Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

How South Korea Traced Hacker To Pyongyang

Apparent mistake exposed the March bank hacker's IP address, which investigators traced to a North Korean address.

A hacker's technical blunder allowed South Korean investigators to trace back recent attacks against the country's banks and broadcasters to an IP address located in North Korea's capital, Pyongyang.

While the identity of the hacker isn't known, on February 20, the attacker inadvertently exposed his or her IP address (175.45.178.xx) for a few minutes, apparently after experiencing technical difficulties, reported South Korea's Yonhap News Agency.

According to the state-run Korea Internet & Security Agency in Seoul, the IP address was traced to the Ryugyong-dong residential district of Pyongyang. The IP address is registered to a company called Star Joint Venture (Star JV), which is North Korea's sole service provider, and also administers the country's top-level ".kp" domain.

Star JV is a joint venture between the Pyongyang regime that rules North Korea -- officially known as the Democratic People's Republic of Korea (DPRK) -- and Loxley Pacific Company, a Thai company that bills itself as a telecommunications system integration and solutions provider. Bangkok-based Loxley Pacific didn't immediately respond to an emailed request for comment -- sent outside of business hours in Thailand -- about South Korean investigators having attributed the recent bank and broadcaster cyberattacks to a network hosted by Star JV.

[ Tension escalates between North and South Korea. See South Korea Charges Alleged Hackers. ]

Officials at the Korea Internet & Security Agency said that because the IP address exposure appeared to be accidental, they think it's legitimate and wasn't spoofed, reported Yonhap. Furthermore, the IP address was logged 13 times in the course of South Korean investigators cataloging North Korean systems that accessed the attacked South Korean financial firms' systems. They said such access had occurred 1,590 times since June 2012.

The IP address finding has implications beyond just the March 20 wiper malware attacks. "The North Korean IP address made it clear that the North is behind not only the latest hacking but also previous hacking attacks," Kim Seung-joo, a professor at the Graduate School of Information Security at Korea University, told Yonhap.

After three weeks of analysis, South Korean government officials only Wednesday said they'd traced the March 20 malware attacks to North Korea, based not only on the IP addresses and domains used to launch the attacks, but also on the use of relatively outdated hacking tools and malware, much of which had been seen previously only in attacks sponsored by Pyongyang. The attacks, which targeted three South Korean banks and three broadcasters, resulted in disruptions to online banking, mobile banking and ATM networks.

Interestingly, the bank malware attacks were launched shortly after North Korea lost Internet connectivity on March 13 and 14. A statement issued at the time by the Pyongyang-run Korean Central News Agency blamed the outage on a U.S. and South Korean cyberattack, claiming that the DPRK had been targeted by "intensive and persistent virus attacks."

Without a doubt, the outage was atypical. "It should be noted that although North Korea's Internet is small, it is very stable," said Doug Madory, senior research engineer for Renesys, in a blog post. "Until [March 13 and 14], North Korean outages had been very rare."

But it's not clear whether the disruptions resulted from hack attacks launched against North Korean infrastructure, or simply internal glitches. Notably, North Korea only has four networks, all of which are routed by Star JV using a direct link to mainland Chinese service provider China Unicom, as well as via satellite communications provider Intelsat, and the outage affected both.

"Since it affected both Internet transit connections (China Unicom and Intelsat), it stands to reason the disruption was on the North Korean side," Madory said. "So perhaps it was networking equipment deeper in the North Korean network which suffered the outage."

"Was it the result of a cyber attack? Maybe," he said. "It could also have been a power failure, equipment failure or a misconfiguration by a network admin."

In related news, Pyongyang Monday bolstered the country's Internet connectivity by adding another connection to China Unicom, this time via a link to Hong Kong. "The new connection appears to [provide] a third way for traffic to reach the country, although much is unclear," reported journalist Martyn Williams, who maintains the North Korea Tech website. "It's not immediately clear if it represents a third physical connection or [is] only happening on the network level, and at present there's no way to know if it serves as an additional backup or will become an important connection."

A well-defended perimeter is only half the battle in securing the government's IT environments. Agencies must also protect their most valuable data. Also in the new, all-digital Secure The Data Center issue of InformationWeek Government: The White House's gun control efforts are at risk of failure because the Bureau of Alcohol, Tobacco, Firearms and Explosives' outdated Firearms Tracing System is in need of an upgrade. (Free registration required.)

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
4/15/2013 | 2:08:43 AM
re: How South Korea Traced Hacker To Pyongyang
Knowing a thing or two about organizations with multiple connectivity types/carriers, it stands to reason that the North Korean outage was caused on their side.

Now, there are any number of things that can cause an outage - but for two days, sounds a bit out there. What if this was an inside job in order to give DPRK a justification for making an attack?

I figure someone at the console just typed in ATH0 and that's all it took...

Andrew Hornback
InformationWeek Contributor
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15058
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.
CVE-2020-15059
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter.
CVE-2020-15060
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name.
CVE-2020-15061
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to denial-of-service the device via long input values.
CVE-2020-15062
PUBLISHED: 2020-08-07
DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.