SEOUL – Exactly 63 years after the outbreak of the Korean War, South Korean hackers working under the ‘Anonymous’ collective appear to have staged a modern-day reconstruction of events by first hacking South Korean websites, then ‘counter-attacking’ North Korean websites.
People claiming to be ‘Anonymous’––which has no hierarchical structure and leans towards anarchy––defaced the South Korean presidential and prime ministerial websites on Tuesday morning, releasing links to files containing a staff database for the Blue House, Saenuri Party and the U.S. Army.
South Korean broadcasters KBS and YTN were also attacked, although both sites have since recovered. Today, the anniversary of the outbreak of the 1950-53 Korean War, had been earmarked by the hacking group for its OpNorthKorea cyber attack operation.
“The real focus of today is the promised disclosure of North Korean military documents. If we get those and they turn out to be authentic, Anonymous will have achieved quite a feat. So far, we’re still waiting,” NK News contributor and analyst Martyn Williams said.
The Presidential website was defaced with a message in red saying “Long live general Kim Jong Un, [our] unified president!”, and was branded with Anonymous logos and Twitter handles consistent with the group’s style.
Twitter users operating under Anonymous-affiliated handles told NK News they had been “framed”, and denied they had attacked the Blue House. A video released late on Monday night, however, claims to show an Anonymous hacker carrying out the attack using a hacking toolkit called “w3b_avtix.”
“South Korean pundits are already blaming the North, but it looks like Anonymous might have staged the entire thing, mimicking the patterns of the real Korean war,” Defense analyst and NK News analyst Subin Kim said.
“It’s too early to blame anyone at this stage,” he added.
Anonymous has no central authority or manifesto from which to draw, making it very difficult to ascertain if those speaking publicly are behind any of the attacks or, indeed, if ‘Anonymous’ hackers are involved at all.
The leaked Saenuri Party list, a link to which was posted on the hacked Blue House site, was consistent with a pre-April 2012 parliamentary election scandal, indicating it may not have been obtained by Anonymous hackers.
Other leaked records included unusual entries in the address field such as “How can I live in [South] Korea,” and “South Korea is America’s Dokdo” –– indicating they too may have come from somewhere else.
Several files contained what appear to be the personnel records of members of the U.S. Army’s 3rd Marine Division, 25th Infantry Division and 1st Cavalry Division. The records contain a name, date of birth, rank, social security number and other information related to their service.
The three units have been involved in ‘OPLAN 5027’, an ongoing U.S.-South Korean joint exercise to prepare for a possible North Korean invasion of the South. All units also fought during the Korean War.
Twitter users @YourAnonNewsKR and @Anonsj, both of whom have been speaking to South Korean media outlets as ‘official’ representatives of Anonymous operations against North Korea, told NK News that they had only planned web-based attacks today, despite earlier claiming to possess secret North Korean documents and a way of accessing the internal North Korean Kwangmyong network.
Other users, however, claimed both were making false claims –– and neither had successfully accessed the North Korean intranet.
“That guy [@Anonsj] doesn’t know anything. The guy who announced the hacking was someone else –– but he didn’t show up.”
“He’s a Korean middle-school student called Lee Kyung-ju, an Anonymous ‘spy’ [sic] told me.” The user showed NK News a chat transcript between Anonsj and another hacker challenging the Anonymous member, accusing them of “showing off”.
The transcript shows a netizen chatting online with “Anonsj” and inviting the Anonymous member to a South Korean security conference on 3 July, where the netizen “plans to tell the press and famous IT figures that Anonymous are simply showing off.”
South Korean hackers opposed to the two most vocal Twitter users claim that only the Uriminzokkiri website is truly hackable –– South Korean high school students have been known to successfully hack into and obtain information from the site in the past. None of this information could be verified by NK News.
DENIAL OF SERVICE
After the attacks on South Korean websites, Anonymous groups made multiple claims that North Korean sites––which were still ‘responsive’ to outside requests––had been taken offline by cyber attacks. Those sites, however, were simply responding at a slower rate than normal, a symptom that Frank Feinstein of KCNA Watch says is typical of a Denial of Service (DoS) attack.
“We check sites by rotating access to thousands of proxy servers spread somewhat evenly over the world, and although the websites can appear ‘down’ from one location, they are often still accessible at others,” Feinstein said.
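The distinction drawn above, between a site that is offline and one that is only slow or unreachable from some locations, can be made explicit when aggregating probe results from several vantage points. The following is an added example, not KCNA Watch's code; the hostnames, vantage names, latencies, baseline and threshold are all constructed assumptions.

```python
from statistics import median
from typing import Optional

# Constructed sample: latency in ms per vantage point, None = timed out.
# Hostnames, vantage names and numbers are invented for illustration.
SAMPLE = {
    "site-a.example": {"eu-1": 2100.0, "us-1": 1800.0, "kr-1": None,
                       "jp-1": 2500.0, "au-1": 1900.0},
    "site-b.example": {"eu-1": None, "us-1": None, "kr-1": None,
                       "jp-1": None, "au-1": None},
    "site-c.example": {"eu-1": 380.0, "us-1": 410.0, "kr-1": None,
                       "jp-1": 395.0, "au-1": 420.0},
}
BASELINE_MS = 400.0   # assumed normal median latency for these sites
SLOW_FACTOR = 3.0     # assumed threshold: 3x baseline counts as degraded


def classify_site(probes: dict[str, Optional[float]],
                  baseline_ms: float = BASELINE_MS,
                  slow_factor: float = SLOW_FACTOR):
    """Return (verdict, reachable_fraction, median_latency_ms)."""
    if not probes:
        raise ValueError("need at least one probe result")
    answered = [ms for ms in probes.values() if ms is not None]
    reachable = len(answered) / len(probes)
    if not answered:
        # Only this case supports a claim that the site is offline.
        return "down", 0.0, None
    med = median(answered)
    if med > slow_factor * baseline_ms:
        # Still answering, but far slower than normal: the DoS symptom.
        return "degraded", reachable, med
    if reachable < 1.0:
        # Normal speed where it answers; unreachable from some locations.
        return "partial", reachable, med
    return "up", reachable, med


def summarize(results=SAMPLE):
    """Map each host to its verdict string."""
    return {host: classify_site(p)[0] for host, p in results.items()}


if __name__ == "__main__":
    for host, probes in SAMPLE.items():
        print(host, classify_site(probes))
```

A single timed-out vantage point, as in the first and third sample sites, never produces a "down" verdict on its own.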
At the time of writing, NK News was unable to retrieve any proof from Anonymous members, real or otherwise, indicating that the North Korean intranet has been successfully accessed from the outside.
Additional reporting by Hyowon Shin and Shinui Kim in Seoul, and Martyn Williams of North Korea Tech.