South Korea Cyberattack Not Launched via Chinese IP Address (Updated)

Update: The Korean Communications Commission has announced that its original attribution was a mistake, and that the IP address involved in the attack actually belongs to one of the targeted companies. The attack is still believed to have originated abroad, however.

Original post: South Korean authorities have revealed that malware used in a major cyberattack against Korean banks and broadcasters has been traced to an IP address in China. (For a detailed description of the attack, see Sean Gallagher’s account at Ars Technica.) The attack came amid North Korean threats of “catastrophic” retaliation if the U.S. persisted in flying B-52 bombers over the peninsula, however, and Pyongyang is widely regarded as the chief suspect. From Choe Sang-hun at The New York Times:

The Korea Communications Commission said Thursday that the disruption originated at an Internet provider address in China but that it was still not known who was responsible.

Many analysts in Seoul suspect that North Korean hackers honed their skills in China and were operating there. At a hacking conference here last year, Michael Sutton, the head of threat research at Zscaler, a security company, said a handful of hackers from China “were clearly very skilled, knowledgeable and were in touch with their counterparts and familiar with the scene in North Korea.”

But there has never been any evidence to back up some analysts’ speculation that they were collaborating with their Chinese counterparts. “I’ve never seen any real evidence that points to any exchanges between China and North Korea,” said Adam Segal, a senior fellow who specializes in China and cyberconflict at the Council on Foreign Relations.

From Bloomberg News:

“Discovering that the code was from China makes it more likely that the attack was from North Korea, because a lot of North Korean hackers operate there,” said Ryou Jae Cheol, a professor of computer engineering and securities at Chungnam National University. “Who else would be making this kind of attack at this scale and timing other than North Korea?”

[…] “It’s highly probable that North Korea used Chinese IPs for the attacks,” said Lim Jong In, dean of Korea University’s Graduate School of Information Security. “These are sentimental attacks, aimed at spreading confusion to the whole society by paralyzing media and financial institutions. But it will take some time to exactly track who’s behind this as China is unlikely to actively cooperate.”

At Reuters, Ju-min Park described the difficulty of assessing North Korea’s cyberwarfare capabilities:

Jang Se-yul, a former North Korean soldier who went to a military college in Pyongyang to groom hackers and who defected to the South in 2008, estimates the North has some 3,000 troops including 600 professional hackers in its cyber unit.

[…] The North’s professional “cyber-warriors” enjoy perks such as luxury apartments for their role in what Pyongyang has defined as a new front in its “war” against the South, Jang told Reuters.

[…] “North Korea can’t invest in fighter jets or warships, but they have put all their resources into raising hackers. Qualified talent matters to cyber warfare, not technology,” said Lee Dong-hoon, an information security expert at Korea University in Seoul.

