Another set of cyberattacks has struck the Republic of Korea, and the first to be blamed is the DPRK. Computers at two major television networks stopped working and their websites were taken offline. A cable channel experienced similar problems. Three banks had trouble with ATMs and Internet- and mobile-banking applications. The attacks were targeted specifically at South Korea, and the malware used was programmed to erase data on the bank computers, similar to 2011 attacks on ROK banks that some attribute to North Korea.
We don't know that North Korea is responsible, but it is a likely suspect. Cyber is the perfect weapon for a country that loves provocation, and the North has put money and time into building cyber-weapons. It is good at covert action, slipping agents across the border and engaging in black market activities around the world, such as counterfeiting and smuggling. Hacking is a natural fit for the secretive and belligerent Hermit Kingdom.
But the evidence is murky. Some cyberattacks leave obvious signs of who was responsible. Other times, the attack can be tracked back, particularly if it is "in progress" and the attackers are still connected. In some cases, the United States finds identifying evidence when it takes a close look at other countries' networks. This has not been the case for these latest attacks, leaving us to wonder who did it.
One way to identify the source of an attack is to examine the intersection of capabilities and intent for likely culprits. A sophisticated cyberattack against Iran's nuclear facilities, for example, points to only a few suspects. In this case, however, many state and non-state actors have the necessary attack capability. North Korea is only one of them. It began developing cyber capabilities in the 1990s, and although progress has been slow -- the country is not particularly conducive to the development of a hacker culture -- the North Koreans are dogged and willing to spend scarce resources to gain asymmetric advantages, as shown by their nuclear and missile programs.
Determining who is responsible for an attack often depends on asking "cui bono?" -- who benefits? In attacks on South Korea, the North is always the lead suspect, but the target set for this attack apparently included no South Korean or U.S. government agencies. Most attacks focus on extracting money or valuable information, but that did not happen in this case. Nor did the attacker try to disrupt critical infrastructure and services. What is left is political motivation. Cyberattacks are a new and attractive form of protest and coercion. The Russians used them against Estonia; the Iranians used them against the United States. In such company, North Korea would feel right at home.
But governments are not the only ones to use these new tools. Political groups like Anonymous routinely hack websites or launch denial-of-service attacks (essentially, flooding the target network with traffic so that it is knocked offline). If North Korea is a suspect, so are political activists, perhaps hacktivists from China or South Korea's thriving Internet community. At the same time, the fact that a new, unknown group calling itself "Whois Team" has claimed credit means little. They could be the authors of the attack, they could be an outside group that is simply taking credit, or they could be a cover for state-sponsored efforts.
The Chinese IP address that has been linked to the attack is hardly conclusive. Many Chinese networks use pirated software, making them inherently vulnerable to outside manipulation. A Chinese hacker group could have attacked South Korean sites as a protest, but such groups usually make bombastic, direct, and nationalistic threats. That was not done here. North Korea could have used China as a jumping-off point for an attack, but doing so would have risked its relationship with its most important ally. The North may have been tweaking China because of its recent support for sanctions, or the Chinese may have decided to tolerate action against the South, but there is no evidence or precedent to support either hypothesis. We simply don't know.