S. Korea Says Cyber Attack From North Wiped 48,700 Machines

← Back to Stories (view on slashdot.org)

S. Korea Says Cyber Attack From North Wiped 48,700 Machines

Posted by Unknown on Wednesday April 10, 2013 @02:12AM from the retaliation-will-be-swift-and-ineffective dept.

wiredmikey writes "An official investigation into a major cyber attack on South Korean banks and broadcasters last month has determined that North Korea's military intelligence agency was responsible. An investigation into access records and the malware used in the attack pointed to the North's military Reconnaissance General Bureau as the source, the Korea Internet and Security Agency (KISA) said on Wednesday. To spread the malware, the attackers went through 49 different places in 10 countries including South Korea, the investigation found. The attacks used malware that can wipe the contents of a computer's hard disk (including Linux machines) and damaged 48,700 machines including PCs, ATMs, and servers."

46 of 186 comments (clear)

Min score:

Reason:

Sort:

Civillian cyber-casualties by Toe,+The · 2013-04-10 02:14 · Score: 2, Interesting

Just makes me wonder what war is turning into. Instead of bombing cities, I can see nations targeting unprotected civilian computers in enemy nations. Massive destruction ensues, even though it's imprecise. In other words: bombing, but without all the mess.
1. Re:Civillian cyber-casualties by Anon,+Not+Coward+D · 2013-04-10 02:16 · Score: 5, Insightful
  
  But I'm sure most civilians prefer an empty computer rather than being dead...
  
  --
  Sometimes it's better not having signature
2. Re:Civillian cyber-casualties by carlhaagen · 2013-04-10 02:18 · Score: 3, Insightful
  
  "but without all the mess" - as long as you don't count the mess that come with society's backbone starting to wobble. Our infrastructure's and societal functions' dependency on the Internet is grossly underestimated. This is a fact.
3. Re:Civillian cyber-casualties by Anonymous Coward · 2013-04-10 02:24 · Score: 4, Interesting
  
  Speaking as a civilian, I'd much rather prefer to both be alive and not have my livelyhood threatened, thanks. That's the worst false dichotomy I've heard all week and you should feel bad.
4. Re:Civillian cyber-casualties by camperdave · 2013-04-10 02:30 · Score: 4, Insightful
  
  Well, like the old saying goes: If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization.
  
  --
  When our name is on the back of your car, we're behind you all the way!
5. Re:Civillian cyber-casualties by KGIII · 2013-04-10 02:39 · Score: 4, Interesting
  
  What I find amazing is that NK is technologically capable of causing that amount of damage both in terms of technology and infrastructure. I didn't believe they'd get enough bandwidth by using the soldiers to manually hand off the packets. I figured they'd be too busy eating grass and tree bark really.
  Okay, okay. So I'm only a little kidding. I'm still surprised they had the tech chops to pull that off OR that they were so poorly defended. It could go either way I suppose.
  
  --
  "So long and thanks for all the fish."
6. Re:Civillian cyber-casualties by Anonymous Coward · 2013-04-10 02:47 · Score: 2, Interesting
  
  If this is the evolution of war, then war has evolved to something that is distinctly more friendly to humanity.
  Your point is that war is bad. Sure it is. But the actual point is this type of war is less bad.
7. Re:Civillian cyber-casualties by Anonymous Coward · 2013-04-10 02:48 · Score: 2, Insightful
  
  If you're doing proper backups, your livelyhood shouldn't be threatened. But there ain't no restoring a dead person from backup.
8. Re:Civillian cyber-casualties by tqk · 2013-04-10 02:49 · Score: 3, Interesting
  
  But I'm sure most civilians prefer an empty computer rather than being dead.
  Most civillians are ignorant morons wrt computers. If that empty computer was used to locate (see story yesterday) the poorly secured, net connected SCADA box that controls the spillways of the hydroelectric dam upstream of your place, an empty computer is the least of your worries.
  
