South Korean broadcasters and banks were hit with a cyber attack at 2 PM local time on Wednesday, temporarily taking down computers inside companies like Shinhan Bank, Nonghyup Bank, Munhwa Broadcasting Corp., Yonhap Television News and Korea Broadcasting System.
According to media reports, computers inside those companies failed to boot after the attack, instead displaying an image of three skulls with the message "hacked by Whois Team."
Reuters reported late Wednesday night (South Korean time) that the attacker likely penetrated the companies' networks through their internet service providers. One of those ISPs, LG Uplus, has said it believes its own network was hacked shortly before the attacks on the companies.
The malware, which is already being called DarkSeoul, reportedly damaged nearly 32,000 servers across the country.
In an initial assessment of the malware, the computer security firm Sophos identified it as Mal/EncPk-ACE and described it as "not particularly sophisticated." In fact, the company said its products had been able to detect the malware for over a year, and that the attackers had not tried to obfuscate "the various commands in the malicious."
That said, tracing the origin of the attack is likely to prove difficult. Just hours ago South Korean officials announced that the malware had been traced to an IP address in China, with Park Jae-moon of South Korea's communications regulator telling reporters: "Unidentified hackers used a Chinese IP address to contact servers of the six affected organizations and plant the malware which attacked their computers."
Park quickly added that this fact revealed little about the location or identity of the attacker, who could be routing the attack through IP addresses in other countries. "At this stage, we're still making our best efforts to trace the origin of attacks, keeping all kinds of possibilities open," Park said.
North Korea almost certainly tops the list of those possibilities. Pyongyang is believed to be behind at least two prior large cyber attacks on South Korea in 2009 and 2011.
Scott Snyder of the Council on Foreign Relations told The Diplomat in an email that, although authorities do not yet know who was behind the attacks, Pyongyang's successful asymmetric provocations usually share three characteristics: an element of surprise, ambiguity in attribution, and difficulty of responding proportionately without further escalating hostilities.
Speaking of Wednesday's cyber attacks, Snyder added, "This sort of attack would fulfill those characteristics; what remains is the question of whether there is proof that North Korea was behind it."
Zachary Keck is assistant editor of The Diplomat. He is on Twitter: @ZacharyKeck.