Attacks/Breaches
6/25/2013
10:46 AM
Connect Directly
RSS
E-Mail
50%
50%

Anonymous Attacks North Korea, Denies Targeting South

Groups claiming to represent Anonymous launch separate DDoS attacks and defacements against both North and South Korean websites.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
Government websites in both North Korea and South Korea have been targeted by attackers claiming to be operating under the banner of the Anonymous hacktivist collective. But are elements of the group behind both sets of attacks?

The online attacks against South Korean websites began Tuesday morning, local time, on the anniversary of the start of the Korean War (1950-'53). Targeted sites included the country's presidential office (known as Cheong Wa Dae or the Blue House), other government agencies as well as media groups, reported South Korean news agency Yonhap.

"It is verified that not only Cheong Wa Dae and the Prime Minister's office but also some media outlets were hacked," an official at the National Police Agency's cyber terror response team told Yonhap. "It seems that a massive cyber attack has started."

One of the hacked sites contained the following defacement: "Great leader Kim Jong-un," referring to the leader of the North Korean regime, which is based in Pyongyang. For a 10-minute period, another defacement included a picture of South Korean president Park Geun-hye with the following message: "We Are Anonymous. We Are Legion. We Do Not Forgive. We Do Not Forget. Expect Us."

[ This isn't the first time North Korean websites have been targeted. Read Anonymous Takes Down North Korean Websites. ]

South Korean government officials said none of the attacks had hacked into the country's military networks, and that they had yet to identify the attackers. But official Anonymous channels have denied having any involvement in the attacks. "We didn't Hack any #SouthKorea websites," announced the Japanese branch of Anonymous Tuesday in a tweet.

The obvious culprit in the attacks would be North Korea. A wiper malware attack against multiple South Korean banks and broadcasters in March 2013 that erased 48,000 hard drives, for example, was traced to a Pyongyang-based attacker. Previous online attacks against South Korean sites, in 2009 and 2011, were also traced to Pyongyang.

If North Korea did launch the most recent attacks, it may have been a preemptive move before planned Anonymous attacks, which began as scheduled Tuesday. The attacks were announced last week as part of the ongoing Anonymous "#OpNorthKorea" campaign. A list of targets published via Pastebin included multiple North Korean government websites, the official North Korean News Agency, airline Air Koryo and numerous businesses.

Anonymous recommended that attackers employ such distributed denial-of-service (DDoS) attack tools as Slow Loris for Python and Windows, the Low-Orbit Ion Canon, and what the group dubbed the "OWASP Layer 7 DDOS Tool."

As part of Tuesday's attacks, "independent penetration tester" JokerCracker, along with AnonymousTjTeam (aka Anonymous Tijuana), claimed via Twitter to have defaced more than 270 North Korean government website pages.

In a statement addressed "to the tyrants of the North Korean government," Anonymous repeated its demand for Kim Jong-un to step down. "The only power you have are missiles and nuclear," it said. "We are more powerful than that. You cannot destroy ideas with missiles."

According to an attack FAQ published in April, as part of #OpNorthKorea, Anonymous has claimed to be working with small cells in North Korea to create a "ninja gateway" that would bridge the country's quite small Internet -- known as "Kwangmyong" -- with the Internet at large.

Meanwhile, earlier this month Anonymous claimed to have completed the ninja gateway and to have infiltrated multiple North Korean sites. "We completed [several] attacks on your internal websites and inside your local intranets," read a statement released by Anonymous. None of those claims have been verified, but the group promised to release related documents Tuesday.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-4988
Published: 2014-07-09
Heap-based buffer overflow in the xjpegls.dll (aka JLS, JPEG-LS, or JPEG lossless) format plugin in XnView 1.99 and 1.99.1 allows remote attackers to execute arbitrary code via a crafted JLS image file.

CVE-2014-0207
Published: 2014-07-09
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0537
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-0539
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-3309
Published: 2014-07-09
The NTP implementation in Cisco IOS and IOS XE does not properly support use of the access-group command for a "deny all" configuration, which allows remote attackers to bypass intended restrictions on time synchronization via a standard query, aka Bug ID CSCuj66318.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.