Since the first large scale distributed denial-of-service (DDoS) attack in July 2009, the South Korean government has consistently accused North Korea of being the culprit behind other incidents. Specifically, it cites as responsible a hacking and cyber-warfare unit established in 2009 at the Reconnaissance General Bureau of the North Korean National Defense Commission.
In South Korea, the Korea Internet & Security Agency, the National Police Agency’s Cyber Terror Response Center and the National Intelligence Service blamed North Korea for five attacks:
· March 4, 2011: DDoS attacks target eight bank and securities firm websites, six commercial web portals, and thirty-five government websites, including the president’s office, National Intelligence Service, Ministry of National Defense, National Police Agency, and United States Forces Korea.
· April 12, 2011: Malicious code is inserted into the internal network of the National Agricultural Cooperative Federation, destroying servers and disrupting online services for two weeks.
· June 9, 2012: JoongAng Daily News has its website defaced and malicious code uploaded to the typesetting system for newspaper production with a stolen ID, delaying publication of the newspaper for the day.
· March 30, 2013: Malicious code is inserted into the networks of three banks and three major media corporations by “WhoIs” hackers, destroying the hard disk drives of 32,000 computers. Four or five days are needed to achieve a full recovery.
· June 25, 2013: DDoS attacks are launched against the websites of the president’s office, National Intelligence Service, and ruling party. Personal information of website users is leaked, together with data on U.S. and Korean soldiers. Seven hours are needed to recover from the DDoS.
Yet there is evidence to suggest that the South Korean government has jumped to an early conclusion in some cases, given its routine “naming and shaming” of North Korea as part of the ongoing tensions. That leaves open the possibility that the real perpetrators are escaping undetected while the focus of attention remains on Kim Jong-un’s hacker unit. It is important to realize that politically motivated threats are not just external; South Korea has its own internal political dissidents.
Questionable Government Investigation
The South Korean government offers two main reasons why North Korea is behind the cyber attacks in recent years. First, domestic and foreign IP addresses known to be used by North Korea were discovered, along with malicious code attributed to North Korea. The foreign IP addresses are located in China, which lent them to the North Korean government. Pyongyang borrows servers because of its lack of Internet infrastructure and strict controls over the domestic Internet environment. However, these are not definitive indicators of guilt. The average teenage hacker is capable of obfuscating or spoofing an IP address, or copying malicious code from other hackers who have shared it via hacking forums or other sources. Moreover, hackers rarely use their own computers; to avoid detection, they use the computers of others, which they control by inserting malware.