South Korea misidentifies China as cyberattack origin
Attack that hit 32,000 computers at 6 companies
South Korean investigators said Friday they had mistakenly identified aChinese internet address as the source of a cyberattack that paralyzed tens of thousands of computers at banks and broadcasters earlier this week. But they said they still believe the attack originated from abroad.
The error by South Korean regulators raises questions about their ability to track down the source of an attack that hit 32,000 computers at six companies Wednesday and exposed South Korea's internet security and vulnerability to hackers.
South Korean investigators said Thursday that a malicious code that spread through the server of one target, Nonghyup Bank, was traced to an Internet Protocol address in China. Even then it was clear that the attack could have originated somewhere else, because such data can easily be manipulated by hackers. Experts suspect North Korea was behind the attack.
The state-run Korea Communications Commission said Friday that the IP address actually belonged to a computer at the bank. The IP address was used only for the company's internal network and was identical to a public Chinese address.
"We were careless in our efforts to double-check and triple-check," KCC official Lee Seung-won told reporters. "We will now make announcements only if our evidence is certain."
Commission officials said an analysis of malware and servers indicates the attack was likely orchestrated from abroad. They didn't elaborate.
Yonhap news agency, in an analysis Friday, called the blunder "ridiculous" and said the announcement is certain to undermine the government's credibility.
North Korea suspected
Experts in Seoul suspect North Korea in the attack on broadcasters YTN, MBC and KBS, as well as Nonghyup and two other banks. Seoul alleges six cyberattacks by North Korea on South Korean targets since 2009. But the investigation will take weeks, and officials say they have no proof yet of Pyongyang's involvement.
South Korean officials say that Wednesday's attacks appeared to come from "a single organization" but they have yet to assign blame. North Korea hasn't yet mentioned the shutdown.
South Korea has set up a team of computer security experts from the government, military and private sector since to identify the hackers and is preparing to deal with more possible attacks, presidential spokesman Yoon Chang-jung told reporters earlier Friday. He didn't elaborate on the possibility of more attacks.
Determining who's behind a digital attack is often difficult. But North Korea is a leading suspect for several reasons.
It has unleashed a torrent of threats against Seoul and Washington since punishing UN sanctions were imposed for Pyongyang's Feb. 12 nuclear test. It calls ongoing routine U.S.-South Korean military drills a threat to its existence. Pyongyang also threatened revenge after blaming Seoul and Washington for a separate internet shutdown that disrupted its own network last week.
The cyberattack did not affect South Korea's government, military or infrastructure, and there were no initial reports that customers' bank records were compromised. But it disabled cash machines and disrupted commerce in this tech-savvy, Internet-dependent country.
All three of the banks that were hit were back online and operating regularly Friday. It could be next week before the broadcasters' systems have fully recovered, though they said their programming was never affected.