  --
  "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
9. Re:Civillian cyber-casualties by TWiTfan · 2013-04-10 02:58 · Score: 2
  
  NK is the subject of a lot of Western propaganda. As such, you usually only hear the bad stuff about them. Any tech progress they've made would never be reported in the Western press, of course. So I suspect they're a lot more technologically advanced than most of us realize. It was the same way with the USSR in the 50's. One of the reasons a lot of Americans were so shocked by Sputnik was that they had been hearing for years that the USSR was all gulags and poverty, and had no idea that they were so technologically advanced in astronautics.
  While life in NK is no-doubt pretty shitty for the average citizen, they have engineers and programmers just like everyone else (many of whom have probably studied in China and the West).
  
  --
  The cow says "Moo." The dog says "Woof." The Timothy says "Thanks, valued customer. We appreciate your input."
10. Re:Civillian cyber-casualties by KGIII · 2013-04-10 02:59 · Score: 2
  
  It is pretty clever. Someone linked to an autopsy down further in the thread. I'm kind of surprised though it does look like poor security practices were in place.
  
  --
  "So long and thanks for all the fish."
11. Re:Civillian cyber-casualties by RabidReindeer · 2013-04-10 03:02 · Score: 3, Insightful
  
  But I'm sure most civilians prefer an empty computer rather than being dead...
  Civilian computers are not the primary target. A military cyber-attack would primarily be focussed on leaving the target area without electrical power, water, transportation (including traffic lights) or communications, with its banking and financial capabilities damaged. Consider, for example, how Iran was targeted. Their nuclear centrifuges were deliberately made to spin "off-key" with the intent that the results would be useless and the centrifuges would be physically ruined.
  Obviously, if you can keep everyone busy trying to restore their personal computers and devices at the same time, it's a bonus. That way they're distracted from working on core infrastructure.
12. Re:Civillian cyber-casualties by cayenne8 · 2013-04-10 03:02 · Score: 5, Insightful
  
  How would your livelihood be threatened if your PC was wiped? I guess you don't keep regular backups, which is the most idiotic thing I have heard all week.
  It isn't so much a person's personal PC that is the danger, but of having his bank disrupted, and he can't get money. If food distribution is messed up, if drugs can't be accessed...all this stuff is interconnected.
  Let's see what happens when some extremely urban center gets hit, say like NYC...the power goes out, food can't get in/out, and see how long it takes for things to go bad really fast.
  Hell, with so many out there living cashless....what are they going to use for payment for things, if that system is down for awhile? That alone would bring a lot of misery, even if you discount the more tragic events I put forth above.
  
  --
  Light travels faster than sound. This is why some people appear bright until you hear them speak.........
13. Re:Civillian cyber-casualties by tqk · 2013-04-10 03:09 · Score: 3, Insightful
  
  I'm still surprised they had the tech chops to pull that off ...
  You can buy tech chops. Cf. Werner von Braun. There's always been plenty of people who're easily persuaded to supress any sense of morality or ethics that might get in the way of them getting the filthy lucre. Some (WvB again) aren't even after money.
  
  --
  "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
14. Re:Civillian cyber-casualties by nospam007 · 2013-04-10 03:16 · Score: 4, Funny
  
  "I can see nations targeting unprotected civilian computers in enemy nations."
  The South should immediately retaliate and wipe all the North's computers, both of them.
15. Re:Civillian cyber-casualties by NeverVotedBush · 2013-04-10 03:44 · Score: 3, Interesting
  
  Consider a live CD for the system connected to the net, and another PC (if necessary) that is isolated.
16. Re:Civillian cyber-casualties by hawkinspeter · 2013-04-10 03:49 · Score: 5, Insightful
  
  Unless you're a buddhist.
  
