The cyber attacks against several South Korean television stations, banks and insurance firms on Wednesday may not have been crippling or widespread, but their timing further fuels concerns over who is launching such attacks, what constitutes “cyber warfare” and how countries should react to such online aggression.
The malicious software—or malware—used in the attack interferes with antivirus and other security software and can wipe the contents of a computer’s hard disk as well as drives attached to or mapped to the infected computer, according to a blog post by Symantec, a cyber security researcher and software vendor. The malware then forces the infected computer to reboot, which it cannot do because its files have been wiped, rendering the device useless. The attacks prevented some bank customers from using their debit and credit cards, although South Korea’s government agencies and critical infrastructure were not affected. Currently, investigators have no indications of the source of this attack or how the attackers infiltrated the victims’ computers.
The malware attack follows North Korea’s accusations last week of U.S.-led efforts to attack that country’s Internet servers, on top of the increased rhetoric implicating China in cyber attacks directed at the U.S. Yet analysts and officials have not linked these latest cyber attacks to North Korea, and the malicious software used does not appear to contain any novel attack methods that would strike fear into the South Korean institutions targeted.
Investigators often have difficulty locating the origin of cyber assaults because the attackers tend to evade detection by breaking into poorly secured computers and using those hijacked systems as proxies through which they can launch and route attacks worldwide.
Still, any investigation into Wednesday’s attacks will likely assess the attacker’s motive as a means to develop an appropriate response. Is a cyber attack an act of aggression, or is it merely provocative, on par with a country testing weapons within its own borders, as North Korea did last month with its underground nuclear weapons test? “From a foreign policy perspective, we haven’t come to grips with what different cyber activity signifies,” says Daniel Castro, a senior analyst with the tech think tank Information Technology & Innovation Foundation.
For instance, the alleged attacks by China on U.S. firms strongly indicate “that China is interested in stealing intellectual property,” Castro says. Aside from “cost and embarrassment” to the South Korean victims for fixing the compromised computers and having the attacks made public, there does not appear to be any lasting damage, he adds.
Instead of being intimidated, the companies victimized are more likely to pour additional resources into their cyber defenses. Says Castro: “The attackers didn’t come up with a novel way of damaging their adversaries, and the attacks don’t show any strength of cyber military capability.”
Although South Korea has faced serious cyber threats in the past—in particular the 2011 and 2009 attacks attributed to North Korea (although it denied involvement)—this most recent incident must be put in perspective. “We need to start being more sophisticated about how we talk about cyber ‘attacks’ and cyber ‘war,’” says Peter Singer, director of The Brookings Institution’s Center for 21st Century Security and Intelligence.
Just as law enforcement would not place a mugger, a terrorist, a spy and a soldier in the same threat category because they all might use the same technology—gunpowder—cyber incidents should be carefully evaluated, Singer says. Even if North Korea were involved in Wednesday’s attack, “harassing South Korean Web sites is something very different than Chinese hackers stealing intellectual property,” he adds. “Both are bad, but very different bads.”