Massive Data-Deleting Attack Hits South Korean Banks, Broadcasters
A photo tweeted March 20, 2013, from Seoul, South Korea, showing a message on a computer screen indicating that the computer's operating system has been deleted.
CREDIT: Luke Cleary/Twitter
South Korea's banks and broadcasters were hit today (March 20) by a massive, destructive cyberattack that some blamed on North Korean hackers. However, there's evidence that a group of amateurs may be involved.
The government-owned Korean Broadcasting System, the commercial Munhwa Broadcasting Corporation and the news channel YTN were all attacked, as were Shinhan Bank, the oldest bank in Korea, and the agricultural cooperative-run Nonghyup Bank.
The attacks occurred at a time of growing tension on the Korean peninsula. A month ago, North Korea tested a nuclear weapon. Earlier this month, Pyongyang unilaterally revoked the 1953 armistice agreement that ended the Korean War and threatened to attack the United States.
"We do not rule out the possibility of North Korea being involved, but it's premature to say so," a Korean Defense Ministry spokesman told reporters, according to Agence France-Presse.
The attack was much worse than a regular distributed denial-of-service (DDoS) assault on websites, which results in little damage. Instead, many affected computer systems had their files or operating systems deleted, rendering them inoperable.
Luke Cleary, an American reporter and producer at KBS World Radio, tweeted a photo of a computer screen reading, "BootDevice Not Found. Please install an operating system on your hard disk."
A hacking crew calling itself Whois Team claimed responsibility for the attacks, posting a video on a defaced website owned by the South Korean LG conglomerate.
"We have an interest in hacking," read a message scrolling on the video. "This is the beginning of our movement. User accounts and all data are in our hands. Unfortunately, We have deleted your data. We'll be back soon. See you again."
Experts at the Russian anti-virus firm Kaspersky Lab suspected that the attackers used a variant of the Shamoon worm, which damaged thousands of computers at the Saudi Aramco oil firm in August 2012. Shamoon may itself be a variation of Wiper, another worm that damaged computers at the Iranian oil ministry in the spring of 2012.
Experts researching Wiper in May 2012 stumbled across Flame, a super-sophisticated spyware package that had existed in the wild for at least five years and which may be the work of American intelligence agencies.
North Korean hackers have been blamed for numerous attacks on South Korean systems in the past few years, and it is thought Pyongyang has a special military unit set aside for such purposes.