Source of the June 2012 JoongAng Ilbo hacking is North Korea
2013-01-16 • KRNPA
https://www.korea.kr/common/download.do?fileId=183340407&tblKey=GMN
Attachments
중앙일보_해킹_근원지.hwp (327 KB)
South Korean police attributed the June 2012 JoongAng Ilbo intrusion to North Korean-linked activity after examining compromised newspaper production systems, security logs, six malware samples, and domestic and overseas relay servers. The attacker using the alias “IsOne” had prepared since around April, accessed the victim’s production environment for reconnaissance, compromised an administrator PC two days before the attack, stole server-management information, defaced the website, and deleted some production-system data. Investigators found access from North Korean IP ranges using the PC name “ISONE,” reuse of an overseas relay server seen in the 2011 DDoS and NongHyup incidents, and malware functionality, build algorithms, or key values overlapping with earlier North Korea-attributed cases. The case mattered because it showed continuity in infrastructure and tooling across attacks on South Korean media and critical domestic targets, while the attacker’s message suggested possible follow-on operations against other media organizations.