SEOUL, South Korea — Computer networks running three major South Korean banks and the country’s two largest broadcasters were paralyzed Wednesday in attacks that some experts suspected originated in North Korea, which has consistently threatened to cripple its far richer neighbor.
The attacks, which left many South Koreans unable to withdraw money from ATMs and news broadcasting crews staring at blank computer screens, came as the North’s official Korean Central News Agency quoted the country’s leader, Kim Jong Un, as threatening to destroy government installations in the South, along with U.S. bases in the Pacific.
Although U.S. officials dismissed those threats, they also noted that the broadcasters hit by the virus had been cited by the North before as potential targets.
The Korea Communications Commission said Thursday that the disruption originated at an Internet provider address in China but that it was still not known who was responsible.
Many analysts in Seoul suspect that North Korean hackers honed their skills in China and were operating there. At a hacking conference in Seoul last year, Michael Sutton, the head of threat research at Zscaler, a security company, said a handful of hackers from China “were clearly very skilled, knowledgeable and were in touch with their counterparts and familiar with the scene in North Korea.”
But there has never been any evidence to back up some analysts’ speculation that they were collaborating with their Chinese counterparts.
“I’ve never seen any real evidence that points to any exchanges between China and North Korea, ” said Adam Segal, a senior fellow who specializes in China and cyberconflict at the Council on Foreign Relations,
Wednesday’s attacks, which occurred as U.S. and South Korean military forces were conducting major exercises, were not as sophisticated as some from China that have struck U.S. computers and certainly less sophisticated than the U.S. and Israeli cyberattack on Iran’s nuclear facilities. But it was far more complex than a “denial of service” attack that simply overwhelms a computer system with a flood of data.
The malware, called “DarkSeoul” in the computer world, was first identified about a year ago. It is intended to evade some of South Korea’s most popular anti-virus products and to render computers unusable. In Wednesday’s strikes, the attackers made no effort to disguise the malware, leading some to question whether it came from a state sponsor — such sponsors tend to be more stealthy — or whether officials or hackers in North Korea were sending a specific, clear message: that they can reach into Seoul’s economic heart without blowing up South Korean warships or shelling South Korean islands.
North Korea was accused of using both those techniques in attacks over the past three years.