Article Lead Image

Who’s really behind that cyberattack on South Korea?

A North Korean group was the major suspect, but an IP address associated with the attack traces back to China.


Kevin Collier


The jury’s still out on who was behind Wednesday’s massive cyberattack on South Korea, and we may never know the culprit with certainty.

But we do know one thing: the hackers’ Internet protocol (IP) address traced back to China.

The attack, which paralyzed the networks of two banks and three television stations for a few hours, was certainly theatrical. A video showing what some affected computers looked like has found its way to YouTube. It depicts three robot-looking skulls, not unlike the series 800 Terminator, backlit with flashes of lighting. The hacker group, calling itself the Whois Team, wrote in oddly capitalized, unconversational English.

Hi !!!
We have an Interest in Hacking.
This is the Beginning of Our Movement.
User Accounts and All Data are in Our Hands.
Unfortunately, We have deleted Your Data.
We’ll be back Soon.

It also advertises an email address,, that appeared to be inoperative when the Daily Dot attempted to contact the hackers.

This appears to run contrary to the most common speculation: that the attack was launched by the North Korean government. North Korea has long demonstrated it possesses the capability for these attacks; it’s hacked South Korean banks before. It also has the motive, considering the country announced Friday that it had been the victim of cyberattacks from South Korea and the U.S. and hinted that it would retaliate.

The presence of the WhoIs group raises more questions than answers. As Ars Technica notes, it seems there were multiple attacks at the same time, and it’s noteworthy that the attack seemed aimed for disruption, not for stealing data.

It’s also entirely possible that the WhoIs group is not behind most of the network attacks. A representative for LG Uplus, the Internet service provider used by all five of the hacked networks, initially claimed WhoIs was not responsible.

And as for that Chinese IP address? That could mean anything. The U.S. and China have each recently accused each other of attacks, each citing IP addresses coming from the other country. But it’s not much of a challenge for a hacker to spoof an IP address. Besides, as cybersecurity expert Jeff Carr previously told the Daily Dot, China is a perfect scapegoat for any hacker.

“China is probably the perfect target right now for every other country in the world that wants to do cyber-espionage,” he said. “All you’ve got to do is run it through a Chinese IP address. “

Screengrab via Vitahumor/YouTube

Share this article

*First Published:

The Daily Dot