4/2/2013
10:24 AM

Anonymous Hits North Korea Via DDoS

Hacktivists disrupt government and airline websites after North Korean government threatens to restart nuclear reactor, invade South Korea.

The Anonymous hacktivist collective announced that it's released sensitive data about -- aka doxed -- the government of North Korea over its threat to restart a nuclear reactor in the country.

The dox was announced in an "Anonymous hits N. Korea" message posted Tuesday to Pastebin, claiming that 15,000 membership records had been stolen from the website of North Korea's Kim Il Sung Open University, which is run from China.

The Pastebin post, which railed against the governments of both North Korea and the United States, demanded that the Pyongyang regime "stop making nukes and nuke-threats" and called for the resignation of the country's 30-year-old ruler, Kim Jong-un.

The post included six records supposedly stolen from the Uriminzokkiri website, including names, email addresses and hashed passwords. "Enjoy these few records as a proof of our access to your systems (random innocent citizens, collateral damage, because they were stupid enough to choose idiot passwords), we got all over 15k membership records of www.uriminzokkiri.com and many more," it said. Cracked password hashes in the post included "123456" and "loveme."

The veracity of the doxed information couldn't be verified. One of the published email addresses, however, was for smart grid product vendor KEPCO KDN, which is part of Korea Electric Power Co. Three of the "example records" contained Korean names, while the other three were Chinese names, according to journalist Martyn Williams, who maintains the North Korea Tech website.

The alleged data dump followed a series of distributed denial-of-service (DDoS) attacks launched Saturday against the official website of the Democratic People's Republic of Korea (North Korea), the government-owned airline Air Koryo, as well as the government's Committee for Cultural Relations with Foreign Countries (Friend.com.kp) and the Korea Computer Center (Naenara) websites.

Those attacks were carried out under the banner of Operation North Korea (OpNorthKorea) by the South Korean branch of Anonymous, and were made in response to increasing threats from Pyongyang that it plans to attack South Korea.

Last month, broadcasters and banks in South Korea were hit by a series of highly targeted "wiper" malware attacks that deleted an estimated 32,000 hard drives. While North Korea is generally the first suspect behind any attack against South Korea, no evidence has been published to track the cyber attacks to Pyongyang.

Still, the rhetoric between the two Korean governments has been heating up. According to a recently released North Korean government statement carried by the official government Korean Central News Agency (KCNA), "the whole country is now throbbing with voices urging the start of a sacred war for national reunification." Meanwhile, North Korea's Central Committee announced Sunday that the country "is a full-fledged nuclear weapons state," and a spokesman for the General Department of Atomic Energy said that a reactor located at Yongbyon will be restarted and that the "work will be put into practice without delay," according to KCNA.

North Korea has faced United Nations sanctions after conducting a nuclear weapons test in February. But Kim Jong-un said Sunday that the country will no longer use its nuclear program as a bargaining chip. "The enemies are using both blackmail, telling us that we cannot achieve economic development unless we give up nuclear weapons, and appeasement, saying that they will help us live well if we choose a different path," KCNA quoted Kim as saying.

In the face of the increasing tensions, the White House said it's monitoring the situation. "We haven't seen actions to back up the rhetoric," White House spokesman Jay Carney told reporters Monday, reported Reuters.

Comments
jries921,
User Rank: Apprentice
4/5/2013 | 5:23:38 PM
re: Anonymous Hits North Korea Via DDoS
Of course, the irony is that Anonymous is anything but friendly with the U.S. government.
2duBob,
User Rank: Apprentice
4/3/2013 | 7:56:21 PM
re: Anonymous Hits North Korea Via DDoS
Anonymous is poking an angry bear and you can be sure that North Korea considers Anonymous as a "tool" of the US. (CIA?) Only time will tell if these types of actions are good or bad... but they are definitely extremely dangerous.
jries921,
User Rank: Apprentice
4/3/2013 | 2:46:16 AM
re: Anonymous Hits North Korea Via DDoS
Of course, one of the questions is... Why should North Korea require economic assistance from its supposed enemies; especially when it claims to have a superior economic system, and has for the last 60 years preached national self-reliance?

I'm hoping this is all bluff, but if North Korea breaks the armistice, then the war should not end until the North Koreans surrender, the Korean Communist Party is dissolved, and its senior leaders are all either dead or in custody.

Andrew Hornback,
User Rank: Apprentice
4/3/2013 | 2:28:32 AM
re: Anonymous Hits North Korea Via DDoS
Get your popcorn ready - I was hoping that this day would come. Anonymous vs. DPRK (and possibly the PRC)... of course, the goading of the US at this point doesn't help.

Going a little afield from the story, it doesn't take a computer scientist to figure out that if a stealth bomber can reach operational theaters in Iraq and Afghanistan while based solely within the Continental United States, it wouldn't take much of a leap to assume that they can also reach North Korea.

It's also somewhat comforting to see that users in North Korea generally aren't smarter than those in the United States with respect to their password choices. I guess bad security practices know no boundaries...

Andrew Hornback
InformationWeek Contributor