Announcement of Interim Investigation Results on the `3.20 Cyber Terror`

2013-04-10 KRCERT Announcement of interim investigation results on '3.20 Cyber Terrorism'

http://www.kisa.or.kr/jsp/common/downloadAction.jsp?bno=8&dno=1112&fseq=1

Attachments

3.20_사이버테러_중간_조사결과_발표.pdf (238 KB)

A South Korean joint civilian-government-military investigation linked the March 2013 broadcast and financial-sector destructive attacks to methods previously associated with North Korean operations, while describing the attribution as based on accumulated evidence. Investigators said malware was distributed through central software or antivirus distribution servers to destroy PCs or delete server data, after attackers had monitored compromised systems for at least eight months. The evidence cited included repeated access from at least six North Korean internal PCs to domestic relay sites, a February 2013 connection from a 175.45.178.x address, reuse of 22 of 49 relay points seen in earlier attacks, and malware code elements observed across 18 related samples. The destructive phase overwrote hard disks at similar times with strings including HASTATI and PRINCPES, and later attacks reused source code or relay infrastructure, supporting the assessment that the incidents were conducted by the same organization.
