South Korea has concluded its investigation into a devastating March 20, 2013 cyber attack that terrorized the nation and resulted in significant damage.
The malicious attack raises new questions about what constitutes an act of war in the digital age. The strike, known as “Dark Seoul,” paralyzed an estimated 48,000 computers at a number of major banks and broadcasters, disrupting network systems and wiping their hard disks clean.
Live footage of the attack showed computer screens at the media companies completely down, while bank customers were unable to make withdrawals or transfer money online, wreaking havoc on the economy.
“It would try to delete essentially all your files… then restart the system. You would come back up and nothing would be there,” said Joshua James, a cyberwar expert.
“If it infected more financial systems, it could have deleted all financial data in Korea. I mean, it is dangerous,” the professor added.
The attacks were similar to those used against Sony Pictures, and North Korea is the likely culprit there, the motive being the film studio’s release of The Interview, a fictional account of a plot to assassinate North Korea’s dictator.
The investigation into a new attack on South Korea, which happened on Dec 23rd of last year, brought fresh evidence clearly showing the North’s involvement. Computers at South Korea’s nuclear operator were breached and again cyberwar was suspected.
The source of these attacks? North Korea. And South Korean investigators say they have proof — the actual malicious codes used in the attacks. They shared this data early Thursday morning.
Proof of who did it
“From a law enforcement or investigation side, we’re trying to actually trace back to who did it,” said James.
South Korea announced in mid-March that the IP addresses used in the December incursion could be traced back to Shenyang, China, which is easily accessed from the North Korean border.
More convincingly, the actual code used in the attack, which was recovered by South Korean intelligence officials, was said to be very similar in pattern to that used by the North Koreans, according to South Korean authorities.
“The malicious codes used in the attack were the same in composition and working methods as ‘Kimsuky’ codes known to be used by North Korea,” the prosecutor’s office that leads 17 other government agencies and Internet companies in the investigation said in a statement.
Pyongyang has dismissed the claims it launched these attacks, calling them a “plot and fabrication that can never win over the truth.”
North Korea is operating a “cyberarmy” of 6,000 workers as it focuses on strengthening its asymmetrical warfare capability, particularly in cyberspace where it avoids going to war yet can still inflict damage on its enemies.
The case brings up an important question: at what point is hacking war? Should facilitators, in this case clearly China, also be held accountable?
While it is likely the South Koreans are working on a counter-attack, the findings highlight the urgency of developing a set of international rules and norms for waging and identifying cyberwar.