Update: Destructive Hacks Hit South Korean Media, Banks

Editor’s Note: Updated to include information from AlienVault on the attacks. – PFR 3/20/2013

Destructive cyber attacks against media outlets and banks in South Korea have ratcheted up tensions on the Korean Peninsula, with charges that the government of reclusive North Korea was behind the hacks.

According to a report in South Korea’s Yonhap News Agency, the attacks began at 2:00PM local time in South Korea and affected the computer networks of three broadcasters and two banks. Broadcasters KBS, MBC and YTN all reported that their computer networks were “halted” at that time. Shinhan Bank and Nonghyup made similar reports to the National Police Agency (NPA), according to Yonhap.

Unlike past distributed denial of service (DDoS) attacks that are believed to have been launched by the DPRK against the South, the latest incursions come at a time of extreme military tension on the peninsula, and caused damages to South Korean networks and IT systems. Video from South Korean television and photos posted on the social network Twitter showed computer terminals at South Korean broadcasters that were unable to boot, having had their hard drives erased. The attacks affected worker systems at the broadcasters, as well as computers used for video editing, making it difficult for the broadcasters to operate.

In a post on Wednesday, the security firm Alienvault said that analysis of malware that is believed to have been used in the attack suggests that the malware overwrote the Master Boot Record (MBR) of infected systems, replacing the MBR data with the word “HASTATI,” which was a word used to describe  sword- and spear-bearing light infantrymen in the ancient Roman army.

The attack followed an Internet outage in the staunchly Communist Democratic People’s Republic of Korea (DPRK) last week that cut Internet access to parts of the capitol city, Pyongyang. The North Korean government blamed the U.S. for that attack, though subsequent analysis by the firm Renesys suggests that it may have been caused by a problem within the DPRK.

The office of South Korean President Cheong Wa Dae told local media that it is looking into the possibility of North Korea’s involvement in the simultaneous network crash of the local broadcasters and banks, an official at the office said.

Cyber offensive capabilities are beginning to play a more prominent role in politics, said Jarno Limnéll, the Director of Cyber Security at the firm Stonesoft. Nations like North Korea may be demonstrating their cyber offensive capabilities in the hope that it deters attacks by others, he said.

“The defense policy of many countries is based on the assumption that if you’re able to expose strong enough military capabilities, the likelihood of being attacked decreases. Testing the cyber capabilities of other nations, and the use of offensive techniques are as such an increasingly recognised part of strategic influence and combat.”

The choice of targets – financial institutions and the media – are also consistent with a trend towards hacking and cyber attacks aimed at critical infrastructure, said Limnéll. But, he said, nations should tread carefully, because the downstream effects of cyber attacks are unpredictable. “In today’s digitally interconnected world there is huge potential for unpredictable side effects and collateral damage from aggressive actions. As such, fighting fire with fire is a dangerous tactic.”