S. Korea Says Cyber Attack From North Wiped 48,700 Machines

wiredmikey writes "An official investigation into a major cyber attack on South Korean banks and broadcasters last month has determined that North Korea's military intelligence agency was responsible. An investigation into access records and the malware used in the attack pointed to the North's military Reconnaissance General Bureau as the source, the Korea Internet and Security Agency (KISA) said on Wednesday. To spread the malware, the attackers went through 49 different places in 10 countries including South Korea, the investigation found. The attacks used malware that can wipe the contents of a computer's hard disk (including Linux machines) and damaged 48,700 machines including PCs, ATMs, and servers."

  • Just makes me wonder what war is turning into. Instead of bombing cities, I can see nations targeting unprotected civilian computers in enemy nations. Massive destruction ensues, even though it's imprecise. In other words: bombing, but without all the mess.

    • by Anon, Not Coward D ( 2797805 ) on Wednesday April 10, 2013 @09:16AM (#43411801)

      But I'm sure most civilians prefer an empty computer rather than being dead...

      • by Anonymous Coward on Wednesday April 10, 2013 @09:24AM (#43411881)

        Speaking as a civilian, I'd much rather prefer to both be alive and not have my livelihood threatened, thanks. That's the worst false dichotomy I've heard all week and you should feel bad.

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          If this is the evolution of war, then war has evolved to something that is distinctly more friendly to humanity.

          Your point is that war is bad. Sure it is. But the actual point is this type of war is less bad.

          • In the American Civil War, Sherman destroyed anvils and railroads, burned crops, killed livestock, etc. Our society has become quite dependent on computerized organization for shipments of crops, livestock, and other goods. Destroying desktop computers can bring a company to its knees for a while.
        • Re: (Score:2, Insightful)

          by Anonymous Coward

          If you're doing proper backups, your livelihood shouldn't be threatened. But there ain't no restoring a dead person from backup.

        • by gatkinso ( 15975 )

          I'll also take the wiped hard drive and non working ATM card over the 500 pounder coming through the living room window, thanks.

      • by tqk ( 413719 ) <s.keeling@mail.com> on Wednesday April 10, 2013 @09:49AM (#43412149)

        But I'm sure most civilians prefer an empty computer rather than being dead.

        Most civilians are ignorant morons wrt computers. If that empty computer was used to locate (see story yesterday) the poorly secured, net connected SCADA box that controls the spillways of the hydroelectric dam upstream of your place, an empty computer is the least of your worries.

        • by Anonymous Coward

          Speaking as someone who designs control systems like what you talk about for a living, the chances of that are slim. To penetrate the Iranian centrifuges someone had to first physically infect the computers in the facility (Windows-based PCs) and then a technician had to connect to a separate network that contained the PLCs controlling centrifuges and put a new program on them (the malware then spliced itself into the program while it was downloading). This kind of attack took many years to plan out and coope

          • by tqk ( 413719 )

            Speaking as someone who designs control systems like what you talk about for a living, the chances of that are slim. To penetrate the Iranian centrifuges ... This kind of attack took [many] years to plan out and cooperation from the company that manufactured the PLCs (Siemens), and it required the tech reprogramming them, which would only happen because the system was still in [its] software infancy.

            Yet the result was, it worked. Someone was sufficiently motivated for the long haul to make it happen. I prefer not to underestimate the opposition. Slim chances are a challenge; that's all. We have to be right all the time. They only have to be right once. That story yesterday talked about (tens of|hundreds of) thousands of machines whose security was trivially unsecured (factory admin username/passwords unchanged & machines networked). It showed that there's oodles of low-hanging fruit with li

      • by RabidReindeer ( 2625839 ) on Wednesday April 10, 2013 @10:02AM (#43412287)

        But I'm sure most civilians prefer an empty computer rather than being dead...

        Civilian computers are not the primary target. A military cyber-attack would primarily be focussed on leaving the target area without electrical power, water, transportation (including traffic lights) or communications, with its banking and financial capabilities damaged. Consider, for example, how Iran was targeted. Their nuclear centrifuges were deliberately made to spin "off-key" with the intent that the results would be useless and the centrifuges would be physically ruined.

        Obviously, if you can keep everyone busy trying to restore their personal computers and devices at the same time, it's a bonus. That way they're distracted from working on core infrastructure.

      • by leonbev ( 111395 )

        With the number of Bitcoin fanatics currently on Slashdot, I'm sure that there would be at least one person here who would rather be dead than lose their wallet file with a $100,000 worth of cryptocurrency on it :)

      • Personally I'd prefer no internet access to North Korea over a wiped computer. So how about we just disconnect them from the global internet instead?
    • by carlhaagen ( 1021273 ) on Wednesday April 10, 2013 @09:18AM (#43411813)
      "but without all the mess" - as long as you don't count the mess that come with society's backbone starting to wobble. Our infrastructure's and societal functions' dependency on the Internet is grossly underestimated. This is a fact.
    • Messy bombing BEST bombing.
    • by Anonymous Coward

      Kinda reminds me of an old Star Trek episode from the original series. War was just a computer simulation for calculating casualties and then people were sent for disintegration according to the simulation results.

    • by AvitarX ( 172628 )

      I see this as, they cost 48 million over a large selection of banks (1000/each machine to repair).

      hardly a terrible attack.

      • by KGIII ( 973947 ) <uninvolved@outlook.com> on Wednesday April 10, 2013 @09:39AM (#43412021) Journal

        What I find amazing is that NK is technologically capable of causing that amount of damage both in terms of technology and infrastructure. I didn't believe they'd get enough bandwidth by using the soldiers to manually hand off the packets. I figured they'd be too busy eating grass and tree bark really.

        Okay, okay. So I'm only a little kidding. I'm still surprised they had the tech chops to pull that off OR that they were so poorly defended. It could go either way I suppose.

        • by AvitarX ( 172628 )

          I assumed they simply had more script kiddies than anonymous not fearing retribution.

          • by KGIII ( 973947 )

            It is pretty clever. Someone linked to an autopsy down further in the thread. I'm kind of surprised though it does look like poor security practices were in place.

        • NK is the subject of a lot of Western propaganda. As such, you usually only hear the bad stuff about them. Any tech progress they've made would never be reported in the Western press, of course. So I suspect they're a lot more technologically advanced than most of us realize. It was the same way with the USSR in the 50's. One of the reasons a lot of Americans were so shocked by Sputnik was that they had been hearing for years that the USSR was all gulags and poverty, and had no idea that they were so techno

        • by tqk ( 413719 ) <s.keeling@mail.com> on Wednesday April 10, 2013 @10:09AM (#43412363)

          I'm still surprised they had the tech chops to pull that off ...

          You can buy tech chops. Cf. Wernher von Braun. There's always been plenty of people who're easily persuaded to suppress any sense of morality or ethics that might get in the way of them getting the filthy lucre. Some (WvB again) aren't even after money.

          • by KGIII ( 973947 )

            True, I just don't see them getting out much in order to do so. I am usually the guy that laughs at the conspiracy nuts but I wonder if this is a false flag op or something. I don't really know or anything, it just seems a little off.

    • by nospam007 ( 722110 ) * on Wednesday April 10, 2013 @10:16AM (#43412453)

      "I can see nations targeting unprotected civilian computers in enemy nations."

      The South should immediately retaliate and wipe all the North's computers, both of them.

  • The Scoop (Score:5, Informative)

    by camperdave ( 969942 ) on Wednesday April 10, 2013 @09:22AM (#43411863) Journal
    Symantec has an analysis [symantec.com] of the Linux component. It relies on extracting a history of ssh connections from Windows machines from an application called mRemote, an open source, multi-protocol remote connections manager.
    • They didn't properly quote their bash variables. Oh the humanity!
    • Re:The Scoop (Score:5, Informative)

      by iggymanz ( 596061 ) on Wednesday April 10, 2013 @09:29AM (#43411939)

      more accurately, it checks for parameters of any ssh connection *with root privileges*. everyone see the problem there? every owner of every machine that fell to the n. korean attack richly deserved what they got. piss poor security will bite one in the ass.

      • Re:The Scoop (Score:5, Insightful)

        by chispito ( 1870390 ) on Wednesday April 10, 2013 @10:31AM (#43412575)

        more accurately, it checks for parameters of any ssh connection *with root privileges*. everyone see the problem there? every owner of every machine that fell to the n. korean attack richly deserved what they got. piss poor security will bite one in the ass.

        People with poor security do not *deserve* an attack.

      • Re:The Scoop (Score:4, Informative)

        by Dr_Barnowl ( 709838 ) on Wednesday April 10, 2013 @10:34AM (#43412597)

        Yup, this is why you should only accept standard user logins, let them use sudo if they need to administer the box.

    • Really nasty, if you run it as root. How do they escalate their privileges?

      • Not possible. Toot is the same as full access to everything - root has no access restrictions whatsoever. Being root is being god on that computer.

        Thus no one sane accepts ssh to root.

        • by Anonymous Coward

          Toot is the same as full access to everything

          The advantage of a toot login vs root is that it uses a double olfactory authentication. Plus it just feels good.

        • by mark-t ( 151149 )
          The problem isn't accepting ssh as root, per se, the biggest problem is having passwords for usernames on another system stored on an easily compromisable computer, especially ones with sudo rights.
        • Not possible. Toot is the same as full access to everything - root has no access restrictions whatsoever. Being root is being god on that computer.

          Thus no one sane accepts ssh to root.

          While it's rarely possible to login directly as root via ssh on current *n*x systems, it is common to be able to elevate oneself once logged in as an ordinary user. Otherwise remote administration would not be possible.

          Conversely, root is not god if you have selinux switched on. Still immensely powerful, but not god.

    • by jasnw ( 1913892 )

      Evidently, mRemote is orphanware [royalts.com], although it appears it was forked into mRemoteNG [mremoteng.org]. Sets up an interesting idea - what if mRemote was just a way to set up access to non-Windows systems from malware that first exploits one of the seemingly-endless entry points into Windows.

    • Am I mistaken or does this mRemote application store passwords in the clear? That's just plain nuts!

  • by Anonymous Coward

    People, N. Korea has declared war. Time to make a backup...

    • by PNutts ( 199112 )

      NK waged war in 1950. What they just did was declare... Never mind, you've ignored history and current events until this point so I'll leave you with this [lmgtfy.com].

  • by kannibal_klown ( 531544 ) on Wednesday April 10, 2013 @09:28AM (#43411929)

    Just think about all of those hours lost playing StarCraft.

    In other news, the entire population of South Korea is now looking for that 1 StarCraft CD so they can install it on all their machines again.

    • by KGIII ( 973947 )

      It runs in Windows. They've likely had to reformat lately so the disks should be easy to find.

  • by Sloppy ( 14984 ) on Wednesday April 10, 2013 @09:57AM (#43412227) Homepage Journal

    If I understand correctly (do I?) the way it attacked Linux systems was that some people use an ssh client, where they literally have a preference or setting stored, for logging into the Linux machine as root. User clicks something (which does the equivalent of "ssh root@whatever" and the software automatically supplies a key or passphrase) and the next thing they see is a root bash prompt. Wow.

    If that's right, then assuming your Linux machines still have

    PermitRootLogin no

    in /etc/ssh/sshd_config, then your setup isn't compatible with this malware. You'll need an updated version of this malware.

    All machines should have "PermitRootLogin no" and if yours doesn't, you're doing something very very strange. Maybe you should go check that, right now. It'll take .. seconds.

    That said, things still aren't very rosy. Presumably the user of this ssh client would also have non-root passwords or keys stored too, to get non-root access. But how many of us usually login as a user with some sudoers powers? And how many of us have a very lazy sudoers configuration, where you're literally allowed to just do "sudo -s" and get a root shell, by only having to type in your password again?

    So my earlier "joke" about you needing an updated version of malware, might not really be all that much of a joke.

    Tighten up your sudoers file if you can. And whether you can or not, have ssh use key authentication instead of password authentication, so that no remote clients can, or need to, have your password stored in them.

    • Of course I mean "PermitRootLogin no" fixes it .. or rather, might not really fix it.

    • If that's right, then assuming your Linux machines still have

      PermitRootLogin no

      Hmm..just looked on my home Linux box I recently set up to play with....by default, with OpenSSH...it appears that is set to yes by default.

      Just changed that and rebooted.

    • by jabuzz ( 182671 )

      And exactly how does key authentication stop the malware logging onto remote machines? Clue: it does not. Even if I ditched key based authentication as well and Kerberized everything in sight that would still not help, because presumably I have a valid Kerberos ticket when I log on...

      The only solution is to stop being lazy and require a password every time you log into a remote machine and/or to run anything under sudo require a password.

      • by Sloppy ( 14984 )

        And exactly how does key authentication stop the malware logging onto remote machines.

        It doesn't. What it would stop, is the malware (once logged in) having an easy-to-guess sudo password. sudo doesn't care if you know the ssh key and are therefore allowed to log in; it wants a password (not an ssh key) before it'll let you rm -rf /.

      • Even that doesn't do much, if the attacker has control of your user account and your user account can create pseudo terminals (and if you can't create pseudo terminals then you can't use anything like xterm or screen) then they can easily change your bash profile to add a directory under your homedir to the path. Then add malicious su and sudo wrappers in there which record the credentials.

    • If for some reason you can't use:

      PermitRootLogin no

      Consider allowing root login only with a key, not with a password:

      PermitRootLogin without-password

      If you do allow root login with a key by using "without-password", use a passphrase on the key if possible. That gives two factor security: something you have (the key) plus something you know (the passphrase). For automated SSH login such as remote cron, consider "command=" to an ssh key, so it can run as root, but it can only execute that one comman

      • by jabuzz ( 182671 )

        None of which helps if you have a piece of software storing all the credentials you need to log onto a remote machine.

        • None of which helps if you have a piece of software storing all the credentials you need to log onto a remote machine.

          If you follow my suggestion and use command="", it certainly DOES help that that login can only run "startbackup" and nothing else.
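The advice in this sub-thread (Sloppy's "PermitRootLogin no" and tightened sudoers, and the later suggestion of key-only root login with a "command=" restriction) can be checked mechanically. The script below is an added example, not code from the thread, from Slashdot or from the OpenSSH project; it audits constructed sample files written to a temp directory rather than a live host, treats a missing PermitRootLogin as the "yes" default that applied to OpenSSH at the time of the thread (an assumption; current releases default to prohibit-password), and its function names are its own.

```shell
#!/bin/sh
# Added example (not from the thread): audit the three controls the comments
# argue about, against constructed sample files. Nothing on the real host is read.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sshd_config with the weak setting. The leading comment and the
# Match block are there to show what the audit must ignore.
cat > "$WORK/sshd_config.weak" <<'EOF'
# a comment that mentions PermitRootLogin no but is not a directive
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
EOF

cat > "$WORK/sshd_config.hardened" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
EOF

# Constructed sudoers fragments: the "lazy" one lets a stolen login run
# "sudo -s" (or anything at all, with no password for %wheel).
cat > "$WORK/sudoers.lazy" <<'EOF'
Defaults env_reset
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
alice   ALL=(ALL) ALL
EOF

cat > "$WORK/sudoers.tight" <<'EOF'
Defaults env_reset, timestamp_timeout=0
root    ALL=(ALL) ALL
alice   ALL=(root) /usr/bin/systemctl restart httpd, /usr/bin/journalctl
EOF

# Constructed authorized_keys: the key material is a placeholder, not a real key.
# The second entry is the "command=" pattern the thread recommends for cron jobs.
cat > "$WORK/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3FAKEKEYMATERIAL0001 admin@workstation
command="/usr/local/bin/startbackup",restrict ssh-ed25519 AAAAC3FAKEKEYMATERIAL0002 backup-cron
EOF

# sshd keeps the FIRST value it reads for a keyword, so report the first
# uncommented PermitRootLogin that appears before any Match block. If there is
# none, assume the compiled-in default of "yes" (assumption, see lead-in).
effective_permit_root_login() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# Classify the value the way the thread does: "no" is the goal, key-only root
# login is tolerable with a passphrase and command= restriction, anything else
# means a stored password is enough to get a root shell.
rate_permit_root_login() {
    case "$1" in
        no) echo "ok: root cannot log in over ssh at all" ;;
        without-password|prohibit-password|forced-commands-only)
            echo "warn: root key login allowed; passphrase the key and use command= restrictions" ;;
        *) echo "FAIL: root password login over ssh is enabled" ;;
    esac
}

# Count sudoers entries that grant every command or skip the password prompt.
# Defaults lines, comments and blank lines are ignored.
sudoers_unrestricted_count() {
    grep -Ev '^[[:space:]]*(#|Defaults|$)' "$1" | grep -Ec 'NOPASSWD|[[:space:]]ALL[[:space:]]*$' || true
}

# Count authorized_keys entries with no forced command: each one gives whoever
# holds (or stole) the key an interactive shell rather than one fixed program.
authorized_keys_without_command_count() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -vc 'command="' || true
}

report() {
    for f in "$WORK/sshd_config.weak" "$WORK/sshd_config.hardened"; do
        v=$(effective_permit_root_login "$f")
        printf '%s: PermitRootLogin=%s -> %s\n' "${f##*/}" "$v" "$(rate_permit_root_login "$v")"
    done
    printf 'sudoers.lazy: %s unrestricted entries\n' "$(sudoers_unrestricted_count "$WORK/sudoers.lazy")"
    printf 'sudoers.tight: %s unrestricted entries\n' "$(sudoers_unrestricted_count "$WORK/sudoers.tight")"
    printf 'authorized_keys: %s keys without command=\n' "$(authorized_keys_without_command_count "$WORK/authorized_keys")"
}

report
```

The audit stops at the first Match block on purpose: sshd takes the first value it reads for a keyword, and a PermitRootLogin inside a Match block applies only to the users or hosts that block matches, so it says nothing about the global setting. The tight sudoers still reports one unrestricted entry, which is root's own line; the point of the count is the non-root users whose stored credentials a compromised workstation would hand over.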

  • I'm surprised they opted to wipe the compromised machines. North Korea has a long history of earning hard-currency funds through illicit activity (counterfeiting, drug-smuggling, etc). By wiping their targets, they've lost the possibility of using them to turn a fraudulent profit.

    Probably means someone over there needed a short-term propaganda coup for internal political reasons.

  • Problem fixes itself (Score:5, Interesting)

    by gnasher719 ( 869701 ) on Wednesday April 10, 2013 @10:15AM (#43412431)
    All the vulnerable machines were wiped. So now there are no vulnerable machines anymore. Second attack will be much harder. And the percentage of Korean users doing proper backups will probably be growing :-) (Not that I'm saying people in Korea are more negligent with backups than others).
    • by caspy7 ( 117545 )

      Indeed, if mere destruction was their aim, they succeeded. But beyond taking out the vulnerable machines, if this attack has left enough of a cultural impact, it may have instilled a greater vigilance among South Koreans, such that not only will the [presumably] reinstalled machines be fully patched and secured, but the defenses of the still-standing machines will be shored up higher in the future.

      If a large enough amount of computers in my city were wiped, it would make the news, people would be talking a

  • I felt a disturbance in the force. As if thousands of Korean Starcraft characters all cried out at once then were deleted.

  • Interestingly, I just started playing with Rootkit Hunter a couple of weeks back, and it complained when it saw "PermitRootLogin yes".

    Since I didn't know that existed, it was either set that way by the very popular distribution I'm using OR (unlikely) by an external force. I'm sure no expert, but allowing login as root via SSH just didn't sound like a good idea. Maybe it's all those 'Security Now' episodes.
