Posted : 2013-04-10 19:17
Updated : 2013-04-10 19:17

Pyongyang responsible for recent hacking attacks

By Kim Tong-hyung

North Korea was behind the series of cyber attacks that crippled the networks of South Korean television stations and financial companies last month, government sources confirmed Wednesday.

But South Korea could hardly have made the job easier for Pyongyang's army hackers, short of FedExing them its security codes.

According to an announcement by a government-led investigation team, agents of North Korea's Reconnaissance General Bureau used Internet Protocol (IP) addresses in several countries as relay points to plant malicious programs on the affected computers around February.

On March 20 the hijacked computers at broadcasters KBS, MBC and YTN and at Jeju Bank, Nonghyup and Shinhan Bank wreaked havoc inside those companies, paralyzing communications and customer service systems and inflicting significant financial damage.

The websites of the Ministry of Strategy and Finance, YTN and Daily NK, an online newspaper dedicated to North Korea-related issues, came under similar attacks on March 25 and 26.

Around 48,000 computers, servers and automated teller machines (ATMs) were infected or damaged by the attacks, which involved 76 types of malicious software developed by the North Koreans, government officials said.

''We have found that six computers based in North Korea connected to the computers of South Korean companies more than 1,590 times since June 28 last year and took information from them. A day after the attacks, on March 21 this year, the North Korean computers destroyed traces of the attack routes,'' an official from the Ministry of Science, ICT (information and communication technology) and Future Planning said at a news conference.

''The recent hacking attacks were apparently planned for a long time and 22 of the 49 attack routes we managed to trace were identical to the routes that North Korea used in previous attacks. More than 30 of the 76 types of malicious software had been previously used by the North Koreans,'' he added, referring to the cyber attack on Nonghyup in 2011 that was also concluded to be a North Korean action.

The announcement effectively put an end to the were-they-or-weren't-they debate surrounding North Korean involvement in the recent attacks.

Experts who had doubted the link had argued that the country was unlikely to have hackers sophisticated enough to pull off online attacks of such scale.

But the real problem for South Korea is that breaching its computers requires only minimal sophistication. An ill-advised policy decision made 15 years ago has eroded the country's computer security defenses to the point where they are now as porous as Swiss cheese.

At the core of this shaky security environment is a Microsoft monoculture in computer operating systems and Web browsers, blamed for saddling computer users with outdated technology and making them easy targets for cyber criminals.

Software companies have had critical influence on how the Financial Supervisory Service (FSS) and other regulators write the rules on Internet usage and electronic commerce. Since 1998, those rules have mandated that all encrypted online communications be based on electronic signatures issued through a public-key infrastructure.

Since the fall of Netscape in the early 2000s, ActiveX, which functions only in Microsoft's Internet Explorer (IE), has remained the sole plug-in mechanism for downloading these public-key certificates and the software that uses them. This has locked users of non-Microsoft browsers such as Firefox and Chrome out of online banking, online shopping and e-government services, and frequently reduced Apple Macs to fashion items.

The biggest problem with programs installed through ActiveX is that they create an illusion of security where there is none.

Instead of providing a security-based model, ActiveX relies on a simple ''yes'' or ''no'' confirmation from the user before downloading programs and controls. This is a risky arrangement: an ActiveX control is native code that runs inside the browser with the full privileges of the logged-in user (on older Windows installations, typically an administrator), so there is no sandbox to contain a malicious or compromised control, and hackers have often abused such controls to seize control of a computer.

Officials have admitted that the malicious software used by the North in the recent attacks penetrated the computers through XecureWeb, an ActiveX program developed by Seoul-based software firm Soft Forum and used to enable electronic banking functions.

Common sense says that security software firms such as Soft Forum and AhnLab, the industry kingpin, should be leading campaigns to educate the public and reduce the reliance on ActiveX.

In reality, they have actually encouraged the use of this risky technology, forcing users to install their security programs through ActiveX plug-ins rather than through ordinary file downloads.

It is hard to deny that these firms have profited by prolonging the country's computer security problems rather than fixing them. Stranger still, in a country knee-deep in a computer security mess, Ahn Cheol-soo, the founder of AhnLab who perfected this destructively opportunistic business model, is regarded by some as a political savior.

Related Korean article

"March 20 hacking: attack prepared from eight months earlier"

Government to hold National Cyber Security Strategy Meeting tomorrow to discuss measures against a recurrence

The cyber terror attacks of the 20th of last month on broadcasters KBS, MBC and YTN and on financial institutions Nonghyup, Shinhan Bank, Jeju Bank, NH Life Insurance and NH Fire & Marine Insurance have officially been found to be the work of North Korea.

Tracing the attack routes of the cyber terror led to an Internet address inside North Korea, and attempts to remove traces of the connections were also discovered.

The joint civilian-government-military response team that has been investigating the incident announced these and other findings at a press conference held on the afternoon of the 10th in the briefing room of the Ministry of Science, ICT and Future Planning.

The team reached this conclusion by analyzing 76 types of malicious code collected from infected equipment at the affected companies and from domestic attack relay points, and by comprehensively drawing on the findings on North Korean hacking against the South accumulated over several years by the National Intelligence Service (NIS) and the military.

The team said the attacker had been persistently infiltrating and monitoring the targets from at least eight months earlier, taking control of PCs or servers inside the target organizations, stealing data and identifying weaknesses in their networks.

According to the investigation, from June 28 last year at least six PCs inside North Korea made 1,590 connections through which they distributed malicious code to financial institutions and stole data stored on PCs.

The first trace of a test connection, on February 22 this year, was also found from a North Korean internal Internet Protocol (IP) address (175.45.178.XXX) to a domestic relay point used to issue commands such as remotely manipulating infected PCs.

The government is understood to consider it highly likely that the attack was the work of North Korea's Reconnaissance General Bureau.

Of the 76 types of malicious code, only nine were for destruction, while 67 were for prior infiltration and surveillance. The team read this as evidence that the attack had been meticulously prepared in advance. The servers, PCs, ATMs and other equipment damaged totaled about 48,000.

Analysis of the eight-digit identification number that North Korean hackers uniquely assign to infected PCs and of the source program of the infection-signal generation code found 18 types identical to those seen in the past.

The attack relay points identified so far number 25 in Korea and 24 overseas; of these, 18 domestic and four overseas relay points had IP addresses matching those North Korea has used in hacking against the South since 2009.

The investigation confirmed that the attacker used the central distribution servers for programs such as anti-virus software to push the PC-destroying malicious code to every PC inside the target organizations at once, or to execute commands deleting data stored on servers.

The team also concluded that the same actor was behind not only the destruction of broadcasters' and financial institutions' computer equipment on the 20th of last month, but also the indiscriminate distribution of malicious code through the weather site 날씨닷컴 (Nalssi.com) five days later, and the deletion of data on the websites of 14 North Korea-related and conservative groups and the destruction of a YTN affiliate's website data server on the 26th of last month.

The conclusion that these incidents were a chain of cyber terror attacks rests on the matching malicious-code sources and the reuse of attack relay points.

In preparation for further attacks after the cyber terror, the government expanded the investigation and monitoring staff of the NIS, the National Police Agency and the Korea Internet & Security Agency to more than three times peacetime levels, and checked a total of 1,781 major websites for malicious code.

On the 11th the government will hold a 'National Cyber Security Strategy Meeting', chaired by the NIS director and attended by officials from 15 government agencies including the Ministry of Science, ICT and Future Planning, the Financial Services Commission and the Blue House National Security Office, to discuss measures to prevent a recurrence.
