Attacks/Breaches
4/16/2013
11:31 AM
Connect Directly
RSS
E-Mail
50%
50%

Anonymous Takes Down North Korean Websites

Hacktivists knock five North Korean websites offline on the 101st anniversary of North Korea's founding.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)

The hacktivist group Anonymous announced Monday that it's disrupted five North Korean websites.

"More of North Korean websites are in our hand. They will be brought down," read an Anonymous tweet issued via the seized Twitter account of Uriminzokkiri, which carries North Korean official government news.

That message was followed by a "tango down" declaration for uriminzokkiri.com. Subsequent messages announced that the North Korean websites ryugyongclip.com, minjok.com, paekdu-hanna.com and jajusasang.com had been hacked. The latter three websites were altered to feature a previously deployed caricature of North Korean leader Kim Jong-Un sporting pig ears and nose and a Mickey Mouse tattoo.

Anonymous Monday also posted to Pastebin a "members of minjok.com" data dump -- aka dox -- as well as a list of what it described as "members of paekdu-hanna.com." By Tuesday morning, all of the sites except for jajusasang.com appeared to either be offline or experiencing frequent disruptions. The Uriminzokkiri Twitter feed, meanwhile, hadn't been expunged of the Anonymous posts.

[ Botmaster known as "The Jester" targets North Korea in recent round of attacks. Read more at Anonymous-Linked Hacker Claims North Korea Win. ]

Anonymous has been defacing and disrupting North Korean websites -- which largely can be viewed only by people outside the country -- to protest the Pyongyang regime's military provocations, which have recently included a nuclear weapons test, a threatened medium-range ballistic missile test, a promise to restart a nuclear reactor and the declaration of war against South Korea.

The government of South Korea has also blamed North Korea for launching last month's "wiper" malware attacks that erased 48,000 hard drives and disrupted operations at banks and broadcasters. Government officials said they traced a hacker involved in the attacks to Pyongyang.

A spokesperson for the general staff of the Korean People's Army in North Korea labeled the attack attribution "rumors" and a "deliberate provocation," reported South Korea's Yonhap news agency.

The latest Anonymous disruptions, which occurred Monday, coincided with North Korea's celebrating the 101st "Day of the Sun" holiday, which commemorates the anniversary of the country's founder, Kim Il-Sung; Kim Jong-Un is his grandson. The holiday is traditionally celebrated with flowers. Unlike some previous years, however, the Pyongyang regime chose not to use the occasion to stage a military parade.

Anonymous has been calling on Kim Jong-Un to resign, threatening "first we gonna wipe your data, then we gonna wipe your badass dictatorship 'government.'"

This isn't the first time the hacktivist collective has disrupted Uriminzokkiri.com (Korean for "one nation"). Anonymous also recently seized control of Uriminzokkiri's Twitter and Flickr feeds and leaked what it said were 9,000 of the 15,000 user accounts -- including people's real names, usernames, addresses, birthdates and hashed passwords -- from the site's server, which is hosted in China.

In other website disruption news, the Syrian Electronic Army Monday claimed credit for taking over the Twitter feed for National Public Radio. "The good news is that NPR appears to have cleaned up the affected Web pages, some of which were carrying news of the explosions at the Boston Marathon," said Graham Cluley, senior technology consultant at Sophos, in a blog post.

The Syrian Electronic Army didn't give a motive for its attack. "We will not say why we attacked @NPR ... They know the reason and that [is] enough," read a message posted to the group's Twitter feed. But obviously the group -- which reportedly supports Syrian President Bashar Assad's regime -- may be unhappy with NPR's Syria coverage.

In a statement released late Monday, NPR confirmed the attack, saying it commenced Monday at approximately 11 p.m. ET and that NPR's publishing system had been accessed and multiple headlines altered. "Late Monday evening, several stories on the NPR website were defaced with headlines and text that said 'Syrian Electronic Army Was Here,'" it said. Some of those headlines then propagated to stories that appeared on NPR members stations' websites.

"We have made the necessary corrections to those stories on NPR.org and are continuing to work with our member stations," NPR said, adding that it had regained control of its Twitter feeds.

Attend Interop Las Vegas May 6-10 and learn the emerging trends in information risk management and security. Use Priority Code MPIWK by March 22 to save an additional $200 off the early bird discount on All Access and Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 300+ exhibiting companies, and the latest technology. Register today!

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

CVE-2012-5487
Published: 2014-09-30
The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing.

CVE-2012-5488
Published: 2014-09-30
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.

CVE-2012-5489
Published: 2014-09-30
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.