Herald Media


Seoul tightens inquiry into cyber attacks


2010-03-30 16:30

Police are investigating last week's cyber attacks that severely slowed or disrupted dozens of South Korean government and business websites, amid rumors that North Korean hackers orchestrated them.

Key South Korean websites that came under attack included the presidential office, the Ministries of Defense and Foreign Affairs, commercial banks and a major newspaper. By Saturday, all those sites were back up and running normally.

The so-called "distributed denial-of-service" attacks direct massive numbers of computers to a single site simultaneously, causing the server to break down.

The police said yesterday that they had begun examining the hard disks of 21 "zombie computers" that were infected with the malicious code and collected from the Seoul area.



"We believe we have secured enough zombie computers necessary for cross-analyzing the internet websites they visited, files they downloaded and e-mails exchanged," a Seoul police official said.

Once the police find the website that distributed the malicious code, they plan to track down the hackers responsible for the DDoS attacks from there.

The police are also looking for traces of the hackers on the hard disks of four "update servers" that the infected computers automatically connected to in order to download the malicious code.

The police confirmed earlier that the update servers were found at 86 IP addresses in 17 countries and that five of them were in South Korea.

The one remaining server in Korea is technically untraceable, the police explained.

The police are also examining the log-in records of the attacked websites.

The nation's telecom regulator, the Korea Communications Commission, said the DDoS attack traffic fell to a tenth after 6 p.m. on Friday, allowing most websites to return to normal. The KCC blocked five Internet addresses found to have distributed the malicious code.

The police and the National Intelligence Service said they have no hard evidence that North Korea launched the cyber attacks on 36 South Korean websites, including the presidential office of Cheong Wa Dae, for three days starting on Tuesday.

The NIS said, however, that there is ample circumstantial evidence that points to North Korean involvement in the attacks.

"A thorough investigation is under way to find out concrete evidence that the North is responsible for the attacks," the intelligence agency said in a statement, adding that it has yet to make a final conclusion.

Earlier, the spy agency was quoted as reporting to the ruling Grand National Party that it has obtained a North Korean document ordering its military hacking unit to "destroy" the South's communication networks.

"The NIS obtained a document in which North Korea ordered on June 7 a hacking unit, 'Number 100,' under the wing of the General Staff of the People's Army, to destroy the South's 'puppet communication networks,'" a GNP official said after the meeting with the intelligence agency.

In the purported document, North Korea also ordered its military to develop hacking programs that conceal the identity of the attackers, according to the party official.

In a closed-door meeting with the National Assembly's information committee members a day earlier, the intelligence agency also pointed the finger at North Korea but did not present any concrete evidence, according to Park Young-sun, a lawmaker from the main opposition Democratic Party.

Another GNP official reportedly said that the IP of a North Korean surnamed Yoon under NIS surveillance was suspected of being used for the cyber attacks.

(sophie@heraldm.com)



By Kim So-hyun


