July 13, 2009 09:33
Computer security companies on Sunday said the culprits behind last week's cyber terror attacks were North or South Koreans or at least people who are very familiar with South Korean affairs.
AhnLab, Hauri and other IT security companies said the computer viruses that began executing their commands at midnight Friday were programmed to destroy 37 different types of files. Among files targeted for destruction were the "Hana Word" word processing program created in the mid 1980s by Hongjin Data Service and the "Hunminjeongeum" word processing program by Samsung Electronics.
Until the mid 1990s, ordinary South Koreans as well as the military and government agencies used "Hana Word," which was replaced by newer programs more than a decade ago. "Hunminjeongeum" is also program no longer used by ordinary people but remains the official word processing program within the Samsung Group.
Moon Jong-hyun, a staffer at IT security firm Inca Internet, said, "Since the virus targeted South Korean programs that are no longer used by most people, the hacker was either North or South Korean or someone who knows South Korea very well."
It will not be easy for the government to track the source of the distributed denial of service (DDoS) attacks that paralyzed the Internet in Korea all last week. First of all, the virus used to launch the DDoS attacks were programmed to delete their path of infection, and the viruses used in the fourth wave of attacks covered their tracks by destroying the hard drives of the so-called "zombie computers" that were hijacked to launch the attacks.
The National Intelligence Service believes North Korea was behind the latest attacks, but it is extremely difficult to prove this. North Korea does not use the official Internet domain address ".kp" that was allotted by the Internet Corporation for Assigned Names and Numbers. The North was apparently allotted the .kp domain in 2007 at its embassy in Germany, but the domain name is now owned by a German by the name of Jan Holtman. And it usually operates websites either by leasing lines from China or from overseas.
But the NIS is said to know many of the Internet protocol addresses that belong to North Koreans. One intelligence officer said, "Our investigation involves comparing and analyzing the IP addresses of North Korean hackers we are aware of and the IP addresses that were used during last week's attacks." The NIS is looking at individual North Koreans being behind the attacks.
Ha Tae-kyoung, the head of Open Radio for North Korea, said, "The incident in May when a hacker broke through the defense system of a South Korean bank and stole cash, appears to have been the work of a North Korean." But Ha added there must have been a person in South Korea who made the theft possible. One government source said, "There is the possibility that North Korea sympathizers in South Korea may have been involved in the latest attacks, which involved the creation of tens of thousands of 'zombie computers.'"
Experts say if the NIS is able to pinpoint the South Korean collaborator, then North Korea's involvement can be confirmed as well, but it will be difficult to prove this using technical analysis alone.
Meanwhile, things are returning to normal. An official at the Korea Communications Commission said, "There appears to be no signs of a fifth wave of attacks approaching." As of 6 p.m. on Sunday, a total of 928 computers had been reported damaged from the attack virus.
- Copyright © Chosunilbo & Chosun.com