South Korea says attackers used IP address in 5 nations
South Korea said Friday it had identified and blocked five IP addresses used to distribute computer viruses that caused a wave of Web site outages in the U.S. and South Korea.
Lee Jin-man/AP
SEOUL — South Korea said Friday it had identified and blocked five IP addresses used to distribute computer viruses that caused a wave of Web site outages in the U.S. and South Korea.
South Korean and American officials have said they believe North Korea was behind the attacks, but none of the blocked Internet Protocol addresses — the Web equivalent of a street address or phone number — were for computers in North Korea.
The addresses point to the computers that distributed the virus that triggered so-called denial of service attacks in which floods of computers try to connect to a single site at the same time, overwhelming the server. They were in Austria, Georgia, Germany, South Korea and the U.S., an official from the state-run Korea Communications Commission said. He spoke on condition of anonymity because he is not authorized to speak to the media on the record.
The latest evidence does not clear North Korea of involvement. It is likely that the hackers used the identified IP addresses to disguise themselves — for instance, by accessing the computers from a remote location — though blocking them helps prevent those computers from being used again to distribute viruses or to carry out denial of service attacks.
U.S. officials have also said some IP addresses have been traced to the North. And South Korean officials have said the attacks could have been carried out by sympathizers who worked outside of North Korea. IP addresses can also be faked or masked, hiding their true location.
The official added that South Korea also blocked another 86 IP addresses in 16 countries that were used to spread different viruses that damaged hard disks or files in computers they contaminated.
Earlier in the day, ruling party lawmaker Chung Chin-sup told reporters that he was told by the country's main spy agency, the National Intelligence Service, that the 86 IP addresses in 16 countries were used to cause the Web outages. None of those addresses were in North Korea, according to another lawmaker briefed.
But the commission official later corrected that those addresses were not used in the denial of service attacks. The damage from the new viruses appears to be small, with only 96 cases being reported in South Korea so far, the commission said in a statement.
The official said the distribution of the virus was linked to the attacks that caused dozens of Web sites — including those of the White House, Pentagon, Nasdaq stock exchange and South Korea's presidential Blue House — to crash or be disrupted.
The original virus, which got affected computers to attack Web sites, later ordered those computers to get a new virus from the 86 IP addresses to damage their hard disks or files, the official said.
On Friday, South Korea's spy agency briefed lawmakers on circumstantial and technical reasons for believing that North Korea could be behind the attacks, Chung said without elaborating.
But it also cautioned it was too early to conclude that North Korea was responsible as the investigations were still under way, according to Park Young-sun, another member of the intelligence committee.
The Yonhap news agency, citing an unnamed participant in the briefing, said the spy agency told lawmakers that it suspects a technology research unit under the general staff of the North's military is behind the cyber assaults. The NIS declined to confirm the report.
South Korean media reported in May that North Korea was running a cyber warfare unit that tries to hack into U.S. and South Korean military networks to gather confidential information and disrupt service. The Chosun Ilbo newspaper reported Friday the North has between 500-1,000 hacking specialists.
U.S. authorities also eyed North Korea as the origin of the trouble, though they warned it would be difficult to identify the attackers quickly.
Three U.S. officials said this week while Internet addresses have been traced to North Korea, that does not necessarily mean the attack involved Kim Jong Il's government in Pyongyang. They spoke on condition of anonymity because they were not authorized to speak publicly on the matter.
It follows a turbulent few months in which secretive North Korea has engaged in a series of threats and provocative actions widely condemned by the international community, including a nuclear test and missile launches.
North Korea has not responded to the allegations of its involvement in the Web site outages.
On Thursday, seven South Korean Web sites — one belonging to the government and the others to private entities — were attacked in the third round of cyber assaults, but most were back up and running quickly. Attacks were continuing on the seven sites Friday, but they were still accessible, according to the communications commission.
Park, the South Korean lawmaker, said Thursday that a senior intelligence official told her the NIS suspects the North because the country earlier warned it won't tolerate what it claimed were South Korean moves to participate in a U.S.-led cyber warfare exercise, according to a statement from the opposition Democratic Party.
Japan was also being extra vigilant against possible cyber attacks, although there was no sign it had been targeted, officials said.
Associated Press writers Kwang-tae Kim and Wanjin Park in Seoul, Lolita C. Baldor in Washington and Yuri Kageyama in Tokyo contributed to this report.
Copyright © 2009 The Associated Press. All rights reserved.