Summary

In ASERT’s monitoring of DDoS attacks stemming from hacktivism and geopolitical tensions, it was discovered that South Korea was subject to widespread attacks. This digital assault is targeting various industries, including government and financial institutions, which can create significant disruption to public life.

These attacks mostly consist of direct-path attacks at key websites, including government agencies, tourism, law enforcement, and transportation. The spike first appeared in March 2024 and has been elevated since (Figure 1). This coincides with US-South Korea military drills aimed at preparing for North Korean threats. 

Motivations For the Recent South Korean DDoS Attacks 

Multiple groups are involved in the flurry of DDoS attacks against South Korea. Notable hacktivist group South Korean Company, joined by CyberDragon, has claimed their aggression is due to “Russophobia”. Several other hacktivist groups, including EXECUTOR DDOS, Russian Cyber Army Team, and more, claim they are also involved in the attacks. The overall motive behind the attacks appears to be geopolitical in nature. It's not even just DDoS Hacktivists. There's a huge array of adversaries targeting South Korea during this same time period (Figure 2).

A Secondary DDoS Spike in June

In addition to coinciding with military training operations in March, the second spike in June lines up with comments made by South Korean Ambassador Hwang on June 12, 2024, speaking to the media on behalf of 57 member states of the United Nations and the European Union, including the United States and Japan, on the human rights situation in the Democratic People’s Republic of Korea (DPRK). In the statement, Ambassador Hwang displayed the need to concrete change in DPRK to improve the welfare of its people, as the humanitarian situation is closely linked to its weapons development, creating harsh living conditions and a less peaceful and secure world.  

These statements coincide with a second wave of DDoS attacks recently, leading to questions around the motives and coordination behind the latest round of cyber assaults. Again, these attacks largely target key websites that aid in the smooth operation of society, including the Korean National Police, National Tax Service, and more.  

What We Can Learn

The widespread footprint of these DDoS attacks shows the coordination these adversaries are capable of. Numerous groups are taking credit for attacks and there are a variety of important targets caught in the firefight, showing that geopolitical motivations are a powerful fuel for cyber warfare.

Hacktivist groups have and will continue wage cyber war on political and religious grounds. They have shown a willingness to target any nation that gets in the way of their ideals and goals. Society, including governments, enterprises, and service providers, should be prepared to combat these attacks as their prevalence grows. Having a strong DDoS protection solution in place, like NETSCOUT’s Arbor DDoS, can keep key services, applications, and websites available during attacks to help maintain continuity. 

Read ASERT’s X Thread on these attacks.