Law enforcement in South Korea probing a cyberattack against a leading online marketplace has accused hackers affiliated with North Korea of orchestrating the incident that led to the compromise of more than 10 million customer records.
Cyber police in the region, now investigating a hack against an Amazon-like shopping website called Interpark, reportedly traced a number of Internet Protocol (IP) addresses and malware samples to previously known North Korean cybercriminals, suggesting involvement of the reclusive regime.
Police said the malicious samples were "identical" to those used by similar hackers in the past, but provided little technical evidence to back up such assertions.
On 22 July, Interpark first became aware its systems had been infiltrated and that names, addresses and phone numbers of roughly 10.3 million customers had been stolen two months earlier.
Police said the culprits, whose identities remain unknown, sent emails to Interpark executives demanding a ransom totalling three billion South Korean won (£2,025, $2,664) in bitcoin, an anonymising cryptocurrency, for the stolen customer data.
As first reported by The Korea Herald, the extortion emails reportedly included vocabulary used only in the North, another sign cited as evidence of North Korean involvement. From a cybersecurity standpoint, however, such language is easy to plant.
Interpark, which was the first major e-commerce firm to operate in South Korea after launching in 1996, has issued an apology to its customers impacted by the cyberattack.
"The hackers first gained access to an employee's computer, and identified email patterns that were familiar to the employee before sending an email that contained the malware (and) opening a back door, which is why the employee was fooled," a spokesperson told the Korea Herald.
Meanwhile, an official statement issued by the firm – which mentions an "advanced persistent threat" – stated: "On July 11, Interpark became aware that some of our users' information had been stolen by a hacker group through an advanced persistent threat attack, and reported the hack to the police the next day."
However, it took a further two weeks for the firm to disclose the hack to its customers, a move it has been roundly criticised for. The spokesperson said this was because Interpark and law enforcement "wanted to prevent the hackers from erasing their tracks or going underground as long as possible [...] once the leak was reported by the press, we decided to apologise to our customers right away."
The North Korean regime has always been a curious nation-state when it comes to hacking and cybersecurity. While not all experts are in agreement with the assessment, the FBI concluded that it was directly involved with the hack of Sony Pictures in 2014.
Furthermore, its dedicated hacking division, also known as Bureau 121, is reportedly being increasingly deployed to spy on or sabotage the nation's enemies.
One former member, Jang Se-yul, speaking to Reuters, said the government-backed hackers are considered the "elite of the military". The division is believed to consist of roughly 2,000 employees. "For them, the strongest weapon is cyber. In North Korea, it's called the Secret War," Jang said.