Attacks/Breaches
4/16/2013
11:31 AM
50%
50%

Anonymous Takes Down North Korean Websites

Hacktivists knock five North Korean websites offline on the 101st anniversary of North Korea's founding.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)

The hacktivist group Anonymous announced Monday that it's disrupted five North Korean websites.

"More of North Korean websites are in our hand. They will be brought down," read an Anonymous tweet issued via the seized Twitter account of Uriminzokkiri, which carries North Korean official government news.

That message was followed by a "tango down" declaration for uriminzokkiri.com. Subsequent messages announced that the North Korean websites ryugyongclip.com, minjok.com, paekdu-hanna.com and jajusasang.com had been hacked. The latter three websites were altered to feature a previously deployed caricature of North Korean leader Kim Jong-Un sporting pig ears and nose and a Mickey Mouse tattoo.

Anonymous Monday also posted to Pastebin a "members of minjok.com" data dump -- aka dox -- as well as a list of what it described as "members of paekdu-hanna.com." By Tuesday morning, all of the sites except for jajusasang.com appeared to either be offline or experiencing frequent disruptions. The Uriminzokkiri Twitter feed, meanwhile, hadn't been expunged of the Anonymous posts.

[ Botmaster known as "The Jester" targets North Korea in recent round of attacks. Read more at Anonymous-Linked Hacker Claims North Korea Win. ]

Anonymous has been defacing and disrupting North Korean websites -- which largely can be viewed only by people outside the country -- to protest the Pyongyang regime's military provocations, which have recently included a nuclear weapons test, a threatened medium-range ballistic missile test, a promise to restart a nuclear reactor and the declaration of war against South Korea.

The government of South Korea has also blamed North Korea for launching last month's "wiper" malware attacks that erased 48,000 hard drives and disrupted operations at banks and broadcasters. Government officials said they traced a hacker involved in the attacks to Pyongyang.

A spokesperson for the general staff of the Korean People's Army in North Korea labeled the attack attribution "rumors" and a "deliberate provocation," reported South Korea's Yonhap news agency.

The latest Anonymous disruptions, which occurred Monday, coincided with North Korea's celebrating the 101st "Day of the Sun" holiday, which commemorates the anniversary of the country's founder, Kim Il-Sung; Kim Jong-Un is his grandson. The holiday is traditionally celebrated with flowers. Unlike some previous years, however, the Pyongyang regime chose not to use the occasion to stage a military parade.

Anonymous has been calling on Kim Jong-Un to resign, threatening "first we gonna wipe your data, then we gonna wipe your badass dictatorship 'government.'"

This isn't the first time the hacktivist collective has disrupted Uriminzokkiri.com (Korean for "one nation"). Anonymous also recently seized control of Uriminzokkiri's Twitter and Flickr feeds and leaked what it said were 9,000 of the 15,000 user accounts -- including people's real names, usernames, addresses, birthdates and hashed passwords -- from the site's server, which is hosted in China.

In other website disruption news, the Syrian Electronic Army Monday claimed credit for taking over the Twitter feed for National Public Radio. "The good news is that NPR appears to have cleaned up the affected Web pages, some of which were carrying news of the explosions at the Boston Marathon," said Graham Cluley, senior technology consultant at Sophos, in a blog post.

The Syrian Electronic Army didn't give a motive for its attack. "We will not say why we attacked @NPR ... They know the reason and that [is] enough," read a message posted to the group's Twitter feed. But obviously the group -- which reportedly supports Syrian President Bashar Assad's regime -- may be unhappy with NPR's Syria coverage.

In a statement released late Monday, NPR confirmed the attack, saying it commenced Monday at approximately 11 p.m. ET and that NPR's publishing system had been accessed and multiple headlines altered. "Late Monday evening, several stories on the NPR website were defaced with headlines and text that said 'Syrian Electronic Army Was Here,'" it said. Some of those headlines then propagated to stories that appeared on NPR members stations' websites.

"We have made the necessary corrections to those stories on NPR.org and are continuing to work with our member stations," NPR said, adding that it had regained control of its Twitter feeds.

Attend Interop Las Vegas May 6-10 and learn the emerging trends in information risk management and security. Use Priority Code MPIWK by March 22 to save an additional $200 off the early bird discount on All Access and Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 300+ exhibiting companies, and the latest technology. Register today!

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-4403
Published: 2015-04-24
Multiple cross-site request forgery (CSRF) vulnerabilities in Zen Cart 1.3.9h allow remote attackers to hijack the authentication of administrators for requests that (1) delete a product via a delete_product_confirm action to product.php or (2) disable a product via a setflag action to categories.ph...

CVE-2012-2930
Published: 2015-04-24
Multiple cross-site request forgery (CSRF) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user via an adduser action to admin/index.php or (2) conduct static PHP code injection attacks in .htusers...

CVE-2012-2932
Published: 2015-04-24
Multiple cross-site scripting (XSS) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to inject arbitrary web script or HTML via the (1) selitems[] parameter in a copy, (2) chmod, or (3) arch action to admin/index.php or (4) searchitem parameter in a search action to admin/...

CVE-2012-5451
Published: 2015-04-24
Multiple stack-based buffer overflows in HttpUtils.dll in TVMOBiLi before 2.1.0.3974 allow remote attackers to cause a denial of service (tvMobiliService service crash) via a long string in a (1) GET or (2) HEAD request to TCP port 30888.

CVE-2015-0297
Published: 2015-04-24
Red Hat JBoss Operations Network 3.3.1 does not properly restrict access to certain APIs, which allows remote attackers to execute arbitrary Java methos via the (1) ServerInvokerServlet or (2) SchedulerService or (3) cause a denial of service (disk consumption) via the ContentManager.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.