Attacks/Breaches
4/5/2013
10:36 AM

Anonymous Seizes North Korean Twitter, Flickr Feeds

Breach follows joint DDoS attack with botmaster The Jester in retaliation for North Korea's declaration of war against South Korea.

Twitter and Flickr accounts run by the government of North Korea were seized and defaced Thursday by elements of the Anonymous hacktivist collective.

The North Korea Twitter feed, which normally includes Korean-language posts, Thursday saw five English-language tweets posted, referring to a number of North Korean websites that were reportedly "hacked." The photograph on the Twitter feed was replaced with an image of two monochrome figures in Anonymous masks dancing a tango, together with the hacktivist catchphrase "Tango Down" in red letters.

The North Korean Flickr feed, meanwhile, was defaced Thursday to include a $1 million "wanted poster" containing a caricature of Kim Jong-un, depicting him with pig ears and nose, and a Mickey Mouse tattoo on his stomach. The poster labeled him as a "nuke nuke Mickey lover" and accused him of "threatening world peace with ICBMs and nuclear weapons" as well as "the worst human rights violation in the world."

By Friday, the Flickr feed's administrators appeared to have regained control of their account, although the Twitter feed was still displaying the English-language Anonymous posts.

North Korea first established an official Twitter presence in 2010 as part of a social media push that included creating a YouTube account. But experts on North Korea believed that very few people inside North Korea enjoy access to the services, given blocks in place on accessing foreign websites.

The social media seizure campaign was preceded by a data dump, or dox, from Anonymous, accompanied by a Tuesday declaration calling on 30-year-old Kim Jong-un to resign, as well as for "uncensored internet access for all the citizens" and the establishment of "a free direct democracy in North Korea." That data dump was made in response to rising tensions in the Korean peninsula, and North Korea issuing a declaration of war Saturday against South Korea, followed by the Pyongyang regime promising Sunday to quickly restart a nuclear reactor in the country.

"To Kim Jong-un: So you feel the need to create large nukes and threaten half the world with them? So you're into demonstrations of power?, here is ours," read the Anonymous statement, which included a link to alleged sample records -- including usernames, email addresses and hashed passwords -- stolen from the Uriminzokkiri ("Our Nation") website run by North Korea's central news agency. Hosted in China, the site distributes news and propaganda from the Pyongyang regime. Anonymous claimed to have obtained 15,000 user credentials for the site in total.

That dox followed distributed denial of service (DDoS) attacks launched Saturday by South Korean elements of Anonymous, working with the botmaster known as The Jester. "Tango Down -- Air Koryo -- North Korea's official airline. Flight schedules, office locations, a company history," read a related tweet from The Jester (@th3j35t3r). Other sites disrupted via DDoS attacks included the official website of the Democratic People's Republic of Korea (North Korea), the government's Committee for Cultural Relations with Foreign Countries (Friend.com.kp) and the Korea Computer Center (Naenara) websites.

The Jester seems to have an on-again, off-again relationship with Anonymous, bringing his botnet to bear on sites he deems worthy of disruption, such as the Westboro Baptist Church or in support of the 2010 Operation Payback attacks against PayPal, MasterCard, and other organizations perceived to be blocking the flow of donations to WikiLeaks.

Under the banner of "OpFreeKorea," Anonymous has announced plans to launch a second wave of doxing and DDoS disruptions against North Korea on April 19, unless their demands are met.

Comments
PJS880,
User Rank: Ninja
4/22/2013 | 2:39:04 AM
re: Anonymous Seizes North Korean Twitter, Flickr Feeds
I love that someone is putting the North Korea government in check. I would have loved to see the faces of the IT guys scrambling to regain control of their Twitter feeds. In all seriousness, Anonymous does have a valid point here and it seems to be the only way to get that across and have a direct reaction from North Korea. I guess there is a downside to trying to control a country's Internet privileges that it leaves the whole system that controls that open for attacks as well.

Paul Sprague
InformationWeek Contributor