Hackers who hit South Korea used an old tactic

Share via
Los Angeles Times

Beijing -- The cyber warriors who paralyzed more than 30,000 computers in South Korea used a simple technique decades old, but showed a flair for the classical by including Roman military references in their programing.

Investigators said the simultaneous attacks at 2 p.m. Wednesday were traced to an IP address in Beijing, but that North Korea remained the leading suspect.

“(The government) is closely analyzing the incident with all possibilities open, while bearing a strong suspicion that North Korea conducted the attack,” a senior South Korean official was quoted Thursday telling Yonhap, the official news service.


Pyongyang made no comment on the cyberattack in South Korea, but kept up its barrage of menacing rhetoric on Thursday, threatening attacks against U.S. military installations in Guam and Japan.

“The U.S. should not forget that the Andersen base on Guam where B-52s take off and naval bases on the Japan mainland and Okinawa where nuclear-powered submarines are launched, are all within the range of our precision target assets,’’ read a statement attributed to a North Korean army spokesman.

The malware was a relatively simple virus similar to one used last summer, purportedly by the Iranians, to attack Saudi oil giant Aramco. Despite the relative lack of sophistication, the programmers displayed some classical flair.

The word used to overwrite the master boot drive in the disabled computers was the Latin “hastati,” referring to a Roman light infantry, according to a South Korean security company. Another word that appeared in the programming was “principes,” a heavy artillery.

“It is not very sophisticated at all. Thing was one of the first viruses we saw in the 1980s, but nowadays people want to make money or steal secrets,” said Richard Bejtlich, chief of security at Mandiant, an Alexandria, Va.-based computer security firm. “People use this kind of virus only because they are immature or out of spite to cause damage to the victim.”

Known as a “wiper,’’ the malware starts by shutting down antivirus and security software. Then, it overwrites the master boot record on the hard disk. Then it does the same to other drives.


The computer then attempts to reboot, but is unable, leaving the user staring at a black screen.

The simultaneous attack timed for 2 p.m. disabled 32,000 computers at major South Korean broadcasters YTN, MBC and KBS, as well as three banks. ATMs around the country crashed. Many of the computers were still down Thursday and were expected to remain so for days.

Broadcasting was not impacted and the South Korean government reported no disruptions to its networks.

Given its chronic food and electricity shortages, North Korea has displayed surprising technical prowess recently. It successfully sent a small satellite into orbit in December – beating South Korea – and detonated its third nuclear device in February. North Korean defectors last year claimed that up to 3,000 graduates from the top universities had been recruited for a special hacking unit.

“The North Koreans are capable of doing it, but so are a lot of other people. If it’s not the North Koreans, people could have made it look like it was. They’re the perfect scapegoat,” said Martyn Williams, who writes a blog about North Korean technology.

For days leading up to the attack, North Korea had been threatening unspecified retaliation against the South because of joint military exercises with the U.S. military and for its support for U.N. sanctions. It also claims the U.S. and South Korea were behind an attack that shut down North Korean websites last week.