Chinese cyber attack on South Korea

[Gyp 111]

Chinese cyber attack on SKorea - bdnews24.com

A hacking attack on the servers of South Korean broadcasters and banks originated from an IP address based in China, officials in Seoul said on Thursday, raising suspicions the intrusion came from North Korea.

An unnamed official from South Korea's presidential office was quoted by the Yonhap news agency as saying the discovery of the IP address indicated Pyongyang was responsible for the attack on Wednesday.

A previous attack on a South Korean newspaper that the government in Seoul traced back to North Korea also used a Chinese IP address.

"We've identified that a Chinese IP is connected to the organizations affected," a spokesman for South Korea's Communications Commission told a press conference.

The attack brought down the network servers of television broadcasters YTN, MBC and KBS as well as two major commercial banks, Shinhan Bank and NongHyup Bank. South Korea raised its alert levels in response.

Investigations of past hacking incidents on South Korean organizations have been traced to Pyongyang's large army of computer engineers trained to infiltrate the South's computer networks.

"There can be many inferences based on the fact that the IP address is based in China," the communications commission's head of network policy, Park Jae-moon said. "We've left open all possibilities and are trying to identify the hackers."

It took the banks hours to restore operations. Damage to the servers of the TV networks was believed to be more severe, although broadcasts were not affected.

About 32,000 computers at the six organizations were affected, according to the South's state-run Korea Internet Security Agency, adding it would take up to five days to fully restore their functions.

North Korea has in the past targeted South Korea's conservative newspapers, banks and government institutions.

The biggest hacking effort attributed to Pyongyang was a 10-day denial of service attack in 2011 that antivirus firm McAfee, part of Intel Corp, dubbed "Ten Days of Rain". It said that attack was a bid to probe the South's computer defenses in the event of a real conflict.

North Korea last week said it had been a victim of cyber attacks, blaming the United States and threatened retaliation.

 

[GR!FF!N]

I wonder,why in every major hacking recently Chinese Ip was used??generally hackers use spoofed ip address.its like someone is leaving their card..

 

[xuxu1457]

About 14million Chinese IP are controled by foreign institutions, in which 72% of them are controled by US IP

http://www.cert.org.cn/publish/english/index.html

 

[conworldus]

It is obvious. China has no incentive to attack the South Korean banking system. We are facing serious cyber security issues, as foreign hackers use our IP address for illegal purposes.

China really should shut out foreign equipment vendors like Cisco. Just use Huawei.

 

[xuxu1457]

South Korea says hacking not from Chinese address - CNN.com
South Korea says hacking not from Chinese address
By K.J. Kwon, CNN
March 22, 2013 -- Updated 0846 GMT (1646 HKT)
Seoul, South Korea (CNN) -- The suspected cyberattack that struck South Korean banks and media companies this week didn't originate from a Chinese IP address, South Korean officials said Friday, contradicting their previous claim.
The Korea Communications Commission, a South Korean regulator, said that after "detailed analysis," the IP address that was thought to be from China was determined to be an internal IP address from one of the banks that was infected by the malicious code.
It said though that "the government has confirmed that the attack was from a foreign land."
An IP address is the number that identifies a network or device on the Internet.

CHina becomes scapegoat again, that's all, its normal put China become a scapegoat

 

[Okemos]

South Korea says hacking not from Chinese address - CNN.com
South Korea says hacking not from Chinese address
By K.J. Kwon, CNN
March 22, 2013 -- Updated 0846 GMT (1646 HKT)
Seoul, South Korea (CNN) -- The suspected cyberattack that struck South Korean banks and media companies this week didn't originate from a Chinese IP address, South Korean officials said Friday, contradicting their previous claim.
The Korea Communications Commission, a South Korean regulator, said that after "detailed analysis," the IP address that was thought to be from China was determined to be an internal IP address from one of the banks that was infected by the malicious code.
It said though that "the government has confirmed that the attack was from a foreign land."
An IP address is the number that identifies a network or device on the Internet.

CHina becomes scapegoat again, that's all, its normal put China become a scapegoat

mm I think China is responsible for humanity's suffering and mother Earth's blight! If you cannot find source of problem, it must be China since it's communist! Rise up, Chinese people, you have huge responsibility!

To be serious, constant baseless accusation and fear mongering will only make Chinese more united and more determined to improve our own country.

 

[armchairPrivate]

This has been debunked, folks.

South Korea misidentifies China as cyberattack origin

Go back to playing in your sandbox.

 

[siegecrossbow]

At least they are frank enough to admit that they've made a mistake. On the plus side, we can start blaming those evil Chinese hacking tools instead of a possibly disgruntled South Korean insider who is responsible for this mess:

