Investigators have traced a co-ordinated cyber attack that paralysed tens of thousands of computers at six South Korean banks and media companies to a Chinese internet protocol address, but it is still unclear who orchestrated the attack, authorities in Seoul said.
The discovery did not erase suspicions that North Korea was to blame. An IP address can provide an important clue as to the location of an internet-connected computer but can easily be manipulated by hackers operating anywhere in the world. The investigation into Wednesday’s attack could take weeks.
Only one of the six targets, Shinhan Bank, was back online and operating regularly. It could be next week before the other companies have fully recovered.
North Korea has threatened Seoul and Washington in recent days over UN sanctions imposed for its Feb 12 nuclear test, and over ongoing US-South Korean military drills. It also threatened revenge after blaming Seoul and Washington for an internet shutdown that disrupted its own network last week.
North Korea “will never remain a passive onlooker to the enemies’ cyber attacks”, state media said last week.
“The US and its allies should be held wholly accountable for the ensuing consequences.”
The cyber attack did not affect South Korea’s government, military, or infrastructure, and there were no initial reports that customers’ bank records were compromised.
But it disabled scores of cash machines across the country, disrupting commerce in this tech-savvy country, and renewed questions about South Korea’s internet security and vulnerability to hackers.
The attack disabled some 32,000 computers at broadcasters YTN, MBC, and KBS, as well as three banks. Many of the computers were still down last night, but the broadcasters said their programming was never affected, and all ATMs were back online except for those at 16 branches belonging to Nonghyup Bank.
The attack may also have extended to the US. The website of the US-based Committee for Human Rights in North Korea was also hacked, with reports on satellite imagery of North Korean prison camps and policy recommendations to the US government deleted from the site, according to executive director Greg Scarlatoiu.
The initial findings from South Korean investigators were based on results from an investigation into one target, Nonghyup Bank. The investigation is continuing into the shutdown at the five other firms.
A malicious code that spread through the Nonghyup server was traced to an IP address in China, said Cho Kyeong-sik, a spokesman for the state-run Korea Communications Commission. Regulators said all six attacks appeared to come from “a single organisation”.
The Chinese IP address identified by the South Korean communications regulator belongs to internet services company, Beijing Teletron Telecom Engineering, according to the website tracking and verification service Whois. A woman who answered the telephone number listed on Beijing Teletron’s website denied the company was involved in the hack. She refused to identify herself or provide further information.
Beijing Teletron operates fibre-optic networks and provides internet services. It is the seventh-largest host of IP addresses in China. A subsidiary of the Shanghai-listed Dr Peng Telecom and Media Group, Beijing Teletron’s clients include government agencies and state media: the foreign ministry, the State Council Information Office, and People’s Daily, the Communist Party’s flagship news-paper.
Wednesday’s cyber attack does not fit the mould of previous attacks blamed on China. Chinese hacking, either from Beijing’s cyber-warfare command or freelance hackers, tends to be aimed at collecting intelligence and intellectual property — not simply at disrupting commerce.
© Irish Examiner Ltd. All rights reserved