South Korea learns more about cyber attacks, but instigators remain elusive

By Kelly Olsen, AP
Saturday, July 11, 2009

SKorea says attackers used IP address in 5 nations

SEOUL, South Korea — South Korea is learning more about the mysterious cyber attacks that targeted the country and its ally the United States, but the ultimate question of who the instigators are remained elusive.

The state-run Korea Communications Commission said Friday that it had identified and blocked five Internet Protocol, or IP, addresses in five countries used to distribute computer viruses that caused the wave of Web site outages in the two countries that began in the U.S. on July 4.

The IP addresses — the Web equivalent of a street address or phone number — may point to the computers that distributed the virus that triggered so-called denial of service attacks. In such assaults, floods of computers try to connect to a single site at the same time, overwhelming the server and making it inaccessible or unstable.

The addresses were in Austria, Georgia, Germany, South Korea and the U.S., a commission official said. He spoke on condition of anonymity because he is not authorized to speak to the media on the record.

Speculation over who was responsible for the attacks that targeted high-profile Web sites, including those of the White House and South Korea’s presidential Blue House, has centered on North Korea.

The country, Seoul’s rival for six decades for control of the heavily armed and divided Korean peninsula, has drawn repeated international rebuke in recent months for threats and actions widely seen as provocative by the international community.

Those include a nuclear test in May and short-range ballistic missile launches on July 4.

Though circumstantial evidence pointing to involvement by the North or those sympathetic to it has been trickling out since word of the attacks emerged earlier this week, the identity of the IP addresses provides little in the way of clarity.

It’s likely that the hackers, whoever they are, used the addresses to disguise themselves — for instance, by accessing the computers from a remote location. IP addresses can also be faked or masked, hiding their true location.

At any rate, South Korea’s move to block them helps prevent the computers from being used again to distribute viruses or to carry out denial of service attacks.

The commission official also said that South Korea blocked another 86 IP addresses in 16 countries that were used to spread different viruses that damaged hard disks or files in computers they contaminated. The commission said that 356 such cases were reported in South Korea by late Friday.

Most of the finger-pointing at North Korea has come from South Korea’s main spy agency, the National Intelligence Service — though not directly. Allegations have been relayed to the public by members of parliament’s intelligence committee who have been briefed on the attacks.

The lawmakers have said North Korea was suspected because of a threat it made in state media last month, in which it boasted of being “fully ready for any form of high-tech war.”

The conservative nature of some of the attacked sites — such as the ruling party and the office of President Lee Myung-bak — was cited as pointing to Pyongyang given their links with the government’s hard-line policies toward the North.

On Friday, the spy agency briefed lawmakers on circumstantial and technical reasons for believing North Korea could be behind the assaults, ruling party lawmaker Chung Chin-sup said without elaborating.

But the agency also cautioned it was too early to conclude the North was responsible because probes were still under way, according to Park Young-sun, another member of the intelligence committee.

Yonhap news agency, citing an unnamed participant in the briefing, said the spy agency told lawmakers that it suspects a technology research unit under the general staff of the North’s military is behind the assaults. The NIS declined to confirm the report.

South Korean media reported in May that North Korea was running a cyber warfare unit that tries to hack into American and South Korean military networks to gather confidential information and disrupt service. The Chosun Ilbo newspaper reported Friday that the North has between 500 and 1,000 hacking specialists.

North Korea has not responded to the allegations of its involvement in the Web site outages.

This particular attack could be on the wane. The rogue program that turned regular PCs into participants in the attack also carried instructions for key files to be deleted or changed starting Friday, said security researchers from Symantec Corp., the leading antivirus software maker. The computers would not work afterward.

Zulfikar Ramzan, a Symantec researcher, said he thinks most of the infected computers received the self-destruct code, but because each system is different, not all of them will stop working. It’s also possible that the perpetrators have control of more infected computers than the estimated 100,000 that took part in this week’s attack, he said.

Associated Press writers Jae-soon Chang, Kwang-tae Kim, Wanjin Park and AP photographer Jin-man Lee contributed to this report along with Technology Writer Jessica Mintz in Seattle.
