[Initial Perspective] Why Yes24 Refused Government Help After Being Hacked [Concealment (16)]

On June 11, the third day since Yes24's services were paralyzed by a hacker's ransomware attack, a notification arrived in the email inbox after 10 p.m. The sender was the forensic analysis team of the Korea Internet & Security Agency (KISA), a hacking response agency under the Ministry of Science and ICT. Curious if this sudden late-night press release meant a breakthrough had been found, I opened it, but the contents were quite different.

"Yes24 claimed it was making every effort to recover services in cooperation with KISA, but this is not true. KISA analysts visited Yes24 headquarters twice, but Yes24 has not cooperated. KISA will continue to request Yes24's cooperation to ensure normal recovery."

At first glance, the final sentence seemed to have the subject reversed, illustrating an abnormal situation in which the hacked company is refusing help, while the government is the one pleading to assist. After this, a flood of articles criticizing Yes24 appeared. On top of criticism for poor security and the site outage, the company was now being called a liar. It was not until noon the following day that Yes24 reportedly agreed to receive technical support from KISA. However, if one understands the internal circumstances of a company caught in a ransomware trap, it is difficult to simply point fingers at Yes24.

Asia Economy has been reporting the "Concealment" series, tracking companies that do not report hacking incidents, from May 26 to June 1. The starting point was a comment from a high-ranking former official of the Ministry of Science and ICT four months ago: "Most companies that are hacked do not report it and instead pay hackers in Bitcoin. Their reputation suffers, and the government only blames them, so they choose not to report."

Representatives of victimized companies and cybersecurity experts I met during the investigation also testified, "When you report to the government, all they say is not to pay the hackers," and "You lose time to investigations and paperwork just piles up." SK Telecom also refused KISA's follow-up investigation and damage assessment after reporting a USIM hacking incident last April.

Reading KISA's "Guidelines for Ransomware Infection" made the companies' difficulties understandable. The steps were: "Confirm symptoms → Report → Recover." The content was limited to "Back up unencrypted data," "Keep encrypted data," and "If you pay hackers, you become an easy target." There was no mention at all of "full data restoration," which is what hacked companies most desperately want.

Security experts believe this is why Yes24 did not open its servers to the government. Unlike manufacturers, which can cover up incidents by keeping employees silent, a site with 20 million subscribers cannot hide a hacking incident. This suggests that Yes24, though forced to report, wanted to avoid a government investigation as much as possible. Most hacked companies seek out shadowy negotiators to settle ransom demands with hackers rather than the government. Only after paying anywhere from tens of millions to billions of won in Bitcoin do they receive the decryption key (data recovery password).

Hackers use this ransom to fund further ransomware attacks. If the government cannot help hacked companies, the vicious cycle cannot be broken. The US Federal Bureau of Investigation (FBI) has achieved results by hacking back against hacker groups and tracing cryptocurrency flows to recover ransom payments. The new administration must focus on cultivating such specialized hacking response experts.

The current perception of the government among victimized companies was demonstrated by the press release KISA sent late at night on June 11. Failing to develop countermeasures due to ignorance is incompetence, but knowingly failing to act goes beyond incompetence to outright irresponsibility.

▲Screenshot of Yes24 homepage as of the 13th

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.