New clue in South Korea cyberattack reveals link to Chinese criminals

The source of the cyberattack that damaged 32,000 computers at several banks and television stations in South Korea Wednesday remains unclear, but the digital traces left behind have led one cybersleuth to suggest that it has clear links to Chinese cybercrime organizations.
Though South Korean investigators initially said they had traced the attack to an Internet address in China, they have since stepped back from that statement. Yet cybersecurity experts looking at file names, Internet domain names, and other digital detritus left behind by the attackers – which has been published on Korean technical blogs – are coming to their own conclusions.
The information posted online has led Jaime Blasco, a cybersecurity researcher in San Mateo, Calif., to suggest that the attackers gained access to the computers though a so-called “exploit kit” apparently designed by cybercriminals in China and often used to target South Korea.
RECOMMENDED: How much do you know about cybersecurity? Take our quiz.
The finding doesn’t implicate the Chinese government – or exonerate it. Nor does it provide any clarity on whether North Korea was involved – though some experts say the exploit kit is just the sort of cybercrime tool that North Korea might be inclined to purchase on the black market.
What Mr. Blasco’s investigation clarifies is how the damage was done – providing clues that could help crack the mystery of who was responsible.
“What we see are traces that the attackers used for their intrusion into the banks and other companies a criminal exploit kit written in China,” says Blasco, a researcher with AlienVault. “It would be easy for whoever did this attack to rent or purchase this exploit tool and then use it to get into the banks to leave behind the wiper malware.”
Want your top political issues explained? Get customized DC Decoder updates.
Researchers with Sophos, a cybersecurity company in Britain, on Wednesday identified the malware that did the damage: a destructive “wiper” program dubbed “DarkSeoul” that overwrites critical parts of the computer. Its origin has not been identified although the attack on its face bore a striking similarity to the wiper program used in an August 2012 attack on the oil firm Saudi Aramco.
What was not known was how did the attackers first infiltrated the banks’ networks, created digital backdoors, and then moved around those networks to deliver DarkSeoul.
So Blasco took the file names identified on the Korean technical blogs and then began painstakingly comparing them to a large database of known malware. What he discovered were numerous detailed matches with a single piece of Chinese malware called the Gondad exploit kit. The kit infects personal computers with a trojan program that opens a digital backdoor and hands over control of the infected computer to an attacker.
From that point, the computer becomes a “bot” or “zombie” that can be accessed and controlled by anyone who rented or purchased Gondad. The Gondad botnet has enslaved 400,000 computers in 89 countries, making it the 65th largest botnet in the world, according to AVG Technologies, an antivirus company based in Brno, Czech Republic. What’s notable is that 73 percent of all of Gondad victims worldwide reside in South Korea.
If whoever was behind Wednesday’s attacks had access to some of the Gondad exploit kit, they could have gained access to hundreds – or thousands – of compromised South Korean systems and then simply chosen which one they wanted to damage. That would have made it easy to deposit the dangerous DarkSeoul wiper payload, Blasco says.
That does not mean, however, that Chinese cyber criminals were behind the attack, even if it may have been facilitated by them, these experts say.
“Gondad comes from China without question,” Blasco says. “The programmers are from China, everything in that program is in Chinese. I think its very likely that the guys behind this used this exploit kit – maybe a hacktivist group that wants to harm the South Korean government or a nation-state group like North Korea.”
Many US experts would not be surprised if North Korea did just that.
“North Korea is really good at black market activities, good at smuggling,” says James Lewis, a cybersecurity expert who has examined North Korea’s cyber activities. “If they wanted to get into a black market for cyber stuff, they would be good at that.”
At this point, there are too many mixed signals to point the finger definitively at North Korea, he says. For example, a digital image of skulls was reported on some machines in the wake of the attack, which suggests hackivists might have been involved. Dr. Lewis remains to be persuaded that North was involved, though he admits it is possible.
“Given all that the North Korean government has said, and its threats, you can’t rule it out that they may have been involved,” he says.
Another recent finding provides interesting context to the claim that Chinese cyber criminal software was involved. On Tuesday, one day before the attacks, a cyberexpert in the Czech Republic posted a blog titled: “Analysis of Chinese attack against Korean banks.”
The author of the blog, Jaromir Horejsi of AVAST, said the hack was detected about two weeks earlier and was quite different from Wednesday’s attack. The purpose was apparently to gather banking login and password information from infected computers – not to wipe out computers. Moreover, the Chinese-written malware appeared to be custom written for that attack, not part of the Gondad exploit kit.
But there are intriguing similarities, including how the payloads were deposited onto victim networks from a server in Japan.
Yet whether North Korea or a hacktivist group – or someone else – is behind Wednesday’s attack, Gondad was likely just one of several software infiltration tools used to get in, plant the malware, and then trigger it at 2 p.m. local time.
“At this point I’m calling it a theory on how someone, maybe North Korea, might have used Gondad botnet and other exploit kits to get into these companies networks,” Blasco says. “But the only theory really is how you combine all the companies with the infrastructure of the different exploit kits. It’s really no theory at all that Gondad is involved. There’s plenty of evidence for that.”

 

[siegecrossbow]

As for the previous accusations on how North Korea is the one responsible... I currently work as a start up engineer at a major IT company (the one that built Watson) and one of my Colleagues work in the field of network security for servers. Although I am no where near talented enough to write viruses and hack websites myself I do happen to debug code at the assembly level. It is a major headache deducing what is wrong with your code when you have access to a database-full of hardware/software specs on the subject matter, Intel debugging tool which displays the C program right next to their corresponding assembly code, and a dozen senior engineers who have 15+ years of experience in their fields for reference. I guess my point is that hacking, which involves exploitation of code at the base level, takes a great deal of highly talented programmers who really know what they are doing. I simply refuse to believe that an attack of this sophistication could originate from a country whose number of 90s era computers could be counted with one hand. North Korea simply does not have the culture to nurture the people capable of this, with or without Chinese assistance.

 

[cirr]

95% of cyber attacks originate in the US。

If you don't believe the above statement，you either have been thoroughly brainwashed by the US‘s propaganda machine or are a complete id1ot。