The other Korea’s specter loomed large among speculators and finger-pointers Wednesday morning when reports surfaced that the networks of several prominent South Korean banks and broadcasters dropped offline.
With talk of abandoning a 60-year-old Korean War ceasefire surfacing and tempers flaring between the two Koreas, it is entirely unsurprising that accusing looks were cast toward the Democratic People’s Republic of Korea when news arrived of a potential cyberattack targeting South Korea.
Of course, there is no way to say for certain at this point if North Korea is responsible for the computer outages at the popular KBS, MBC, and YTN television stations and Shinhan, NongHyup, and Jeju banks. North Korea, however, invited such suspicions with its typically aggressive and bizarre reactions to the American-led push for U.N. sanctions against the country stemming from recent nuclear tests performed there.
What we can say for certain, according to researchers from the security firm AlienVault, is that the outages were indeed part of a cyberattack. According to an AlienVault Labs report, compromised machines at the organizations in question were found infected with malware capable of overwriting the master boot records (MBR) of affected devices. Once compromised, machines shut down and would not reboot.
Further analysis revealed that the malware overwrote the MBR data with the word “Hastati,” a reference to the Latin word for a particular type of Roman infantryman. The code also contained the words “Princpes” and “Ncpes,” which appear to be misspelled references to the Latin word “Princeps,” a term used to describe the Roman Emperor as the “first citizen.”
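A responder triaging acquired disk images can check sector 0 for the overwrite described above. The following Python sketch is an added example, not code from the AlienVault report; the function names are hypothetical, the marker casing on disk is an assumption, and both sample sectors are constructed.

```python
from dataclasses import dataclass
SECTOR_SIZE = 512
# Strings reported in the article; casing is an assumption, so match case-insensitively.
MARKERS = (b"hastati", b"princpes")

@dataclass
class MbrTriage:
    boot_signature_ok: bool  # bytes 510-511 are 55 AA
    partitions_present: int  # table entries with a non-zero type byte
    marker_hits: dict        # marker -> number of occurrences
    verdict: str             # "wiped-marker", "damaged" or "plausible"

def triage_mbr(sector: bytes) -> MbrTriage:
    """Classify the first sector of a disk or disk image."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need one full 512-byte sector")
    sector = sector[:SECTOR_SIZE]
    sig_ok = sector[510:512] == b"\x55\xaa"
    # Four 16-byte partition entries start at offset 446; byte 4 is the type.
    parts = sum(1 for i in range(4) if sector[446 + 16 * i + 4] != 0)
    lowered = sector.lower()
    hits = {m.decode(): lowered.count(m) for m in MARKERS}
    if any(hits.values()):
        verdict = "wiped-marker"
    elif not sig_ok or parts == 0:
        verdict = "damaged"
    else:
        verdict = "plausible"
    return MbrTriage(sig_ok, parts, hits, verdict)

def triage_image(path: str) -> MbrTriage:
    """Read sector 0 from an acquired image (opened read-only) and triage it."""
    with open(path, "rb") as fh:
        return triage_mbr(fh.read(SECTOR_SIZE))

def sample_healthy() -> bytes:
    """Constructed sector: one partition of type 0x07 and a valid signature."""
    s = bytearray(SECTOR_SIZE)
    s[446 + 4] = 0x07
    s[510:512] = b"\x55\xaa"
    return bytes(s)

def sample_wiped() -> bytes:
    """Constructed sector filled with the reported marker string."""
    return (b"HASTATI." * 64)[:SECTOR_SIZE]

if __name__ == "__main__":
    for name, sec in (("healthy", sample_healthy()), ("wiped", sample_wiped())):
        print(name, triage_mbr(sec))
```

A "damaged" verdict only means the sector lacks a valid boot signature or partition entries; it does not attribute the damage to this malware.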
The malware also searched for security tools like AhnLab Policy Agent and Hauri ViRobot on its hosts, disabling them with taskkill when possible.
The New York Times reported that KBS, MBC, and YTN maintained their normal broadcast schedules despite suffering from what they described as frozen computers. The Guardian in the UK reported the networks were unsure when their systems would come back online.
Shinhan Bank told the Times that it could not reach its Internet banking servers for a time, but that it had since restored operations. NongHyup and Jeju admitted that they had problems at a number of branches after the virus deleted files on infected machines, but they too managed to return to normalcy later in the day. The Times reported that Woori Bank also claimed to have been targeted in an attack that ended up doing no damage.
South Korean officials neither confirmed to the Times nor ruled out the possibility that the attack emanated from the north.