*** TOPIC OF THE WEEK (Part 2)

South Korea Condemns North Korea for Cyber Attack on Bank

SEOUL (Yonhap) -- South Korea has condemned North Korea for a cyber attack that paralyzed the computer network of a South Korean bank last month, as Seoul's prosecutors said on May 3 that Pyongyang's intelligence organization was behind the attack.

   The North's General Bureau of Reconnaissance, in charge of espionage operations against Seoul, hacked into the computer system of South Korea's National Agricultural Cooperative Federation (Nonghyup) and deleted key computer files in the bank's servers, the prosecution said.

   The hackers remotely operated the laptop of an employee of a Nonghyup subcontractor after turning it into a "zombie computer" for the attack, it said.

   "This was an unprecedented act of cyber terror involving North Korea," Kim Young-dae, a senior prosecutor from the Seoul Central Prosecutors' Office in charge of the investigation, told reporters.

   But some questions remain about the incident. Some network security experts said it is difficult to conclude North Korea made the attack due to the lack of "hard evidence," saying Internet protocol (IP) addresses can be manipulated.

   Still, the South's Unification Ministry, which handles inter-Korean affairs, said in a statement that the North's hacking "is a provocation on our society and should be condemned." The ministry also urged Pyongyang to immediately stop its acts of cyber terrorism.

   The prosecutors' office said the hacking method used in the April 12 cyber attack on Nonghyup is similar to that used by North Korea for previous cyber attacks on key South Korean government and business Web sites in 2009 and in March of this year.

   One of the IP addresses of Chinese servers used to break into the Nonghyup network was identical to one used two months ago for the distributed denial-of-service (DDoS) attack that originated from North Korea, the office said.

   The laptop, owned by an employee of IBM Korea, the cooperative's computer network maintenance subcontractor, became a zombie computer after downloading North Korea's hacking programs, disguised as update files, from a file storage site in September 2010, the prosecution office said.

   Kim said that once the programs penetrated Nonghyup's computer system, they encoded malicious codes and files and hid their tracks, just as in the two previous DDoS attacks.

   The Pyongyang-hired hackers stole secret information on Nonghyup's computer network system while closely monitoring the laptop for the next seven months through the implanted programs, Kim said. On the morning of April 12, the hackers installed "delete" commands on the laptop and activated them three times hours later through a remote control, the prosecutors said.

   The command files attacked 273 servers out of 587, including those that control ATM transactions, Internet banking and credit card usage.

   Prosecutors said the North Korean hackers watched the entire process through the laptop and when they thought the attack was successful they deleted all data related to the attack.

   The prosecution said the incident is a new type of cyber terrorism that targets one private firm in an effort to destroy the financial foundation of South Korea's capitalist society.

   "We have no plan to prosecute Nonghyup officials, as the network disorder is attributable to North Korea. But the financial authorities or Nonghyup can discipline them for neglect of duty," the prosecution said in a statement.

   "We will also demand all government offices and agencies conduct thorough inspections on every computer they have to deal with this type of cyber attack."

   But some computer experts questioned the prosecution's announcement.

   "It's difficult to say that North Korea actually staged it," said a computer security expert, asking for anonymity. "IP addresses can be fabricated. There is no solid evidence that the hackers who attacked Nonghyup and the groups who performed the DDoS attacks in 2009 and 2011 are the same just because they used the same IP address."

   He added that it was still uncertain whether North Korea borrowed the IP address to manage the DDoS attack in 2009 or whether a third party possibly used the address to attack the Web sites.

   Experts also said that for the previous two attacks, the prosecution had only circumstantial evidence, not direct evidence to prove North Korea made them. They claim there was no clear evidence that the Chinese IPs used in the 2009 attack were lent to the North Korean Ministry of Post and Telecommunications, and even if they were, it was possible that someone else deliberately used them.

   They also said they can't understand how an IBM worker, a security expert, could not know for seven months that his laptop had become a zombie computer.

   "It is worrying that law enforcement authorities blame North Korea for cyber attacks whenever they fail to find the perpetrators," a security expert said.

   "An IBM official, who is a computer expert, didn't realize that his laptop had become a zombie computer. I can't understand it," another expert said, citing Nonghyup's lax computer security.

   The case set off concerns over local financial service firms' cyber security and protection of personal information, which were bolstered by a separate hacking incident into Hyundai Capital Services Inc., the country's leading consumer financial firm.

   Nonghyup's customers were unable to use the bank's ATMs or online or phone banking services during the first few days following the attack. The cooperative was only able to fully restore its services 18 days after the hacking, according to the bank.

   Some customers who complained of financial damage caused by the weeks-long system crash are expected to take legal action to demand compensation.

   Despite the controversy over the cyber attack, Seoul prosecutors said the pattern and methods of the April attack were identical to those used by North Korea. South Korea accused the North of launching cyber attacks on Web sites of government agencies and financial firms in March this year and last July.

   Intelligence officials in Seoul believe that North Korea has about 1,000 hackers in its cyber warfare unit under the command of the Reconnaissance General Bureau.

   The North's reconnaissance bureau is run by Kim Yong-chol, who is believed in South Korea to have been involved in Pyongyang's two deadly attacks last year -- the sinking of the Cheonan warship and the shelling of Yeonpyeong Island. The two attacks killed a total of 50 South Koreans, including two civilians.

   It is also widely believed that some of the North Korean hackers were based in Chinese cities, such as Beijing, Heilongjiang and Shandong, in an apparent bid to make it difficult to identify the attackers quickly, according to the intelligence officials.

   Last year, the South's Unification Minister Hyun In-taek told lawmakers, "It is a widely known fact that the source of cyber attacks via China is North Korea."

   Hyun, the South's point man on North Korean policy, said his government has acknowledged the "seriousness" of the North's cyber attacks.

   Along with special forces, long-range artillery and underwater forces, cyber attacks have been categorized as one of North Korea's "asymmetric military capabilities," according to the South's defense ministry.

   To guard against the North's growing cyber threats, South Korea's military launched the Cyber Command early last year.

   The information security command plans to more than double the number of its personnel to some 500, the defense ministry said.

   A ministry official said the Cyber Command wasn't involved in the investigation into the North's cyber attack on Nonghyup because the probe is out of the command's jurisdiction.

   However, the command is "closely cooperating with the National Intelligence Service and police to cope with cyber threats from North Korea," the official said.

  (END)