A man walks while talking on his mobile phone in front of a logo of a Nonghyup bank in Seoul, Tuesday. Prosecutors said North Korean hackers broke into the computer network of the bank last month. / AP-Yonhap
By Kim Rahn
North Korea committed the cyber terrorist attack on Nonghyup that paralyzed its banking network for a week last month, the prosecution said Tuesday.
Announcing the interim outcome of an investigation, the Seoul Central District Prosecutors’ Office concluded that the attack was launched by the same group that hacked websites of government agencies and financial institutions in 2009 and last March.
Prosecutors said North Korea’s General Bureau of Reconnaissance had prepared the attack over a long period. They reached that conclusion after analyzing 81 samples of malicious code found on the laptop of an IBM employee who was working at Nonghyup’s IT center under an outsourcing contract.
His laptop became a “zombie PC,” infected with malicious software and programmed to conduct the attack, and served as the main tool for the hackers.
“We found programming methods that were also detected in the previous two cyber attacks, such as the method of encoding the malicious commands,” senior prosecutor Kim Yeong-dae said at a press briefing.
The way the code was distributed was similar to that of the previous attacks, and the Internet Protocol (IP) address of a server used to control the zombie PC was identical to one used in the distributed denial-of-service (DDoS) attack in March. Nonghyup was one of the targets in both earlier attacks.
The hackers turned the laptop into a zombie computer on Sept. 4, 2010 and controlled it for seven months, obtaining inside information and remotely issuing the file deletion command, according to the prosecution.
“Nonghyup staffers including the IBM employee took laptops for system management in and out of the IT center without restriction,” Kim said.
The laptop was first infected last July, during another cyber attack by the North that was not made public and that infected thousands of computers. “Among the computers, the North selected and has managed 201 which were connected to government or financial agencies. The Nonghyup laptop was one of the 201,” Kim said.
The attackers also installed hacking and eavesdropping programs on the laptop and harvested target IP addresses and system passwords.
Using that access, they placed the command file on the laptop at 8:20 a.m. on April 12 and executed it remotely over the Internet at 4:50 p.m. Second and third waves followed, destroying 273 of Nonghyup’s 587 servers.
“They checked the success of their attack and the number of crashed servers. Then at around 5:20 p.m., they deleted all evidence including command programs from the laptop, making it difficult for us to trace,” the prosecutor said.
Kim said the attack probably required huge human and financial resources, considering the types of malicious code, the programming and distribution techniques, and the length of the preparation period.
“We investigated the IT center entry records and surveillance camera recordings to see whether Nonghyup insiders conspired with the hackers, but didn’t find any noticeable evidence,” he said.
Prosecutors noted the outage might not have happened if Nonghyup had enforced strict system management rules.
“Workers were supposed to receive approval when taking computers in and out of the IT center, and when taking one out, the computer should have been reformatted. But those in charge didn’t. They also hadn’t changed system passwords since last July, while they were supposed to do so every month,” Kim said.
Questions still remain
But some network security experts say the lack of “hard evidence” makes it difficult to conclude that North Korea carried out the attack, noting that IP addresses can be manipulated.
They say that for the previous two attacks the prosecution had only circumstantial evidence, not direct evidence, that North Korea was responsible.
They say there was no clear evidence that the Chinese IP addresses used in the 2009 attack had been leased to the North Korean Ministry of Post and Telecommunications, and that even if they had, someone else could deliberately have used them.
They also questioned how an IBM worker, a security specialist, could go seven months without noticing that his laptop had become a zombie.
“It is worrying that law enforcement authorities blame North Korea for cyber attacks whenever they fail to find the perpetrators,” a security expert said.