South Korea in ‘emergency mode’ over cyber threat to banks

Authorities in South Korea are in "emergency mode" as they scramble to head off a threatened cyber attack on the nation's biggest banks.

A hacker group known as the Armada Collective on Wednesday said it would hit the country's seven main lenders with distributed denial-of-service — or DDoS — attacks if they failed to pay a ransom in virtual currency bitcoin.

The threats come just a month after the landmark WannaCry cyber attack that infected hundreds of thousands of computers across 150 countries, including South Korea, and which security officials have since linked to North Korea.

This month South Korean web hosting group Nayana paid about $1m to unlock more than 3,400 websites in what is believed to be the largest payout ever following a ransomware case.

"The Financial Supervisory Service went into an emergency mode after seven banks received threatening emails from the Armada Collective," Chung Ki-young, head of the IT team at the FSS, told the Financial Times on Thursday.

"We are preparing for various ways to prevent a DDoS attack, including blocking unnecessary IP addresses, traffic dispersion and the implementation of a clean zone."

DDoS attacks are a commonly used form of cyber attack that aim to overwhelm and immobilise websites by directing huge amounts of traffic at the target. More than 2,200 such attacks occur every day, with China and the US the main culprits, according to Digital Attack Map, which tracks cyber attacks.

So-called "clean zones" are a defensive measure that seeks to undermine DDoS attacks by directing traffic away from the targeted website towards those that can handle the onslaught.

The hackers made the threat via email to seven banks, including South Korea's "big five" — KB Kookmin, Shinhan, Woori, KEB Hana and Nonghyup — demanding payment of about $300,000 in total by Monday.

"Since we don't know when they will unleash their DDoS attack, we will be in emergency mode for a while," said Mr Chung.

The Armada Collective is believed to have extorted hundreds of thousands of dollars from companies around the world since reports of the group began emerging early last year.

However, Cloudflare, a US internet security services group, says the threats are largely empty.

"To date, we've not seen a single attack launched against a threatened organisation," it wrote in an online post last year. "This is in spite of nearly all of the threatened organisations we're aware of not paying the extortion fee."

Patrick Neighorn of cyber security group FireEye echoed the sentiment.

"DDoS issues tend to be less impactful than a lot of other attacks," he said. "The impact is typically much more limited than an effective ransomware worm like WannaCry, economic espionage, or unauthorised bank transfers."

Choi Sang-myung, a researcher from cyber security group Hauri, believes Nayana's $1m payout has emboldened hackers to target Korea, but said the country was well-prepared.

"I believe Korea can handle it since we are experienced and trained after a series of attacks by North Korea," he said. "Even though I think they're bluffing, we should not let our guard down."
