Attacks/Breaches
4/12/2013
09:46 AM
Connect Directly
RSS
E-Mail
50%
50%

Anonymous-Linked Hacker Claims North Korea Win

Botmaster "The Jester," whose DDoS attacks have targeted Westboro Baptist Church, PayPal and Mastercard, calls "tango down" on Pyongyang's new, third Internet connection.

Who Is Anonymous: 10 Key Facts
Who Is Anonymous: 10 Key Facts
(click image for larger view and for slideshow)
A botmaster who's launched distributed denial of service (DDoS) attacks against Westboro Baptist Church, as well as PayPal and MasterCard, this week announced new attacks against the Democratic People's Republic of Korea (DPRK), aka North Korea.

"'TANGO DOWN' -- Border Gateway Protocol CISCO IOS -- #DPRK," read a tweet from The Jester, aka "th3j35t3r." The hacktivist catchphrase tango down is army slang for "target down."

The Wednesday tweet linked to a "what it was" screenshot showing information for the disrupted 175.45.177.211 IP address, which is listed as being a Cisco IOS router registered to the DPRK that first came online March 30. The tweet also included a "why" link pointing to a Tuesday report on the North Korea Tech website about how North Korea recently added a third Internet connection to the country.

"The connection links just one of the DPRK's four blocks of Internet addresses," said journalist Martyn Williams, who maintains the North Korea Tech website. "The block in question isn't the one that hosts North Korea's handful of Web servers -- the ones that came under denial of service attack in the last few days. But it does host some computers, including an Internet gateway that serves as one of the ways traffic from inside North Korea gets to the rest of the Internet."

[ Congress has it wrong. Laws Can't Save Banks From DDoS Attacks. ]

The Jester's apparent takedown of North Korea's third Internet backbone followed DDoS attacks he'd launched against North Korea's official Air Koryo airline, as well as the government-run DPRK, Committee for Cultural Relations with Foreign Countries (Friend.com.kp) and Korea Computer Center (Naenara) websites.

The Jester is a self-described U.S. military veteran of Afghanistan now turned "hacktivist for good" who's dedicated to "obstructing the lines of communication for terrorists, sympathizers, fixers, facilitators, oppressive regimes and other general bad guys."

In December 2012, The Jester -- apparently in coordination with hacker "Cosmo The God" as well as the Anonymous hacktivist collective -- targeted Westboro Baptist Church, a controversial group which self-identifies as a church. After Westboro threatened to protest the funerals of people killed at the Sandy Hook Elementary School in Newtown, Conn., The Jester reported using DDoS attacks to disrupt approximately 10 of 19 different sites operated by the group.

Previously, The Jester had participated in the Operation Payback attacks against PayPal and MasterCard, and other sites perceived to be interrupting the flow of donations to WikiLeaks. While Anonymous had urged followers of Operation Payback to download a DDoS tool known as Low Orbit Ion Cannon (LOIC) and target offending sites, the sites were reportedly knocked offline only after The Jester brought his botnet to bear. Subsequently, investigators traced back and arrested numerous LOIC users.

Despite the occasional collaboration with Anonymous, The Jester appears to have an on-again, off-again relationship with the hacktivist collective. "To #Anonymous: You're all for 'free speech' right? But only when it's your opinion, you deny others 'free speech' w/ your attacks," read a tweet posted Thursday by The Jester.

Even so, both the Jester and Anonymous have recently been targeting North Korea -- The Jester using DDoS attacks, and Anonymous recently taking over and defacing Pyongyang's Twitter and Flickr accounts -- in collective protest against increasing provocations by the Pyongyang regime. Those provocations include conducting nuclear weapon tests, issuing an official declaration of war against South Korea, warning that foreigners should flee the country, as well as repositioning a medium-range missile launcher to put it within range of not only South Korea and Japan, but also Guam.

Thursday, South Korean government officials announced that a hacker's error allowed them to trace the March 20 wiper-malware attacks against multiple banks and broadcasters to an IP address (175.45.178.xx) tied to North Korea's capital, Pyongyang. Since June 2012, that IP address had been used 13 different times to access the systems ultimately targeted in the March 20 attacks.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joey Ortega
50%
50%
Joey Ortega,
User Rank: Apprentice
4/25/2013 | 6:41:41 PM
re: Anonymous-Linked Hacker Claims North Korea Win
Jester or a troll? You decide. Starts at 95:15 http://www.blogtalkradio.com/b...

Turned it into this lol :) https://itunes.apple.com/us/al...
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0103
Published: 2014-07-29
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.

CVE-2014-0475
Published: 2014-07-29
Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.

CVE-2014-0889
Published: 2014-07-29
Multiple cross-site scripting (XSS) vulnerabilities in IBM Atlas Suite (aka Atlas Policy Suite), as used in Atlas eDiscovery Process Management through 6.0.3, Disposal and Governance Management for IT through 6.0.3, and Global Retention Policy and Schedule Management through 6.0.3, allow remote atta...

CVE-2014-2226
Published: 2014-07-29
Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows man-in-the-middle attackers to obtains sensitive information via unspecified vectors.

CVE-2014-3020
Published: 2014-07-29
install.sh in the Embedded WebSphere Application Server (eWAS) 7.0 before FP33 in IBM Tivoli Integrated Portal (TIP) 2.1 and 2.2 sets world-writable permissions for the installRoot directory tree, which allows local users to gain privileges via a Trojan horse program.

Best of the Web
Dark Reading Radio