South Korean organizations under cyber attack

A suspected cyber attack has paralyzed computer networks at three broadcasting organisations and two banks in South Korea. The organizations’ networks had been “partially or entirely crippled”, with some banking services including ATM machines also affected.

The cause of the problems remains unknown, and South Korean authorities are “now trying to determine the cause of the network paralysis”. While no government-related computer networks had been affected, officials stated it was not yet known whether North Korea was involved, but “We do not rule out the possibility of North Korea being involved,” said South Korean Defence Ministry spokesman Kim Min-seok.

Christopher Boyd, senior threat researcher at ThreatTrack Security

There have been numerous serious attacks on South Korean networks and systems over the last few years, from recent newspaper site defacements and the most recent network attacks to the so-called “Ten Days of Rain” DDoS attacks on multiple Government sites and the USFK in 2011.

While it’s tempting to attribute these attacks to the North given the current state of play in the region, many attacks are not so easy to pin down – the Ten Days of Rain used compromised machines inside South Korea to launch the DDoS attacks, and in 2009 the JoongAng Daily claimed that a South Korean man allegedly purchased infected games in North Korea, only to take them back and infect gamers – using them to DDoS the website of the Incheon International Airport.

Recent reports that North Korea itself claims to have been knocked offline by hackers does nothing to clarify the issue, and in this “tit-for-tat” environment we should be wary of attributing any blame until the full facts emerge.

Barry Shteiman, senior security strategist, Imperva

South Korea is known to be one of the biggest adopters of the Internet, where almost everyone is connected. That means also businesses, government and as we know from the latest incidents – Banks.

It is important to note that no specific origin of attack has been identified and therefore any assumptions on who initiated these attacks will be inaccurate by the very least. Nevertheless I believe it is safe to assume from reading into the available information, that the attacks were either DDoS attacks on their online infrastructure, or compromised insider attacks, where hackers regardless of origin, have compromised a user/device within the affected organizations, and were able to plant a malicious payload (Malware) within the walls of the organization. Once that is done, the Malware can propagate its way towards trusted peer systems and servers, allowing it to either crash them, or steal information and send it out via different methods.

We should recognize and assume that South Korea is just as advanced as any other country in the world, using the same controls to protect its sensitive data and users, and still they were brought to their knees by a cyber attack. And this is not the first incident world wide that we have seen this happen. I believe that what companies are missing with their protection strategies is the fact that the threats have moved. Companies have spent so much resource in protecting their networks, deploying antiviruses, and the latest firewalls, that hackers have moved onwards, evolved to where they feel the least resistance.

So while companies have the false sense of security by having invested in lots of classic security controls, hackers are attacking elsewhere. At the application tier, and at the polymorphic malware tier – rendering many of the existing solutions irrelevant for those attacks.

Ross Brewer, VP and MD for international markets, LogRhythm

South Korea is one of the world’s most technically aware societies and is often described as “The World’s Most Wired’ country. As such, it is especially critical for its organizations to have a deep understanding of their own IT systems in order to ensure that its networks are not only adequately protected, but should they be attacked – which seems inevitable in today’s era of cyber attacks – that any potential damage is effectively minimized in real time and evidence of the attack is correctly monitored.

The cause of yesterday’s network problems are still unclear and managed to infiltrate systems to the point of “crippling” them – indicating that these organizations didn’t have the visibility required to effectively monitor IT systems and identify and remediate any anomalous IT network behavior in real time.

Organizations need to be continually monitoring all of the log data generated by all of their IT assets in real time – which is where evidence of all IT network activity lies – to detect and respond to suspicious or unauthorized behavior the instant it takes place. Not only does this log data help firms identify hacks before any lasting damage can be done, it also provides vital forensic evidence about how and why these attacks happened in the first place.

The other serious issue is that there remains an enormous amount of uncertainty surrounding the origins of the attack. Without confirmation of the source of cyber attacks, inaccurate finger-pointing can and often occurs – and given the current diplomatic tensions between South and North Korea, this can lead to unwanted military involvement.

As such, further forensic analysis of the breach is required – but this cannot be achieved with traditional point security solutions, such as anti-virus or firewall tools. A holistic IT security strategy focusing on the continuous monitoring of IT networks provides the network visibility and intelligent insight needed for such deep forensic analysis. Only with this deep level of network visibility can organizations ensure cyber attacks are effectively mitigated and accurately attributed to the correct perpetrators.