Attacks/Breaches
6/25/2013
10:46 AM
50%
50%

Anonymous Attacks North Korea, Denies Targeting South

Groups claiming to represent Anonymous launch separate DDoS attacks and defacements against both North and South Korean websites.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
Government websites in both North Korea and South Korea have been targeted by attackers claiming to be operating under the banner of the Anonymous hacktivist collective. But are elements of the group behind both sets of attacks?

The online attacks against South Korean websites began Tuesday morning, local time, on the anniversary of the start of the Korean War (1950-'53). Targeted sites included the country's presidential office (known as Cheong Wa Dae or the Blue House), other government agencies as well as media groups, reported South Korean news agency Yonhap.

"It is verified that not only Cheong Wa Dae and the Prime Minister's office but also some media outlets were hacked," an official at the National Police Agency's cyber terror response team told Yonhap. "It seems that a massive cyber attack has started."

One of the hacked sites contained the following defacement: "Great leader Kim Jong-un," referring to the leader of the North Korean regime, which is based in Pyongyang. For a 10-minute period, another defacement included a picture of South Korean president Park Geun-hye with the following message: "We Are Anonymous. We Are Legion. We Do Not Forgive. We Do Not Forget. Expect Us."

[ This isn't the first time North Korean websites have been targeted. Read Anonymous Takes Down North Korean Websites. ]

South Korean government officials said none of the attacks had hacked into the country's military networks, and that they had yet to identify the attackers. But official Anonymous channels have denied having any involvement in the attacks. "We didn't Hack any #SouthKorea websites," announced the Japanese branch of Anonymous Tuesday in a tweet.

The obvious culprit in the attacks would be North Korea. A wiper malware attack against multiple South Korean banks and broadcasters in March 2013 that erased 48,000 hard drives, for example, was traced to a Pyongyang-based attacker. Previous online attacks against South Korean sites, in 2009 and 2011, were also traced to Pyongyang.

If North Korea did launch the most recent attacks, it may have been a preemptive move before planned Anonymous attacks, which began as scheduled Tuesday. The attacks were announced last week as part of the ongoing Anonymous "#OpNorthKorea" campaign. A list of targets published via Pastebin included multiple North Korean government websites, the official North Korean News Agency, airline Air Koryo and numerous businesses.

Anonymous recommended that attackers employ such distributed denial-of-service (DDoS) attack tools as Slow Loris for Python and Windows, the Low-Orbit Ion Canon, and what the group dubbed the "OWASP Layer 7 DDOS Tool."

As part of Tuesday's attacks, "independent penetration tester" JokerCracker, along with AnonymousTjTeam (aka Anonymous Tijuana), claimed via Twitter to have defaced more than 270 North Korean government website pages.

In a statement addressed "to the tyrants of the North Korean government," Anonymous repeated its demand for Kim Jong-un to step down. "The only power you have are missiles and nuclear," it said. "We are more powerful than that. You cannot destroy ideas with missiles."

According to an attack FAQ published in April, as part of #OpNorthKorea, Anonymous has claimed to be working with small cells in North Korea to create a "ninja gateway" that would bridge the country's quite small Internet -- known as "Kwangmyong" -- with the Internet at large.

Meanwhile, earlier this month Anonymous claimed to have completed the ninja gateway and to have infiltrated multiple North Korean sites. "We completed [several] attacks on your internal websites and inside your local intranets," read a statement released by Anonymous. None of those claims have been verified, but the group promised to release related documents Tuesday.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7896
Published: 2015-03-03
Multiple cross-site scripting (XSS) vulnerabilities in HP XP P9000 Command View Advanced Edition Software Online Help, as used in HP Device Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Tiered Storage Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Replication Manager 6.x and 7.x before ...

CVE-2014-9283
Published: 2015-03-03
The BestWebSoft Captcha plugin before 4.0.7 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.

CVE-2014-9683
Published: 2015-03-03
Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.

CVE-2015-0656
Published: 2015-03-03
Cross-site scripting (XSS) vulnerability in the login page in Cisco Network Analysis Module (NAM) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCum81269.

CVE-2015-0890
Published: 2015-03-03
The BestWebSoft Google Captcha (aka reCAPTCHA) plugin before 1.13 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.