Attacks/Breaches
6/25/2013
10:46 AM
50%
50%

Anonymous Attacks North Korea, Denies Targeting South

Groups claiming to represent Anonymous launch separate DDoS attacks and defacements against both North and South Korean websites.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
Government websites in both North Korea and South Korea have been targeted by attackers claiming to be operating under the banner of the Anonymous hacktivist collective. But are elements of the group behind both sets of attacks?

The online attacks against South Korean websites began Tuesday morning, local time, on the anniversary of the start of the Korean War (1950-'53). Targeted sites included the country's presidential office (known as Cheong Wa Dae or the Blue House), other government agencies as well as media groups, reported South Korean news agency Yonhap.

"It is verified that not only Cheong Wa Dae and the Prime Minister's office but also some media outlets were hacked," an official at the National Police Agency's cyber terror response team told Yonhap. "It seems that a massive cyber attack has started."

One of the hacked sites contained the following defacement: "Great leader Kim Jong-un," referring to the leader of the North Korean regime, which is based in Pyongyang. For a 10-minute period, another defacement included a picture of South Korean president Park Geun-hye with the following message: "We Are Anonymous. We Are Legion. We Do Not Forgive. We Do Not Forget. Expect Us."

[ This isn't the first time North Korean websites have been targeted. Read Anonymous Takes Down North Korean Websites. ]

South Korean government officials said none of the attacks had hacked into the country's military networks, and that they had yet to identify the attackers. But official Anonymous channels have denied having any involvement in the attacks. "We didn't Hack any #SouthKorea websites," announced the Japanese branch of Anonymous Tuesday in a tweet.

The obvious culprit in the attacks would be North Korea. A wiper malware attack against multiple South Korean banks and broadcasters in March 2013 that erased 48,000 hard drives, for example, was traced to a Pyongyang-based attacker. Previous online attacks against South Korean sites, in 2009 and 2011, were also traced to Pyongyang.

If North Korea did launch the most recent attacks, it may have been a preemptive move before planned Anonymous attacks, which began as scheduled Tuesday. The attacks were announced last week as part of the ongoing Anonymous "#OpNorthKorea" campaign. A list of targets published via Pastebin included multiple North Korean government websites, the official North Korean News Agency, airline Air Koryo and numerous businesses.

Anonymous recommended that attackers employ such distributed denial-of-service (DDoS) attack tools as Slow Loris for Python and Windows, the Low-Orbit Ion Canon, and what the group dubbed the "OWASP Layer 7 DDOS Tool."

As part of Tuesday's attacks, "independent penetration tester" JokerCracker, along with AnonymousTjTeam (aka Anonymous Tijuana), claimed via Twitter to have defaced more than 270 North Korean government website pages.

In a statement addressed "to the tyrants of the North Korean government," Anonymous repeated its demand for Kim Jong-un to step down. "The only power you have are missiles and nuclear," it said. "We are more powerful than that. You cannot destroy ideas with missiles."

According to an attack FAQ published in April, as part of #OpNorthKorea, Anonymous has claimed to be working with small cells in North Korea to create a "ninja gateway" that would bridge the country's quite small Internet -- known as "Kwangmyong" -- with the Internet at large.

Meanwhile, earlier this month Anonymous claimed to have completed the ninja gateway and to have infiltrated multiple North Korean sites. "We completed [several] attacks on your internal websites and inside your local intranets," read a statement released by Anonymous. None of those claims have been verified, but the group promised to release related documents Tuesday.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3971
Published: 2014-12-25
The CmdAuthenticate::_authenticateX509 function in db/commands/authentication_commands.cpp in mongod in MongoDB 2.6.x before 2.6.2 allows remote attackers to cause a denial of service (daemon crash) by attempting authentication with an invalid X.509 client certificate.

CVE-2014-7193
Published: 2014-12-25
The Crumb plugin before 3.0.0 for Node.js does not properly restrict token access in situations where a hapi route handler has CORS enabled, which allows remote attackers to obtain sensitive information, and potentially obtain the ability to spoof requests to non-CORS routes, via a crafted web site ...

CVE-2004-2771
Published: 2014-12-24
The expand function in fio.c in Heirloom mailx 12.5 and earlier and BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an email address.

CVE-2014-3569
Published: 2014-12-24
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshak...

CVE-2014-4322
Published: 2014-12-24
drivers/misc/qseecom.c in the QSEECOM driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain offset, length, and base values within an ioctl call, which allows attackers to gain privileges or c...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.