Is NKorea behind cyber attack on SKorean bank?

South Korea’s Prosecutor’s Office concluded on April 2 that North Korea is to blame for last month’s cyber attack on the Nonghyup bank, which forced it to shut down for several days and hobbled its banking services for over a week. But many South Korean IT experts and media outlets have refused to accept the Prosecutor’s version of the story.

The Seoul Central District Prosecutors’ Office reported in a briefing that hackers turned an IBM employee’s laptop into a “zombie PC” last September and had been managing and controlling it since, gaining unrestricted access to the Nonghyup Internet banking service (Nonghyup outsourced Internet security to IBM). The Prosecutor’s Office reported that it had detected similarities between the Nonghyup case and previous attacks, such as last March’s DDoS attack on major South Korean websites. It said that the malicious code distributed and the Internet Protocol (IP) address of the server used to control the zombie PC were identical, and that the crime was committed by the same hacker group that attacked major South Korean websites in 2009 and last March.

Hackers Do NOT Use Real IP Addresses

Mainstream media and IT experts, however, raised a series of questions about the authorities’ explanation, and stressed that it is preposterous to draw a conclusion from poor evidence and unconfirmed precedents. They pointed out that IP addresses can be manipulated easily and that hackers almost always operate through other hosts’ IPs, so a server address identifies a hop in the chain rather than the person behind it. They also added that the malicious software and code planted on the zombie PC are commonly found in the hacking world and do not belong exclusively to North Korea.
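The point the critics are making, that a connection’s source IP identifies only the last hop and not the true origin, can be shown with a small loopback simulation. The following is an added example and is not code from the article or from any party it describes; the three hosts (attacker, compromised “zombie” relay, target server) are stand-ins on the 127.0.0.0/8 block, and the example assumes a Linux-style loopback where every address in that block is bindable without extra configuration. The target server logs the peer address the kernel reports, exactly as an investigator would read it out of connection logs.

```python
import socket
import threading

# Constructed loopback addresses standing in for three hosts. This relies on
# Linux routing the whole 127.0.0.0/8 block to loopback; on other systems the
# aliases may need to be configured first.
ATTACKER_IP = "127.0.0.3"   # hypothetical real origin
RELAY_IP = "127.0.0.2"      # hypothetical compromised "zombie" host used as a hop
SERVER_IP = "127.0.0.1"     # hypothetical target server keeping connection logs


def _tcp_listener(ip):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((ip, 0))          # port 0: let the OS pick a free port
    s.listen(1)
    return s


def serve_once(listener, seen):
    """Target: answer one request and log the peer IP the kernel reports."""
    conn, peer = listener.accept()
    with conn:
        seen["server_saw"] = peer[0]
        conn.sendall(b"ACK " + conn.recv(1024))


def relay_once(listener, target, seen):
    """Zombie: forward one request upstream, sourcing it from its own address."""
    conn, peer = listener.accept()
    upstream = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    upstream.bind((RELAY_IP, 0))   # outbound traffic carries the relay's IP
    upstream.connect(target)
    with conn, upstream:
        seen["relay_saw"] = peer[0]
        upstream.sendall(conn.recv(1024))
        conn.sendall(upstream.recv(1024))


def run_demo():
    """Attacker -> relay -> server; return what each hop logged and the reply."""
    seen = {}
    srv = _tcp_listener(SERVER_IP)
    rly = _tcp_listener(RELAY_IP)
    t_srv = threading.Thread(target=serve_once, args=(srv, seen))
    t_rly = threading.Thread(target=relay_once, args=(rly, srv.getsockname(), seen))
    t_srv.start()
    t_rly.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.bind((ATTACKER_IP, 0))
    client.connect(rly.getsockname())
    with client:
        client.sendall(b"hello")
        seen["reply"] = client.recv(1024)

    t_srv.join()
    t_rly.join()
    srv.close()
    rly.close()
    return seen


if __name__ == "__main__":
    result = run_demo()
    print("target server logged peer:", result["server_saw"])   # the relay, not the attacker
    print("relay logged peer:        ", result["relay_saw"])    # the real origin
```

The target’s log contains only the relay’s address; the attacker’s address is visible only on the relay itself. Matching a logged server IP across two incidents therefore proves at most that the same intermediate host was used, which is the gap the commentators quoted below are pointing at.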

IT Expert’s Questionable Behavior

The IBM employee’s behavior also came under fire. IT experts commented that it is odd for a security expert to have kept using the infected laptop for over seven months without noticing that it had been turned into a zombie, when even ordinary users clean up their personal computers regularly. This is especially true in Korea, where major sites have suffered several DDoS attacks in recent years and public awareness of zombie PCs has increased.

Media’s Talking Points

South Korea’s progressive news outlet Pressian collected [ko] several major media outlets’ responses and analyzed from which angles they had framed their stories.

One of the largest conservative newspapers, the Chosun, sided with the authorities’ theory under a sensational subtitle, ‘North Korea hacker squad almost matching CIA team’. The DongA, another major conservative outlet, however, pointed out the main point of controversy. DongA commented that since an IP address cannot serve as conclusive evidence, and since it is still not 100 percent certain that last March’s DDoS attack was actually carried out by North Korea, jumping to that conclusion would be like making “an assumption based on an assumption”.

The Hankook wrote “what kind of hacker uses his own IP address?” and added that in the North the number of IP addresses is so limited that they borrow Internet networks from China. The Kyunghyang wrote, “if it is really the North who did this, would they have used the exact same IP address which they used in last March’s DDoS attack?”. ZDNet Korea, an online media outlet specializing in IT, after raising similar points, analyzed that the attack patterns seen in last March’s DDoS attack differ from those of the Nonghyup attack, which worked in a more interactive way.