Attacks/Breaches
6/25/2013
10:46 AM
50%
50%

Anonymous Attacks North Korea, Denies Targeting South

Groups claiming to represent Anonymous launch separate DDoS attacks and defacements against both North and South Korean websites.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
Government websites in both North Korea and South Korea have been targeted by attackers claiming to be operating under the banner of the Anonymous hacktivist collective. But are elements of the group behind both sets of attacks?

The online attacks against South Korean websites began Tuesday morning, local time, on the anniversary of the start of the Korean War (1950-'53). Targeted sites included the country's presidential office (known as Cheong Wa Dae or the Blue House), other government agencies as well as media groups, reported South Korean news agency Yonhap.

"It is verified that not only Cheong Wa Dae and the Prime Minister's office but also some media outlets were hacked," an official at the National Police Agency's cyber terror response team told Yonhap. "It seems that a massive cyber attack has started."

One of the hacked sites contained the following defacement: "Great leader Kim Jong-un," referring to the leader of the North Korean regime, which is based in Pyongyang. For a 10-minute period, another defacement included a picture of South Korean president Park Geun-hye with the following message: "We Are Anonymous. We Are Legion. We Do Not Forgive. We Do Not Forget. Expect Us."

[ This isn't the first time North Korean websites have been targeted. Read Anonymous Takes Down North Korean Websites. ]

South Korean government officials said none of the attacks had hacked into the country's military networks, and that they had yet to identify the attackers. But official Anonymous channels have denied having any involvement in the attacks. "We didn't Hack any #SouthKorea websites," announced the Japanese branch of Anonymous Tuesday in a tweet.

The obvious culprit in the attacks would be North Korea. A wiper malware attack against multiple South Korean banks and broadcasters in March 2013 that erased 48,000 hard drives, for example, was traced to a Pyongyang-based attacker. Previous online attacks against South Korean sites, in 2009 and 2011, were also traced to Pyongyang.

If North Korea did launch the most recent attacks, it may have been a preemptive move before planned Anonymous attacks, which began as scheduled Tuesday. The attacks were announced last week as part of the ongoing Anonymous "#OpNorthKorea" campaign. A list of targets published via Pastebin included multiple North Korean government websites, the official North Korean News Agency, airline Air Koryo and numerous businesses.

Anonymous recommended that attackers employ such distributed denial-of-service (DDoS) attack tools as Slow Loris for Python and Windows, the Low-Orbit Ion Canon, and what the group dubbed the "OWASP Layer 7 DDOS Tool."

As part of Tuesday's attacks, "independent penetration tester" JokerCracker, along with AnonymousTjTeam (aka Anonymous Tijuana), claimed via Twitter to have defaced more than 270 North Korean government website pages.

In a statement addressed "to the tyrants of the North Korean government," Anonymous repeated its demand for Kim Jong-un to step down. "The only power you have are missiles and nuclear," it said. "We are more powerful than that. You cannot destroy ideas with missiles."

According to an attack FAQ published in April, as part of #OpNorthKorea, Anonymous has claimed to be working with small cells in North Korea to create a "ninja gateway" that would bridge the country's quite small Internet -- known as "Kwangmyong" -- with the Internet at large.

Meanwhile, earlier this month Anonymous claimed to have completed the ninja gateway and to have infiltrated multiple North Korean sites. "We completed [several] attacks on your internal websites and inside your local intranets," read a statement released by Anonymous. None of those claims have been verified, but the group promised to release related documents Tuesday.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8917
Published: 2015-01-28
Multiple cross-site scripting (XSS) vulnerabilities in (1) dojox/form/resources/uploader.swf (aka upload.swf), (2) dojox/form/resources/fileuploader.swf (aka fileupload.swf), (3) dojox/av/resources/audio.swf, and (4) dojox/av/resources/video.swf in the IBM Dojo Toolkit, as used in IBM Social Media A...

CVE-2014-8920
Published: 2015-01-28
Buffer overflow in the Data Transfer Program in IBM i Access 5770-XE1 5R4, 6.1, and 7.1 on Windows allows local users to gain privileges via unspecified vectors.

CVE-2015-0235
Published: 2015-01-28
Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."

CVE-2015-0312
Published: 2015-01-28
Double free vulnerability in Adobe Flash Player before 13.0.0.264 and 14.x through 16.x before 16.0.0.296 on Windows and OS X and before 11.2.202.440 on Linux allows attackers to execute arbitrary code via unspecified vectors.

CVE-2015-0581
Published: 2015-01-28
The XML parser in Cisco Prime Service Catalog before 10.1 allows remote authenticated users to read arbitrary files or cause a denial of service (CPU and memory consumption) via an external entity declaration in conjunction with an entity reference, as demonstrated by reading private keys, related t...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If youíre a security professional, youíve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.