymous hacking group say they are planning to re-launch attacks on North Korean websites from Sunday. [Updated. See below.]
In messages posted to Twitter, several Anonymous members said the “#OpNorthKorea” attacks would resume on May 12 from 1am GMT, which is 10am Pyongyang time.
OpNorthKorea first began in late March, shortly after North Korean media said relations between it and South Korea were “at a state of war.” It took the form of a distributed denial of service (DDoS) attack, which involves flooding a website with so many requests for data that it becomes overloaded.
The attacks were successful in taking several major Pyongyang-based websites offline including Naenara, Korean Central News Agency, Air Koryo and Voice of Korea.
This next round of attacks is targeted at all websites that are run from Pyongyang, according to Twitter messages.
Missing from the Twitter list is Uriminzokkiri, the China-based site that hosts official media and produces its own propaganda.
Uriminzokkiri was hacked by Anonymous resulting in the defacing of its website and the leaking of names, addresses and email addresses of its 15,000 members.
In reaction to the hacking, Uriminzokkiri claimed that South Korea’s government and in particular the National Intelligence Service was actually behind the attack. There’s no evidence that is the case, but it does fit in with the North’s propaganda aims of blaming such incidents on the government of the South.
After the previous attacks, North Korea was seen to adjust its national connection to the Internet, adding a new link to China Unicom’s network in Hong Kong.
The connection appears to be an attempt to mitigate the DDoS attacks, but whether it works or not won’t be known until Sunday’s attacks begin.
North Korea Tech has a widget on the right-hand side of the home page that indicates whether major North Korean websites are online or offline.
Anonymous had previously said it would relaunch attacks on June 25, which is the day in 1950 when the Korean War began.
A hit list of North Korean sites was also published, but it appeared to be based on an out-of-date list. Several of the sites listed have not been in operation for several years.
Seconds after this story ran, and apparently by coincidence, the Anonymous hacker listed above posted a Twitter message including Uriminzokkiri and other China-based websites.
An unidentified Internet user posting under the name of the Anonymous hacking collective has published a “hit list” of North Korean websites.
The list is said to be related to a coordinated attack that hackers appear to be planning for June 25. The action is part of “OpNorthKorea,” which previously took sites in North Korea and China offline in a series of distributed denial of service attacks.
The source of the list is unclear but it’s somewhat out of date. Some of the addresses on the list were previously used by North Korean-related websites, but are no longer active.
One of the sites listed, DKLotto.com, was an Internet-based lottery site run by a North Korean group in China but hasn’t been online for almost ten years. The address appears to have been picked up by a Japanese spam site related to credit card payments.
It’s unclear what will happen on June 25, but it appears at least some hackers will target North Korean websites. Other lists making the rounds on the Internet are based on the North Korean Website List on this site, which is more up to date.
Here are the sites from the list:
Naenara (http://www.kcckp.net/ko/, http://www.naenara.kp/ko/)
Place of Love for the Nation (http://www.krsrt.com)
Sili Bank (http://www.silibank.com)
Uriminzokkiri (http://www.uriminzokkiri.com)
Independence, Peace, Great National Unity (http://www.members.fortunecity.com/ym2)
Korean American National Coordinating Council (http://www.kancc.org)
Association for the Peaceful Reunification of the Fatherland (http://www.jpth.net)
Fatherland Reunification 21 (http://www.tongil21.com)
Korean Stamps (China) (http://www.dprk-stamp.com)
Korean Music (http://www.big.or.jp/~jrldr/)
Korean Publications (http://www.dprk-book.com)
Songs of Korea (http://www.dprkoreamusic.com)
Korea Network (http://www.worldcorea.net)
Korea Book Center (Japan) (http://www.krbook.net)
Unification Studies Institute (http://www.onekorea.org)