  --
  You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
17. Re:Civillian cyber-casualties by Anonymous Coward · 2013-04-10 03:50 · Score: 2, Funny
  
  Yeah that is convenient. Let me guess - you also wear a condom 24 hours a day "just in case".
18. Re:Civillian cyber-casualties by leonbev · 2013-04-10 03:53 · Score: 2
  
  With the number of Bitcoin fanatics currently on Slashdot, I'm sure that there would be at least one person here who would rather be dead than lose their wallet file with a $100,000 worth of cryptocurrency on it :)
19. Re:Civillian cyber-casualties by jabuzz · 2013-04-10 03:58 · Score: 5, Interesting
  
  Yeah just look at what happened at Royal Bank of Scotland last year. Some people at Ulster Bank (a subsidiary of RBS) where unable to access their account for the best part of a month.
  http://en.wikipedia.org/wiki/2012_RBS_computer_system_problems
  Now imagine that every bank is in the same situation as RBS along with VISA and Mastercard.
20. Re:Civillian cyber-casualties by jabuzz · 2013-04-10 04:20 · Score: 4, Insightful
  
  I would add that even having cash is no good if the power is out. These days even the till won't open, the scales won't weigh anything and the pump's won't pump the fuel. Heck even the water in the taps will stop flowing rather quicker than you might imagine without power.
  So while I do have emergency cash and both VISA and Mastercard credit cards I am realistic that in the event of a total failure it won't get me that far.
21. Re: Civillian cyber-casualties by Anonymous Coward · 2013-04-10 04:24 · Score: 2, Insightful
  
  Speaking as someone who designs control systems like what you talk about for a living, the chances of that are slim. To penetrate the Iranian centrifuges someone had to first physically infect the computers in the facility(windows based pc's) and then a technician had to connect to a seperate network that contained the PLC's controlling centrifuges and put a new program on them(the malware then spliced itself into the program while it was downloading). This kind of attack tookany years to plan out and cooperation from the company that manurfactured the PLC's(Siemens), and it required the tech reprogramming them, which would only happen because the system was still in it's software infancy.
  To apply this to something like a power station or a dam, someone would have to investigate the target and figure out exactly what control signals the PLc needed to output, then figure out how to infect it(highly unlikely because it depends on someone putting a new program on the PlC, in a proven system like a dam this is a rare occurance(less than once every 5 years probably)). And then the attack would only effect that one specific dam, no others. It would need to be redone for every attack.
  Simply disabling the control systems wouldn't do any physical damage because of the fail safes designed into systems.
  Compare that to simply bombing the dam and you'll find it'd not worth it in the least. The control malfunction is fixable, a bombed dam is not.
22. Re: Civillian cyber-casualties by tqk · 2013-04-10 05:24 · Score: 2
  
  Speaking as someone who designs control systems like what you talk about for a living, the chances of that are slim. To penetrate the Iranian centrifuges ... This kind of attack took [many] years to plan out and cooperation from the company that manurfactured the PLC's(Siemens), and it required the tech reprogramming them, which would only happen because the system was still in [its] software infancy.
  Yet the result was, it worked. Someone was sufficiently motivated for the long haul to make it happen. I prefer not to underestimate the opposition. Slim chances are a challenge; that's all. We have to be right all the time. They only have to be right once. That story yesterday talked about (tens of|hundreds of) thousands of machines whose security were trivially unsecured (factory admin username/passwords unchanged & machines networked). It showed that there's oodles of low-hanging fruit with little to no failsafes enabled.
  9/11 happened via a couple of months in flight simulators plus box cutters, combined with a lot of inertia on our part (poorly armoured cockpit doors). Look at the mess we've since created to prevent that sort of attack. Those bastards are now long dead, yet they're still winning that battle.
  Kim Philby almost lost his job because Stalin could not believe there were no British spies in Moscow. Was that paranoia, or due diligence?
  
  --
  "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
23. Re:Civillian cyber-casualties by Tarlus · 2013-04-10 07:35 · Score: 3, Funny
  
  albiet in a state not necessarily the same as you were before
  Yeah, your timestamp and permissions might be missing.
  
  --
  /* No Comment */
The Scoop by camperdave · 2013-04-10 02:22 · Score: 5, Informative

Symantec has an analysis of the linux component. It relies on extracting a history of ssh connections from windows machines from an application called mRemote, an open source, multi-protocol remote connections manager.

