North Korea’s top military agency was behind the series of cyber attacks against South Korean broadcasters and financial institutions that took place March 20-26, the Seoul government announced Wednesday.
The Ministry of Science, ICT and Future Planning said its initial investigation found that the attacks were masterminded by the Reconnaissance General Bureau, Pyongyang’s premier intelligence body that is reported to be overseeing the operations of a special elite unit consisting of thousands of cyber warfare experts.
(Photo: The Cyber Terror Response Center at the Korean National Police Agency. Yonhap News)
Citing a large number of similarities between the March attacks and previous incidents carried out by North Korea, the joint response team said that Pyongyang was the most likely mastermind behind the incident.
The team, consisting of government, military and civilian organizations, also said that those responsible appeared to have implanted the codes used in the attack as many as eight months ago.
“The attacker gained control of personal computers or server computers within the target organizations at least eight months ago,” the ministry said. The ministry also announced that the government would hold a cyber security conference on Thursday as part of efforts to establish tougher cyber defenses against future attacks.
“After maintaining monitoring activities, (the attackers) sent out the command to delete data stored in the server, and distributed malware to individual computers through the central server.”
On March 20, the websites and internal networks of broadcasters KBS, MBC and YTN, and three financial institutions including Shinhan Bank and Nonghyup, experienced malfunctions due to malware that originated from overseas.
Less than a week later, attacks were carried out against North Korea-related organizations and those operated by conservative groups, resulting in their data being deleted.
The investigation has shown that more than 30 of the 76 different types of code collected from equipment affected or involved in last month’s attack were identical to those used in previous attacks.
In addition, 22 of the 49 internet protocol addresses involved in the attack were the same as those used in cyber attacks carried out by North Korea since 2009, the Science Ministry said.
The investigators also said that at least six computers located within North Korea accessed the financial institutions’ computer systems on 1,590 occasions since June 28, 2012.
Over the period, the North Korean hackers spread malware and extracted information stored in the affected computers.
By Choi He-suk