North Korean, Chinese, and Russian Hackers Targeting Financial Sector... Changed 'DDoS' Attack Methods

Gradually Decreasing DDoS Attacks on Financial Firms... From 26 to 1 Case
Financial Firms Block All Attacks... No Ransom Payments Reported
State-Sponsored Hackers Active... Korea-US-Japan "Joint Response"

[Asia Economy Reporter Song Seung-seop] Cyberattacks targeting the domestic financial sector are becoming increasingly sophisticated. As threats using Distributed Denial of Service (DDoS) attacks have proven ineffective, attempts to directly hack systems are on the rise. Hacker groups with pro-North Korea, China, and Russia affiliations have been identified as the culprits, prompting South Korea, the United States, and Japan to launch a joint response.


According to the Financial Security Institute on the 18th, ransomware was the cyber threat most frequently shared externally over the past three years, with 55 cases. Ransomware is malicious software that infects computer systems, restricts access by the original users, and demands a ransom to lift the restrictions. Phishing incidents followed with 48 cases. DDoS attacks numbered 6, fewer than the 12 cases of Advanced Persistent Threats (APT) or 9 cases of information theft.


The recent three-year data on 'private sector cyber incident reports' released by the Korea Internet & Security Agency (KISA) also shows a declining trend in DDoS attacks. DDoS attacks decreased from 213 cases in 2020 to 123 cases the following year, and only 76 cases as of September this year. In contrast, system hacking incidents increased from 250 to 283 and then to 428 during the same period. Ransomware attacks also rose from 127 to 223 and 225 cases.


The decline in DDoS attacks indicates that domestic financial institutions have strengthened their defenses, reducing the value of such attacks. In 2017, there were 26 DDoS attack threats against domestic financial firms, which dropped to 18 in 2020 and only 3 last year. This year, there has been just one DDoS attack. All DDoS attacks during this period were successfully blocked by financial institutions, and there have been no cases of ransom payments.


State-Sponsored Hacker Groups Active... South Korea, U.S., and Japan "Joint Response"

The issue now is that attacks backed by specific countries have become more frequent compared to the past. Analysts suggest an increased likelihood of attacks by hacker groups showing pro-North Korea, China, or Russia tendencies. Last month, U.S. government agencies including the Federal Bureau of Investigation (FBI) disclosed the top 20 vulnerabilities exploited by China-backed hacking groups. In South Korea, malware used by hacker groups such as Lazarus, Andariel, and Kimsuky continues to be detected. The Lazarus group, attributed to North Korea, has attempted attacks on domestic financial companies, though these have not resulted in incidents.


Warnings have been raised about the growing threat of pro-Russian hacker groups following Russia's invasion of Ukraine. Among these groups, Killnet is known to have attempted DDoS attacks against multiple countries opposing Russia. Lim Gu-rak, head of the Cyber Response Division at the Financial Security Institute, stated, "There has been an increase in attacks by large-scale organizations backed by states," and added, "Hacktivism (hacking for political or social purposes) attacks have intensified significantly since the Russia-Ukraine war."


Financial-related personal information is also confirmed to be traded on the dark web and other platforms. Transactions typically occur through Telegram, where sample data is exchanged. However, according to the Financial Security Institute's investigation, over 90% of recently leaked card information was found to be meaningless, either because the data was fake or the leaks had already been identified and addressed.


South Korea plans to strengthen cooperation with the United States and Japan in the field of financial security. On the 15th, financial security agencies from South Korea, the U.S., and Japan signed a memorandum of understanding to share cyber threat information collected from their respective financial sectors.


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.

