North Korea behind Internet attacks, says South
Websites such as the presidential office and Financial Services Commission were brought down by the distributed denial of service (DDoS) attack.
A DDoS attack involves flooding a server with so many requests that it becomes clogged and cannot operate. This is typically done by harnessing a vast network of computers to send the traffic simultaneously and continuously.
Rather than buy and build the computers, hackers usually build this network by infecting PCs with illicit software. At the time of the attacks, local computer security firm AhnLab estimated around 50,000 PCs were involved.
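The flood described above has a recognisable shape in a web server's own access log: the request rate jumps while the number of distinct source addresses jumps with it, because the traffic is spread across thousands of infected PCs rather than one host. The following detector, an added example rather than anything from the original post or from AhnLab, buckets log lines into fixed windows and flags those where both counts exceed a threshold. The log format, thresholds and every log line are constructed assumptions for illustration.

```python
"""Flag distributed request floods in a web-server access log.

Added example, not from the original post: groups requests into fixed
time windows and flags windows where the request count and the number
of distinct source addresses both exceed thresholds. A burst from a
single host is not flagged; that is a different problem from a DDoS.
All log lines used here are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed input: common log format, e.g.
#   203.0.113.5 - - [04/Mar/2011:10:00:00 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {ip, ts, request, status} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, req, status, _ = m.groups()
    return {"ip": ip, "ts": datetime.strptime(ts, TS_FMT), "request": req, "status": int(status)}


def flood_windows(lines, window_seconds=10, min_requests=50, min_sources=20):
    """Return [(window_start, request_count, distinct_sources)] for windows that look
    like a distributed flood: many requests AND many different source addresses.
    Thresholds are assumptions; tune them to the server's normal traffic."""
    buckets = defaultdict(list)  # window start (epoch seconds) -> list of source IPs
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        epoch = int(rec["ts"].timestamp())
        buckets[epoch - epoch % window_seconds].append(rec["ip"])

    flagged = []
    for start in sorted(buckets):
        ips = buckets[start]
        if len(ips) >= min_requests and len(set(ips)) >= min_sources:
            flagged.append((datetime.fromtimestamp(start, tz=timezone.utc), len(ips), len(set(ips))))
    return flagged


def sample_log():
    """Constructed sample: light normal traffic, then a burst from many hosts.
    Addresses come from the documentation ranges (RFC 5737), not real hosts."""
    base = datetime(2011, 3, 4, 10, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, t):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512'

    lines = []
    # Normal: two visitors, one request every couple of seconds.
    for i in range(5):
        lines.append(fmt("203.0.113.5", base + timedelta(seconds=i * 2)))
        lines.append(fmt("203.0.113.9", base + timedelta(seconds=i * 2 + 1)))
    # Flood: 100 distinct hosts, two requests each, inside one 10-second window.
    burst = base + timedelta(seconds=60)
    for i in range(100):
        ip = f"198.51.100.{i + 1}"
        for _ in range(2):
            lines.append(fmt(ip, burst + timedelta(seconds=i % 10)))
    lines.append("this line is deliberately malformed")
    return lines


if __name__ == "__main__":
    for start, n_req, n_src in flood_windows(sample_log()):
        print(f"{start.isoformat()}: {n_req} requests from {n_src} sources")
```

The two thresholds are deliberately separate: a single misbehaving client can exceed `min_requests` on its own and is better handled by per-client rate limiting, whereas a window that also exceeds `min_sources` is the signature of traffic coming from many infected machines at once, which is what makes a DDoS hard to block by address.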
A similar series of DDoS attacks targeted computers in South Korea in July 2009.
“After closely probing a number of Web sites that carried malicious codes, zombie computers and overseas servers that ordered the attacks, the strikes are identical to those of July 7, 2009, in ways of organizing the attack and designing the malicious codes,” an official at the Cyber Terror Response Center of the National Police Agency (NPA) said. – Yonhap News (via Korea Herald), April 6, 2011.
AhnLab agrees that the March attack was carried out in a similar way to the 2009 attack. It has a fuller, more technical explanation of the attacks on its blog. But AhnLab doesn’t offer any suggestion as to the source of the attacks.
A DDoS attack, like any sophisticated computer hack, is typically difficult to pin down. The infected PCs that carried out the attack were probably located in many countries, but they would have been keeping contact with one or more servers that signaled them when to start attacking.
To find the responsible party, investigators first need to identify the servers. That’s relatively easy if they have an infected PC to examine. But that’s not the end of the trail. You then have to work backwards to find the party controlling the servers, and that might be through other compromised PCs, through encrypted connections or other methods designed to block tracking of data.
It’s often very difficult to track down the true party behind such attacks.
Back in 2009, the South Korean government fingered North Korea as the party behind those attacks. This time, it says some of the same servers were involved and the origin was the same.
“After scrutinizing computers affected by malicious code and overseas servers involved in the March DDoS attack, we discovered the origin of the attack was the same as the July 7, 2009 attack,” said South Korea’s Cyber Terror Response Center, which is under the NPA. – JoongAng Ilbo, April 7, 2011.
“There are over 4.2 billion IP addresses in the world, and it would be impossible for the latest attack to be initiated by a different hacker because it used the same IP address as in the 2009 DDoS attack,” the Cyber Terror Response Center said. – JoongAng Ilbo, April 7, 2011.
So case closed, right?
Not necessarily. Back in 2009 several security researchers who saw the code said they could find absolutely no evidence to support the South Korean government’s claim that the DDoS attack originated in North Korea.
Here’s a story I wrote at the time:
“The timing is auspicious, but none of the data I have suggests North Korea,” Jose Nazario, a senior security researcher at Arbor Networks, told CSO earlier this week. Joe Stewart, director of SecureWorks’ counter-threat unit, told Computerworld, “There’s nothing in there to suggest that it’s state sponsored.” – Computerworld, July 10, 2009.
And in mid-2010, the Associated Press reported that U.S. officials had ruled out North Korea as the source:
U.S. officials have largely ruled out North Korea as the origin of a computer attack last July that took down U.S. and South Korean government websites, according to cybersecurity experts. – Associated Press, July 3, 2010.
The report went on to note that some were suggesting the source could be from within South Korea itself.
Pinpointing the culprits for such attacks is difficult or even impossible, officials say. Some suggest the July 4 weekend attacks a year ago may have been designed as a political broadside.
These officials point suspicions at South Koreans, possibly activists, who are concerned about the threat from North Korea and would be looking to ramp up antagonism toward their neighbor. Several experts familiar with the investigation spoke on condition of anonymity because the results are not final. – Associated Press, July 3, 2010.
South Korea’s National Police Agency hasn’t, to my knowledge, published any technical details of the attack or evidence to back up its claim that it came from within North Korea.
It could be true. North Korea appears to have been building up its cyber capabilities for the last few years, and many experts agree that the country does have the expertise to carry out such an attack.
But so do other countries and individuals.
If anyone has any technical details of the attacks, please email me.
This entry was posted by Martyn Williams on April 9, 2011 at 17:20, and is filed under Hacking, Internet, Security.