Nonghyup Attack Carried Out by the General Bureau of Reconnaissance

On May 3rd, the South Korean Supreme Prosecutors’ Office stated publicly that the April 12th paralysis of the computer network of the National Agricultural Cooperative Federation, also known as Nonghyup, was a cyber terrorist attack carried out by North Korea.

A high-tech crime investigation unit of the Central Prosecutors’ Office revealed that the attack was carried out by the same group which was charged with the DDoS attacks of July 7th, 2009 and March 4th of this year. “It is unprecedented cyber terror” that North Korea is involved in “and the hacking group has planned meticulously over a long time period.”

The National Intelligence Service also stated that, “The body which attacked the Nonghyup computer system last month is North Korean. It appears that the General Bureau of Reconnaissance of North Korea has been involved in this issue.”

The General Bureau of Reconnaissance was created within the No. 35 Department of Operation of the Central Committee of the Party in February, 2009 as an organization to lead all kinds of espionage targeting South Korea and other countries.

The Supreme Prosecutors’ Office stated that after analysis of 81 pieces of malicious code found on the laptop which initiated the order to ‘delete’ the OS of Nonghyup, it was found that the methods used to encode and hide the malicious code were similar to those used in the previous DDoS attacks.

In addition, the methods used to spread the malicious code were also similar to those used in previous attacks, and one of the Internet protocol addresses which were used to operate the zombie PC was identical to the address used in the most recent DDoS attack.

The North’s hackers hacked into the laptop and installed a hacking program, a “backdoor”, and a wiretapping program in order to monitor the actions of the laptop user and to obtain the target IP address and password of the lead manager of the operation system.

The hackers installed a file designed to attack the servers of Nonghyup from the laptop at 8:20 AM on the 12th of April and ordered the operating system to be deleted at 4:50 PM on the same day. Through three separate attacks the hackers destroyed over 273 servers out of a possible 587 Nonghyup servers.
