South Korea’s National Police Agency concluded yesterday that North Korea was responsible for a three-day distributed denial-of-service (DDoS) attack that crippled 40 Web sites run by the government and private businesses on March 4. 

“After scrutinizing computers affected by malicious code and overseas servers involved in the March DDos attack, we discovered the origin of the attack was the same as the July 7, 2009 attack,” said South Korea’s Cyber Terror Response Center, which is under the NPA. 

According to the National Police Agency, the attack originated from the same IP address used for the July 2009 attack.

In October 2009, the National Assembly’s Intelligence Committee told the JoongAng Ilbo that South Korea’s National Intelligence Service had identified North Korea’s Ministry of Posts and Telecommunications as being behind the July 2009 cyberattacks, which paralyzed 21 Web sites in South Korea and 14 overseas including the United States.

Investigators said the method of the latest cyberattack was exactly the same as in 2009: Malicious code was distributed through peer-to-peer file sharing sites, transforming personal computers that downloaded the files into zombie computers that performed the DDoS attacks.

Investigators noted that some of the overseas servers used for the March attack were used in the 2009 attack.

“There are over 4.2 billion IP addresses in the world, and it would be impossible for the latest attack to be initiated by a different hacker because it used the same IP address as in the 2009 DDoS attack,” the Cyber Terror Response Center said. 

The March attack infected over 100,000 personal computers across the country, making them “zombies.”

Nearly 750 servers in 70 countries controlled the infected computers to generate a large volume of traffic to overwhelm 40 Web sites and make them inaccessible to the public, according to police. 


By Kim Mi-ju [mijukim@joongang.co.kr]