South Korea cyberattacks hold lessons for U.S.

It's not the source of an attack that matters, it's how well you are prepared for it

U.S. companies and government agencies can learn from the large-scale disruptions that have simultaneously hit several banks and media outlets in South Korea in the last 24 hours.

Early analyses by security firms suggest that the attacks were carried out using previously known vulnerabilities and exploits.

So while considerable attention is being paid to whether or not North Korea is behind the targeted attacks, the real lesson is that organizations have to address the vulnerabilities that leave them exposed, security analysts said.

"It really doesn't matter if the attacker is a nation-state or a cybercriminal or a hacktivist or a bored teenage kid," said John Pescatore, director of emerging security trends at the SANS Institute in Bethesda, Md. "You have to make sure you are at least at the due-diligence level for the well-known critical security controls. If you close the well-known vulnerabilities, you can stop any attacker using those techniques."

At least three broadcast networks and four major banks in South Korea reported moderate to severe disruptions earlier today.

A report in the New York Times quoted South Korea's Financial Services Commission as saying that two banks, NongHyup and Jeju, were temporarily paralyzed after several computers were infected with a virus that deleted data from their systems.

Services at Shinhan Bank, South Korea's fourth largest financial institution, were also disrupted while a fourth financial services firm said it was hit but suffered no damage.

Meanwhile an official from South Korea's Communication Commission told the Voice of America (VoA) that the disruptions at the media operations appear to have been caused by a virus that was distributed as a software update by a patch management system. The virus basically destroyed the master boot record (MBR) on computer hard drives, causing them to crash, according to the official quoted by the VoA.

In a blog post today, security firm Kaspersky said that its analysis indicated that attackers going by the handle "Whois Team" had used a previously known "Wiper"-style malware program to wipe data on infected computers. The malware is similar to last year's Shamoon malware, which was used to destroy more than 30,000 computers at Saudi oil giant Saudi Aramco.

Meanwhile, security firm Avast Software noted in a blog that its analysis of the attacks show that they originated from a legitimate South Korean website belonging to the Korea Software Property Right Council (SPC). According to the company, the attackers appear to have exploited a previously known Internet Explorer vulnerability (CVE-2012-1889) to infiltrate computers at the affected banks.

According to security firm Sophos, the malware used in the attack is Mal/EncPk-ACE, or simply "DarkSeoul," a "not particularly sophisticated" piece of software that has been around for nearly a year. "For this reason, it's hard to jump to the immediate conclusion that this was necessarily evidence of a 'cyberwarfare' attack coming from North Korea," the company blogged today.

Many have been quick to point to North Korea as the most likely source of the attacks and have noted that the disruptions could signal a dangerous escalation in tension between the two nations. The attacks, in fact, have prompted South Korea's military to raise its information surveillance status up by one level.

Suspicions about North Korea's role in the attacks have been heightened by the fact that the attacks come just a few days after North Korea suffered a prolonged Internet outage of its own. North Korea blamed the outage on the U.S. and South Korea.

Others have said there's little evidence yet to tie North Korea to the incidents and have pointed to more mundane causes -- such as an attack by cybercriminals looking for some quick publicity -- as a likely reason for the disruptions.

According to Avast, its analysis shows that the code used in the malware is distinctly Chinese and the attacks likely originated in China.

The choice of targets and the fact that North Korea has so far remained silent about the attacks is also noteworthy, said James Lewis, director and senior fellow at the Center for Strategic and International Studies in Washington.

"Usually (North Korea) is not quiet when it launches some kind of attack," Lewis said. And typically, the North Koreans have also tended to attack government targets in South Korea, he said. "So, no (government) agencies, no proclamation, it's a bit anomalous," Lewis noted. "The DPRK usually does things for money or for politics; this would seem to get neither."

Lewis stressed that none of this rules out North Korean involvement either.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is
