Groups claiming to represent Anonymous launch separate DDoS attacks and defacements against both North and South Korean websites.

Mathew J. Schwartz, Contributor

June 25, 2013

3 Min Read

Anonymous: 10 Things We Have Learned In 2013

Anonymous: 10 Things We Have Learned In 2013


Anonymous: 10 Things We Have Learned In 2013 (click image for larger view and for slideshow)

Government websites in both North Korea and South Korea have been targeted by attackers claiming to be operating under the banner of the Anonymous hacktivist collective. But are elements of the group behind both sets of attacks?

The online attacks against South Korean websites began Tuesday morning, local time, on the anniversary of the start of the Korean War (1950-'53). Targeted sites included the country's presidential office (known as Cheong Wa Dae or the Blue House), other government agencies as well as media groups, reported South Korean news agency Yonhap.

"It is verified that not only Cheong Wa Dae and the Prime Minister's office but also some media outlets were hacked," an official at the National Police Agency's cyber terror response team told Yonhap. "It seems that a massive cyber attack has started."

One of the hacked sites contained the following defacement: "Great leader Kim Jong-un," referring to the leader of the North Korean regime, which is based in Pyongyang. For a 10-minute period, another defacement included a picture of South Korean president Park Geun-hye with the following message: "We Are Anonymous. We Are Legion. We Do Not Forgive. We Do Not Forget. Expect Us."

[ This isn't the first time North Korean websites have been targeted. Read Anonymous Takes Down North Korean Websites. ]

South Korean government officials said none of the attacks had hacked into the country's military networks, and that they had yet to identify the attackers. But official Anonymous channels have denied having any involvement in the attacks. "We didn't Hack any #SouthKorea websites," announced the Japanese branch of Anonymous Tuesday in a tweet.

The obvious culprit in the attacks would be North Korea. A wiper malware attack against multiple South Korean banks and broadcasters in March 2013 that erased 48,000 hard drives, for example, was traced to a Pyongyang-based attacker. Previous online attacks against South Korean sites, in 2009 and 2011, were also traced to Pyongyang.

If North Korea did launch the most recent attacks, it may have been a preemptive move before planned Anonymous attacks, which began as scheduled Tuesday. The attacks were announced last week as part of the ongoing Anonymous "#OpNorthKorea" campaign. A list of targets published via Pastebin included multiple North Korean government websites, the official North Korean News Agency, airline Air Koryo and numerous businesses.

Anonymous recommended that attackers employ such distributed denial-of-service (DDoS) attack tools as Slow Loris for Python and Windows, the Low-Orbit Ion Canon, and what the group dubbed the "OWASP Layer 7 DDOS Tool."

As part of Tuesday's attacks, "independent penetration tester" JokerCracker, along with AnonymousTjTeam (aka Anonymous Tijuana), claimed via Twitter to have defaced more than 270 North Korean government website pages.

In a statement addressed "to the tyrants of the North Korean government," Anonymous repeated its demand for Kim Jong-un to step down. "The only power you have are missiles and nuclear," it said. "We are more powerful than that. You cannot destroy ideas with missiles."

According to an attack FAQ published in April, as part of #OpNorthKorea, Anonymous has claimed to be working with small cells in North Korea to create a "ninja gateway" that would bridge the country's quite small Internet -- known as "Kwangmyong" -- with the Internet at large.

Meanwhile, earlier this month Anonymous claimed to have completed the ninja gateway and to have infiltrated multiple North Korean sites. "We completed [several] attacks on your internal websites and inside your local intranets," read a statement released by Anonymous. None of those claims have been verified, but the group promised to release related documents Tuesday.

About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights