It appears that the recent cyber-attacks against South Korean banks and television networks may not have originated in China, the country's officials said Friday.
"We were careless in our efforts to double-check and triple-check," Korean Communications Commission official Lee Seung-won told reporters Friday. "We will now make announcements only if our evidence is certain," Lee said.
On March 20, Korean television stations KBS, MBC, and YTN, as well as banking institutions Jeju, NongHyup, and Shinhan were infected with a malware which wiped data off hard drives, rending the systems inoperable. The KCC had previously said a Chinese IP address accessed the update management server at the NongHyup bank to distribute the "wiper" malware, which erased data from an estimated 32,000 Windows, Unix, and Linux systems across the six affected organizations.
It appears KCC mistook a private IP address used by a NongHyup system as a Chinese IP address because they were "coincidentally" the same, according to the Associated Press report. Officials have seized the system's hard drive, but it's not clear at this point where the infection originated.
"We're still tracking some dubious IP addresses which are suspected of being based abroad," Lee Jae-Il, vice-president of Korea Internet and Security Agency, told reporters.
Attribution is Difficult
Shortly after KCC claimed the attack originated from an IP address in China, South Korean officials accused North Korea of being behind this campaign. South Korea had accused its northern neighbor of using Chinese IP addresses to target South Korean government and industry web sites in previous attacks.
However, just a single IP address is not conclusive proof, considering there are plenty of other state-sponsored groups and cyber-criminal gangs using Chinese servers to launch attacks. There are also plenty of techniques attackers can use to hide their activities or make it seem like it is coming from some place else.
This mistake by KCC, while embarrassing for the South Korean government, highlights perfectly why it is so difficult to identify the origins and perpetrators of a cyber-attack. Attribution of attacks can be "extremely difficult," said Lawrence Pingree, a research director at Gartner.
The challenge lies in the fact that "counter-intelligence can be used on the Internet such as spoofing source IPs, using proxy servers, using botnets to deliver attacks out of other locations," and other methods, Pingree said. The malware developers can use keyboard maps of diffierent languages, for example.
"A Chinese American or European that understands Chinese but develops their exploits for their country of origin will result in problematic or impossible attribution," said Pingree.
