
In 2013, there were two major sets of cyberattacks on South Korean targets attributed to elements within North Korea.


March

On 20 March 2013, six South Korean organizations suffered from a suspected cyberwarfare attack. The organizations included three media companies (KBS, MBC, & YTN) and three financial institutions (The National Agricultural Cooperative Federation, Shinhan Bank, & Jeju Bank). The South Korean communications watchdog, the Korea Communications Commission, raised its alert level on cyber-attacks to three on a scale of five. North Korea has been blamed for similar attacks in 2009 and 2011 and was suspected of launching this attack as well. This attack also came at a period of elevated tensions between the two Koreas, following Pyongyang’s nuclear test on 12 February. South Korean officials linked the incident to a Chinese IP address, which increased suspicion of North Korea as “intelligence experts believe that North Korea routinely uses Chinese computer addresses to hide its cyber-attacks.” It was later revealed that the IP address did not originate from China but from the internal network of one of the attacked organizations. The attacks on all six organizations originated from a single entity. The networks were attacked with malicious code, rather than with distributed denial-of-service (DDoS) attacks as suspected at the beginning. The malware appeared to have used only hard drive overwrites. This cyberattack “damaged 32,000 computers and servers of media and financial companies.” The Financial Services Commission of South Korea said that Shinhan Bank reported that its Internet banking servers had been temporarily blocked and that and NongHyup reported that operations at some of their branches had been paralyzed after computers were infected with viruses and their files erased. Woori Bank reported a hacking attack, but said it had suffered no damage. This cyberattack “caused US$750 million in economic damage alone. (Feakin 2013)” Also, “the frequency of cyber attacks by North Korea and rampant cyber espionage activities attributed to China are of great concern to the South Korean government. (Lewis 2013)”


June

The June 25 cyber terror is an information leak that occurred on June 25, 2013, and targeted Cheongwadae and other institutions. The hacker that caused this incident admitted that the information of 2.5 million Saenuri Party members, 300,000 soldiers, 100,000 Cheongwadae homepage users and 40,000 United States Forces Korea members had been leaked. There were apparent hacking attacks on government websites. The incident happened on the 63rd anniversary of the start of the 1950-53 Korean War, which was a war that divided the Korean peninsula. Because the Blue House’s website was hacked, the personal information of a total of 220,000 people who used the “Cheong Wa Dae” website, including 100,000 ordinary citizens and 20,000 military personnel, was compromised. The website of the office for Government Policy Co-ordination and some media servers were affected as well. While multiple attacks were organized by multiple perpetrators, one of the distributed denial-of-service (DDoS) attacks against the South Korean government websites was directly linked to the “DarkSeoul” gang and Trojan.Castov. Malware related to the attack is called "DarkSeoul" in the computer world and was first identified in 2012. It has contributed to multiple previous high-profile attacks against South Korea.


Timeline

At approximately 9:10 AM on June 25, 2013, websites including the Cheongwadae website, major government institution websites and news sites became victims of website defacement, DDoS, information theft and other such attacks. When connecting to the Cheongwadae homepage, words such as 'The great Kim Jong-un governor' and 'All hail the unified chairman Kim Jong-un! Until our demands are met our attacks will continue. Greet us. We are anonymous' would appear with a photo of president Park Geun-hye. The government changed the status of cyber danger to 'noteworthy' at 10:45 AM on June 25, then changed it to 'warning' at 3:40 PM. Cheongwadae uploaded an apology on June 28. The Ministry of Science, ICT and Future Planning revealed on July 16 that both the March and June incidents corresponded with past hacking methods used by North Korea. However, the attacked targets include a Japanese Korean Central News Agency site and major North Korean anti-South websites, and the hackers also announced that they would release information on approximately 20 high-ranked North Korean army officers, along with countless pieces of information on North Korean weaponry.


Response

Following the hacking in June, there was further speculation that North Korea was responsible for the attacks. Investigators found that “an IP address used in the attack matched one used in previous hacking attempts by Pyongyang.” Park Jae-moon, a former director-general at the Ministry of Science, ICT and Future Planning, said, “82 malignant codes collected from the damaged devices and internet addresses used for the attack, as well as the North Korea's previous hacking patterns," proved that "the hacking methods were the same" as those used in the 20 March cyber attacks. With this incident, the Korean government publicly announced that it would take charge of the “Cyber Terror Response Control Tower” and that, along with different ministries, the National Intelligence Service (NIS) would be responsible for building a comprehensive response system using the “National Cyber Security Measures.” The South Korean government asserted a Pyongyang link in the March cyberattacks, which has been denied by Pyongyang. A 50-year-old South Korean man identified as Mr. Kim is suspected to be involved in the attack.


Appearance in the South Korean National Geographic

The South Korean National Geographic published cyber terror as one of the top 10 keywords of 2013 due to these attacks.


Measures

* The government formed a joint civil-government-military cyber crisis response headquarters.
* Security companies such as AhnLab and Hauri are implementing emergency updates to their products or distributing dedicated vaccines to detect the malware that causes the problems. The detection names given by each company are as follows:
  * AhnLab - Win-Trojan/Agent.24576.JPF (JPG, JPH), Dropper/Eraser.427520
  * INCA Internet - ApcRunCmd.exe : Trojan/W32.Agent.24576.EAN / Othdown.exe : Trojan/W32.Agent.24576.EAO
  * Hauri - ApcRunCmd.exe : Trojan.Win32.U.KillMBR.24576 / Othdown.exe : Trojan.Win32.U.KillMBR.24576.A
  * Symantec - Trojan.Jokra
  * Sophos - Mal/EncPk-ACE (aka "DarkSeoul")


See also

* 2009 DDoS attacks against South Korea
* Bureau 121
* Lazarus Group

