North Korea-based hackers breached more than 140,000 computers of South Korean government agencies and firms, and allegedly planted malicious software in the systems. The hack, which was intended to lay the groundwork for a massive, coordinated cyberattack, has been thwarted, authorities in Seoul said.
The South Korean police reportedly teamed up with companies and other government agencies to disable the malware and prevent it from spreading, heading off what could have become a large-scale cyberattack.
The IP address from which the hack originated has been traced to North Korea. The breach targeted the network management software used by approximately 160 companies and government agencies in South Korea. Moreover, the IP address from which the hack was initiated appeared to be the same one used in a 2013 cyberattack on banks and TV stations in South Korea.
In the 20 March 2013 cyberattack, the hard drives of as many as 30,000 computers at Shinhan Bank, Jeju Bank, Nonghyup Bank, Munhwa Broadcasting Corporation, YTN and the Korea Broadcasting System (KBS) were wiped.
Meanwhile, Guillaume Lovet, threat response manager for cybersecurity firm Fortinet, said, "In examining some of the code for the malware responsible for the attack, we've found that it refers to a RAT – a remote access tool. That's not a phrase a normal virus writer would use. That's more like a professional. My feeling is that the author of this is not a typical virus writer. So it could be a government-led attack."
The South Korean police's cyber investigation unit said that the hacking actually commenced in 2014 but was detected only in February this year, after Pyongyang stole information from two companies, the SK and Hanjin groups. The investigation unit said, "There is a high possibility that the North aimed to cause confusion on a national scale by launching a simultaneous attack after securing many targets of cyber terror, or intended to continuously steal industrial and military secrets."
In the latest hack, documents stolen from the two companies included blueprints of the wings of F-15 fighter jets, an official at the cyber investigation unit told Reuters. Of the 42,000 documents stolen in total, around 40,000 were defence-related.
However, a defence ministry official said that the stolen documents were not classified and that there had been no security breach. A spokesperson at SK Holdings said that four group affiliates were affected by the hack.
South Korea has been on alert to fend off any cyberattack emanating from North Korea, especially after the country successfully tested a miniaturised hydrogen bomb in January 2016.