--
When our name is on the back of your car, we're behind you all the way!
1. Re:The Scoop by lesincompetent · 2013-04-10 02:26 · Score: 2
  
  They didn't properly quote their bash variables. Oh the humanity!
2. Re:The Scoop by iggymanz · 2013-04-10 02:29 · Score: 5, Informative
  
  more accurately, it checks for parameters of any ssh connection *with root privileges*. everyone see the problem there? every owner of every machine that fell to the n. korean attack richly deserved what they got. piss poor security will bite one in the ass.
3. Re:The Scoop by a_n_d_e_r_s · 2013-04-10 02:39 · Score: 2
  
  Not possible. Toot is the same as full access to everything - root has no access restrictions whatsoever. being root is being god on that computor.
  Thus no one sane accept ssh to root.
  
  --
  Just saying it like it are.
4. Re:The Scoop by jasnw · 2013-04-10 02:47 · Score: 2
  
  Evidently, mRemote is orphanware, although it appears it was forked into mRemoteNG. Sets up an interesting idea - what if mRemote was just a way to set up access to non-Windows systems from malware that first exploits one of the seemingly-endless entry points into Windows.
5. Re:The Scoop by mark-t · 2013-04-10 03:06 · Score: 2
  
  The problem isn't accepting ssh as root, per se, the biggest problem is having passwords for usernames on another system stored on an easily compromisable computer, especially ones with sudo rights.
  
  --
  File under 'M' for 'Manic ranting'
6. Re:The Scoop by RabidReindeer · 2013-04-10 03:07 · Score: 2
  
  Not possible. Toot is the same as full access to everything - root has no access restrictions whatsoever. being root is being god on that computor.
  Thus no one sane accept ssh to root.
  While it's rarely possible to login directly as root via ssh on current *n*x systems, it is common to be able to elevate oneself once logged in as an ordinary user. Otherwise remote administration would not be possible.
  Conversely, root is not god if you have selinux switched on. Still immensely powerful, but not god.
7. Re:The Scoop by chispito · 2013-04-10 03:31 · Score: 4, Insightful
  
  more accurately, it checks for parameters of any ssh connection *with root privileges*. everyone see the problem there? every owner of every machine that fell to the n. korean attack richly deserved what they got. piss poor security will bite one in the ass.
  People with poor security do not *deserve* an attack.
  
  --
  The Daddy casts sleep on the Baby. The Baby resists!
8. Re:The Scoop by Dr_Barnowl · 2013-04-10 03:34 · Score: 3, Informative
  
  Yup, this is why you should only accept standard user logins, let them use sudo if they need to administer the box.
Think of all of the StarCraft hours lost! by kannibal_klown · 2013-04-10 02:28 · Score: 4, Funny

Just think about all of those hours lost playing StarCraft.
In other news, the entire population of South Korea is now looking for that 1 StarCraft CD so they can install it on all their machines again.
Re:backups by PNutts · 2013-04-10 02:38 · Score: 2

NK waged war in 1950. What they just did was declare... Never mind, you've ignored history and current events until this point so I'll leave you with this.
Re:victims deserved it by ScentCone · 2013-04-10 02:38 · Score: 3, Insightful

victims deserved it
Uh huh. And if NK decides to shell another island or sink another boat, it will be entirely SK's fault for not making a powerful magic force field that can deflect artillery shells and torpedoes. Victims are always to blame, because they definitely cause their attackers to attack them, because of their weakness, right?

What, is your junior high school out on lunch break right now? Go outside and get some exercise, and quit wasting time building up an interior justification for the future bad shit you're going to do to other people when you get your own computer and stuff.

--
Don't disappoint your bird dog. Go to the range.
Re:victims deserved it by iggymanz · 2013-04-10 02:41 · Score: 4, Insightful

logic fails you. these cyber attacks are preventable by proper security practices - the internet is a hostile place and there is no excuse for laziness in security by IT people. Do you keep your money stacked on the sidewalk in front of your house overnight, or do you make some effort to keep thieves from easily snatching it? your attitude is the problem we in IT face
Re:victims deserved it by Anonymous Coward · 2013-04-10 02:56 · Score: 2, Insightful

victims deserved it
Uh huh. And if NK decides to shell another island or sink another boat, it will be entirely SK's fault for not making a powerful magic force field that can deflect artillery shells and torpedoes. Victims are always to blame, because they definitely cause their attackers to attack them, because of their weakness, right?
And people who leave the logins set to the factory default account=Admin, password=1234, aren't to blame, either.
Nonetheless, they will provide examples that we may call "Natural Selection At Work".
"PermitRootLogin yes" fixes it .. or not by Sloppy · 2013-04-10 02:57 · Score: 3, Interesting

