North Korea, China, hacktivists and script kiddies have all been blamed as officials and security researchers scramble to identify who crippled three South Korean banks and TV stations.

South Korea Cyber Attacks
An investigator entering the Cyber Terror Response Center of the Korean National Police Agency is reflected on a window in Seoul March 21, 2013. (Credit: Reuters)

At 2pm local time on Wednesday computers at South Korean television broadcasters KBS, MBC and YTN along with Shinhan, Nonghyup and Jeju banks ground to a halt, as malware installed on the systems meant they were unable to boot up properly.

While the TV stations were able to remain on air, the attack did affect online banking and the ATM networks of the banks involved.

The link between those who were attacked was not immediately obvious but the ISP who provides services to at least some of the organisations involved, LG U+, said it believed its networks had been attacked.

Considering the on-going tensions present on the Korean Penninsula, it was hardly surprising to hear North Korea named almost immediately as the primary suspect in these attacks.

South Korean news agency Yonhap reports on Thursday that the South Korean government is maintaining its belief that a state-sponsored attack from North Korea remains the most plausible explanation.

"[The government] is closely analysing the incident with all possibilities open, while bearing a strong suspicion that North Korea conducted the attack," said a high-ranking official of the presidential office Cheong Wa Dae who declined to be identified.

This is despite the Korea Communications Commission (KCC) earlier on Thursday confirming that part of the malicious code came from a Chinese Internet Protocol (IP) address. Yonhap says that some experts have pointed out that North Korea has used Chinese IP addresses previously in attacks on the South as a way of diverting attention.

The attackers, who go under the handle 'Whois Team' left the message below on the computers of some of the affected systems, highlighting the fact that a Wiper-style malware had been used to erase all the information on the affected computers' hard disks.

Whois Team attack on South Korea
The message left on some of the hacked computers at South Korean TV networks and banks on Wednesday.

Since the attack was carried out, security experts have been analysing the malware and the origin of the attacks in an to attempt to elicit some more information:


Previous state-sponsored cyber-attacks such as Stuxnet, Duqu and Flame have all used highly sophisticated pieces of software. In contrast, the malware used in this attack, dubbed DarkSoeul by Sophos, "is not particularly sophisticated" according to Graham Cluley, senior technology consultant.

Cluley goes on to say that Sophos' systems have been able to detect the malware for nearly a year, and the various commands embedded in the malicious code have not been obfuscated.

"For this reason, it's hard to jump to the immediate conclusion that this was necessarily evidence of a 'cyber-warfare' attack coming from North Korea."


On its Securelist blog, Kaspersky's global research and analysis team come to the conclusion that no matter who was behind the attack, this was an act of cyber-terrorism:"

"In general, if the attacks target critical infrastructure, they can be considered cyber-terrorism. According to the definition of critical infrastructure, banks can be considered as such, therefore this counts as a cyber-terrorism attack."

However the blog goes on the discuss the nature of the attack, saying it was clearly designed to be "loud" whereas one of the main attributes of previous state-sponsored cyber-attacks like Stuxnet and Flame was their ability to function under the radar of those being attacked.

"This makes us think we are not dealing with a serious, determined adversary but script kiddies or hacktivists looking for quick fame," Kaspersky concludes.


As well as finding out who was behind the attack, one of the major questions remaining to be answered is how the attackers accessed the systems of the banks and TV networks invloved.

AlienVault Labs' Jaime Blasco has written some more detailed analysis of the attack and has uncovered one possible and highly plausible route the attackers may have taken.

The researchers at AlienVault, armed with some of the files names associated with this attack, decided to search for other pieces of malware that could generate those filenames and were related to South Korea.

Following a trail of infected domains, they concluded that hundreds of South Korean websites are pointing to a Chinese exploit kit called GonDad, with thousands of users compromised and becoming part of a botnet.

Blasco says that if the people behind the attack had access to this botnet, it would have been relatively easy for them to gain access to the computer systems at the TV stations and banks.

"[The attackers] could have gained access to hundreds if not thousands of South Korean systems and could have chosen which of the compromised systems were in interesting companies. Then they could manually upload another payload to each of the systems and the could have performed lateral movement to own the network. Once they are in the network they can easily execute the wiping payload."

Blasco points out that while the malware and exploit kit involved seem to come from China, he warns that "the attackers could have bought/rent [them] on the black market."


While these security companies have attempted to analyse the attacks and draw their own conclusions about who carried out the attacks, the fact remains that we simply don't know. Many other security experts are remaining tight-lipped, refusing to speculate on who is behind the attacks without some more concrete evidence.

While more information is likely to emerge in the coming days or weeks, we may never know definitively who was behind this attack on South Korean banks and TV stations.

However with tensions on the Korean peninsula escalating, and cyber-attacks becoming more and more sophisticated, it is unlikely to be the last attack we hear about this year.