If I understand correctly (do I?) the way it attacked Linux systems was that some people use a ssh client, where they literally have a preference or setting stored, for logging into the Linux machine as root. User clicks something (which does the equivalent of "ssh root@whatever" and the software automatically supplies a key or passphrase) and the next thing they see is a root bash prompt. Wow.
If that's right, then assuming your Linux machines still have

PermitRootLogin no
in /etc/ssh/sshd_config, then your setup isn't compatible with this malware. You'll need an updated version of this malware.
All machines should have "PermitRootLogin no" and if yours doesn't, you're doing something very very strange. Maybe you should go check that, right now. It'll take .. seconds.
That said, things still aren't very rosy. Presumably the user of this ssh client would also have non-root passwords or keys stored too, to get non-root access. But how many of us usually login as a user with some sudoers powers? And how many of us have a very lazy sudoers configuration, where you're literally allowed to just do "sudo -s" and get a root shell, by only having to type in your password again?
So my earlier "joke" about you needing an updated version of malware, might not really be all that much of a joke.
Tighten up your sudoers file if you can. And whether you can or not, have ssh use key authentication instead of password authentication, so that no remote clients can, or need to, have your password stored in them.

--
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
1. Re:"PermitRootLogin yes" fixes it .. or not by Sloppy · 2013-04-10 04:13 · Score: 2
  
  And exactly how does key authentication stop the malware loging onto remote machines.
  It doesn't. What it would stop, is the malware (once logged in) having an easy-to-guess sudo password. sudo doesn't care if you know the ssh key and are therefore allowed to log in; it wants a password (not an ssh key) before it'll let you rm -rf /.
  
  --
  As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
2. Re:"PermitRootLogin yes" fixes it .. or not by petermgreen · 2013-04-10 04:38 · Score: 3, Informative
  
  Even that doesn't do much, if the attacker has control of your user account and your user account can create psuedo terminals (and if you cant create psuedo terminals then you can't use anything like xterm or screen) then they can easilly change your bash profile to add a directory under your homedir to the path. Then add malicious su and sudo wrappers in there which record the credentials.
  
  --
  note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
Problem fixes itself by gnasher719 · 2013-04-10 03:15 · Score: 5, Interesting

All the vulnerable machines were wiped. So now there are no vulnerable machines anymore. Second attack will be much harder. And the percentage of Korean users doing proper backups will probably be growing :-) (Not that I'm saying people in Korea are more negligent with backups than others).
Re:This is the problem with using hacking as a wea by Sloppy · 2013-04-10 03:25 · Score: 2, Funny

Rice farmers in North Korea are not vulnerable to hacking.
Have you audited all your rice's genes? A leaked Monsanto report said most versions have a buffer-overflow bug somewhere in chromosome 6, but they didn't say exactly where. Unless North Korea buys their seed rice from Theo De Raadt...

--
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Re:Elite hackers from NK? Pull the other one. by Dr_Barnowl · 2013-04-10 03:35 · Score: 2

I will never think of the word "norks" quite the same again.
Re:Elite hackers from NK? Pull the other one. by tqk · 2013-04-10 03:42 · Score: 2

Wonder if North Korea was the original target, and the malware leaked out into the wild.
I wonder if the miscreant just used NK to carry out the attack, in order to incriminate them. I'm lookin' at you, CIA. I must say I'm also a bit surprised to learn that NK allows any connection to the net outside its borders, especially to SK (the enemy).

--
"Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
Re:This is the problem with using hacking as a wea by Sloppy · 2013-04-10 05:07 · Score: 2

If you think my comment actually had a point, then you missed the point. :-)

--
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.