Posts tagged AhnLab
Investigators looking into last week’s cyber attack on South Korean banks and broadcasters have reportedly found more IP (Internet Protocol) addresses linked to the attacks, but one security expert I spoke to said that might mean nothing.
The National Police Agency said it has traced some of the malicious code to addresses in the United States and three European countries, according to Yonhap. No further details were released by the NPA.
The news comes after investigators last week publicly announced a Chinese address as linked to the attack, but then withdrew the accusation a day later. It turned out the address was correct and, on the global Internet, belonged to a machine in China, but in the context of this attack it was being reused by Nonghyup Bank on its internal network.
The attacks began at 2pm on March 20 and hit an estimated 32,000 machines at three broadcasters, KBS, MBC and YTN, and three banks, Kookmin Bank, Nonghyup Bank and Jeju Bank. The contents of the hard disk drives on many of the machines were wiped clean.
Part of the investigation is centered on discovering the source — especially a smoking-gun link to many people’s favorite suspect: North Korea — but it’s so far come up empty.
That’s because tracing the source of a cyber attack is really difficult, if not impossible, said Brian Laing, vice president of marketing and business development at AhnLab’s office in Silicon Valley.
“It varies depending on the level of attacker,” said Laing, who said he has been involved in the technical side of cyber security since the 1990s.
Sometimes the IP address can directly locate a hacker, said Laing. He once found a hacker based at a university computer lab thanks to the address, but only because the hacker was directly accessing the server without routing his traffic through other machines or using obfuscation techniques. In that case, he was able to determine the precise terminal in the lab that was being used.
Today, though, it’s often much tougher.
“Most of the time, people are going through a network of owned machines or they are bouncing [their data traffic] off various proxies and in and out of the Tor network, so it can be very difficult to ultimately trace it back to an IP address,” he said.
Proxy servers work as intermediate relays for traffic, while the Tor network is a global system for anonymizing traffic. Tor makes it all but impossible to discover the ultimate source of an attack.
The highly anonymous nature of Tor makes it popular with dissidents and people in authoritarian countries, but it’s also popular with hackers and those involved in illegal activities.
Laing said it doesn’t take a state-sponsored hacker to execute an anonymous attack these days. Often the software involved can be downloaded from hacker web sites.
“You’ve got multiple stories of kids downloading various botnet access, infecting small numbers of machines and then infecting other networks. You don’t even need an organization behind you,” said Laing.
So chasing IP addresses, if the attackers are clever, could be an exercise in futility.
But there are other ways to identify a hacker, or at least get an idea of who they are.
“You break down the code and see certain things in the code that tie back to the individual,” he said.
The software code will sometimes provide clues such as snippets of a certain language, styles of writing code or pieces reused from other attacks. All of those can help build up a profile of the author.
The increasing number of anonymous attacks and those launched for financial gain marks a big change in the threat landscape.
“I liken it to graffiti,” he said.
“Graffiti started and still is an art form, but it has devolved into people tagging their names wherever they can. Cyber attacking is the opposite. It was people blasting things out and defacing websites to gain standing and recognition, but now attackers are lying in wait and trying to remain undetected.”
The mysterious cyber attack that hit an estimated 32,000 computers at South Korean TV stations and banks last week is looking more interesting, based on the latest analysis from computer security companies.
The first immediate analysis concluded that the malicious software was pretty unsophisticated, in part because it was based on a piece of malware that has been known for a year or so and because the commands in the code were not hidden.
That still seems to be true, but more data about the malware is coming out as researchers spend more time with it.
Fortinet on Friday said there were two different pieces of software, either of which, once on a machine, would install one of four routines that ultimately wiped the hard disk. The wiper programs were triggered by the absence of a file or certain memory data, or by the current time.
It’s that latter one that triggered the attack at 2pm, as can be seen in this piece of code:
That software would trigger at 2pm and write “HASTATI” over the hard disk directory, thus rendering it useless. A second wiper triggered at 3pm local time and wrote “PR!NCPES” over the disk content.
But the most interesting information from Fortinet came in an interview with The Guardian.
Guillaume Lovet, threat response manager for Fortinet in Paris, said: “In examining some of the code for the malware responsible for the attack, we’ve found that it refers to a RAT – a remote access tool. That’s not a phrase a normal virus writer would use. That’s more like a professional.” He explained: “My feeling is that the author of this is not a typical virus writer. So it could be a government-led attack.”
But, he added, “if it is, then it’s the least sophisticated attack that we have seen in years.” — The Guardian, March 22, 2013
So, the source of the attack is becoming more interesting.
Pretty quickly South Korean investigators announced they had traced the source of the attack to a computer in China, but a day later had to retract that information.
The Korea Communications Commission had found a Chinese Internet address as the source of the infection, but said a day later that the address was, in fact, one used by Nonghyup Bank. On the Internet, the address was pointing to a computer in China, but Nonghyup had reused it on its internal network, reported The AP in Seoul.
Meanwhile, South Korea’s AhnLab said the software was distributed to computers in the companies through patch management servers. These are in-company computers that distribute software patches to computers in the organizations. IDs and passwords for the servers had been stolen to provide access.
“Once the attackers had access to the patch management system they used it to distribute the malware much like the system distributes new software and software updates,” said AhnLab.
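The patch-server route described above works because endpoints install whatever the server hands them once someone has the server’s credentials. One mitigation is for endpoints to verify each package against a manifest signed with a key the patch server never holds, so stolen server logins alone cannot push a new binary. The following is an added example, not AhnLab’s code or any vendor’s product; it uses an HMAC as a stand-in for a public-key signature because the Python standard library has no asymmetric signing (in practice an Ed25519 or RSA signature from an offline release key would fill that role), and the file names, bytes and key are constructed for illustration.

```python
"""Endpoint-side package verification (added example, stand-in HMAC signature)."""
import hashlib
import hmac
import json


def sign_manifest(files: dict[str, bytes], signing_key: bytes) -> dict:
    """Build a manifest of SHA-256 digests and sign it.

    In the intended deployment this runs on the release/build system, not on
    the patch distribution server, so a compromised server cannot re-sign.
    """
    digests = {name: hashlib.sha256(data).hexdigest()
               for name, data in sorted(files.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"files": digests,
            "sig": hmac.new(signing_key, body, hashlib.sha256).hexdigest()}


def verify_package(manifest: dict, files: dict[str, bytes],
                   verify_key: bytes) -> tuple[bool, str]:
    """Return (ok, reason). Refuse on any mismatch, missing or unlisted file."""
    digests = manifest.get("files", {})
    body = json.dumps(digests, sort_keys=True).encode()
    expected = hmac.new(verify_key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself leaks nothing useful.
    if not hmac.compare_digest(expected, manifest.get("sig", "")):
        return False, "manifest signature mismatch"
    for name, digest in digests.items():
        if name not in files:
            return False, f"missing file {name}"
        if hashlib.sha256(files[name]).hexdigest() != digest:
            return False, f"hash mismatch for {name}"
    extra = set(files) - set(digests)
    if extra:
        # A file the signer never listed must not be installed either.
        return False, f"unlisted files: {sorted(extra)}"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-release-signing-key"   # constructed, not a real key
    genuine = {"update.exe": b"legitimate update bytes", "readme.txt": b"notes"}
    manifest = sign_manifest(genuine, key)
    print("genuine:", verify_package(manifest, genuine, key))
    # Attacker with patch-server access swaps the binary but cannot re-sign.
    swapped = dict(genuine, **{"update.exe": b"something else entirely"})
    print("swapped binary:", verify_package(manifest, swapped, key))
```

The check is deliberately strict: a package with an extra file is rejected even when every listed file matches, because the attack described above did not need to alter an existing update, only to add a new one.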
The company didn’t provide any guesses for the source of the attack — but, somewhat unusually, it was happy to let someone else do so. In a press release, the company included speculation that the hack was based in North Korea.
The malware code for the attack was likely developed by Chinese sources and used by hackers from North Korea, according to Ryou Jae Cheol, a professor of computer engineering and securities at Chungnam National University in a statement to BusinessWeek Magazine. — AhnLab press release, March 22, 2013.
Here’s the actual quote:
“Discovering that the code was from China makes it more likely that the attack was from North Korea, because a lot of North Korean hackers operate there,” said Ryou Jae Cheol, a professor of computer engineering and securities at Chungnam National University. “Who else would be making this kind of attack at this scale and timing other than North Korea?” — Bloomberg Businessweek, March 21, 2013.
The professor is responding to the Korea Communications Commission’s announcement that the attack was traced to a Chinese Internet address, something that’s now been corrected. That correction went out about 12 hours before AhnLab issued its press release at 2:21pm EDT on Friday.
North Korea hasn’t directly said anything about the attacks in South Korea or the various theories raised in Seoul and the global media that it might be behind the incident.
But on March 20 — the day Seoul was hit by the attacks — it did choose to complain about speculation that an Internet outage that took its websites offline the prior week was part of a domestic plan.
It also rubbished speculation that it might launch retaliatory attacks on South Korea — hours before it would be accused of just that.
Here’s the full KCNA report:
Pyongyang, March 20 (KCNA) — Some days ago, leading internet websites of the DPRK were hit hard by virus attacks. The south Korean puppet regime is letting its paid experts spread the rumor that “it is likely to be a charade orchestrated by the north”. The ultra-right conservative media are hyping this rumor by echoing their assertion.
Minju Joson Wednesday in a bylined commentary observes in this regard:
It is as clear as a pikestaff who mounted the cyber attacks as it was timed to coincide with the nuclear war exercises staged by the U.S. and south Korean warmongers against the DPRK.
The south Korean regime is spreading the rumor because of its guilty conscience.
What merits a serious attention is that it is letting loose even sophism that a vicious code with function of Ddos attack which they suspect it is “made by the north” is detected without let-up, “the north is going to attack main facilities with cyber terror” and that “the north may make a retaliatory provocation”. On Mar. 15, it “served such warning that the north may cause a Ddos attack in the light of the fact that it targets mainly websites of military generals different from the attack made to gather financial information, etc.” This propaganda is aimed at implanting anti-DPRK hostility into the minds of south Koreans and justifying the policy for confrontation with fellow countrymen and war. This goes to prove that the cyber attacks on the DPRK were perpetrated according to the carefully worked out scenario in advance.
The rumor floated by the south Korean regime about cyber attacks on the DPRK is little short of another anti-DPRK farce orchestrated by it with the backing of the U.S. to secure a pretext for igniting a war against the DPRK.
The ceaseless ridiculous plots hatched by the puppet forces for a war of aggression against the DPRK would only bring into bolder relief their true colors and precipitate their self-destruction.
A cyber attack on three of South Korea’s major broadcasters and several of its major banks appears to have been caused by a relatively unsophisticated piece of software, security researchers said Wednesday. [Story updated, see below]
The attacks, which began at around 2pm local time on Wednesday (05:00 UTC), left desktop and laptop computers unable to start at KBS, MBC and YTN and took the automated teller machines at Shinhan Bank and Nonghyup Bank offline. It didn’t affect the ability of the TV stations to put out programming.
The root of the attack was a malicious piece of software identified by computer security company Sophos Labs as “Mal/EncPk-ACE.” The rather forgettable name has resulted in it being dubbed “DarkSeoul” by researchers at the company who analyzed the code on Wednesday.
“What’s curious is that the malware is not particularly sophisticated. Sophos products have been able to detect the malware for nearly a year, and the various commands embedded in the malicious code have not been obfuscated,” the company said in a blog posting.
For that reason — and based on its analysis of the software code alone — Sophos said it’s difficult to conclude the malicious software constituted a “cyberwarfare” attack from North Korea.
Whatever the source, the software was directed at South Korean computers because it attempts to disable two popular local anti-virus scanners, AhnLab and Hauri AV, Sophos said.
When a computer is infected, the software appears to create several files in the “temp” folder of the PC, AhnLab said in a blog posting. The new files include a routine to destroy the master boot record of the disk — the hard disk’s electronic directory of where information is stored.
A computer with a damaged master boot record won’t start — exactly the behavior reported by companies hit by the attack.
In some cases, the malicious code will attempt to overwrite data on the hard disk. Researchers said the data was overwritten with the word “PRINCPES” in some cases, while others saw the words “HASTATI” and “NCPES” used.
Versions were detected that attack Windows XP, Windows 7 and several lesser-used operating systems including Linux, HP-UX, Solaris and AIX.
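The two wiper behaviours described on this page, the master boot record being destroyed (just above) and the disk being overwritten with the strings “HASTATI” and “PR!NCPES”/“PRINCPES” at the 2pm and 3pm triggers (in the Fortinet post earlier), both leave traces in the first sectors of a disk image. The following is an added forensic triage example, not code from Sophos, AhnLab or Fortinet: it parses the 512-byte MBR for its boot signature and partition table, scans the first sectors for the marker strings the article reports, and returns a verdict. The sample images it builds are constructed, and the marker list is taken only from the strings quoted on this page.

```python
"""Disk-image triage for MBR damage and known wiper markers (added example)."""

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
# Overwrite strings reported for the March 2013 wipers, as quoted in the article.
# "NCPES" is a fragment of "PRINCPES" and is matched by it.
WIPER_MARKERS = [b"HASTATI", b"PR!NCPES", b"PRINCPES"]


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-signature status and any non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR sector must be exactly 512 bytes")
    partitions = []
    for i in range(4):                       # four 16-byte entries at offset 446
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        if any(entry):
            partitions.append({
                "bootable": entry[0] == 0x80,
                "type": entry[4],
                "lba_start": int.from_bytes(entry[8:12], "little"),
                "sectors": int.from_bytes(entry[12:16], "little"),
            })
    return {"boot_signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "partitions": partitions}


def find_markers(data: bytes) -> dict:
    """Count occurrences of each known wiper marker found in data."""
    return {m.decode(): data.count(m) for m in WIPER_MARKERS if m in data}


def triage_image(image: bytes, sectors_to_scan: int = 64) -> dict:
    """Combine MBR structure and marker scan of the first sectors into a verdict."""
    info = parse_mbr(image[:SECTOR])
    info["markers"] = find_markers(image[: SECTOR * sectors_to_scan])
    info["verdict"] = ("wiped" if info["markers"] or not info["boot_signature_ok"]
                       else "intact")
    return info


def make_clean_mbr() -> bytes:
    """Constructed sample: one bootable NTFS-type partition, valid signature."""
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\xeb\x3c\x90"               # typical jump at start of boot code
    entry = (bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0])
             + (2048).to_bytes(4, "little") + (1000000).to_bytes(4, "little"))
    mbr[446:462] = entry
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def make_wiped_image(marker: bytes = b"PRINCPES", sectors: int = 8) -> bytes:
    """Constructed sample: the first sectors overwritten with a repeated marker."""
    return (marker * (SECTOR * sectors // len(marker) + 1))[: SECTOR * sectors]


if __name__ == "__main__":
    print("clean :", triage_image(make_clean_mbr()))
    print("wiped :", triage_image(make_wiped_image())["verdict"])
    print("wiped :", triage_image(make_wiped_image(b"HASTATI"))["markers"])
```

A real image is read with `open(path, "rb").read(SECTOR * 64)`; anything shorter than one sector raises rather than being silently classified. The verdict is deliberately conservative: a missing boot signature counts as wiped even when no marker is found, since the machines here failed to start regardless of which string was written.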
Separately from the malicious software, network analysis company Renesys said it detected an impact in several South Korean networks as a result of the attack.
“We observed 5 routed networks of Korea Broadcasting System go down at 05:54:18 UTC this morning (20 March). At the time of this writing they are still down. The Yonhap News Network (YTN) also experienced outages of two of its networks today at 05:54:30 UTC and 06:29:26 UTC.”
Renesys said it also noticed network problems at Korea Gas Corp., which saw its networks go completely offline for two hours from 15:26:30 local time (6:26:30 UTC). Three networks at Shinhan Bank also went offline at the same time.
The problems at Korea Gas could be coincidental, but Renesys notes that South Korea’s 15,000 networks are usually pretty reliable, with only 40 or 50 offline at any one time, usually for technical reasons.
“However, networks from these sectors (Media, Energy, and Banking) are typically some of the most stable, and the timing of their simultaneous outages seems suspicious.”
03/22 UPDATE: Korea Gas contacted Renesys to tell it the network was deliberately taken offline when the attacks were reported to protect its system.
The attack came less than a week after North Korea’s considerably smaller Internet was hit by an unknown glitch that made web sites difficult to reach for almost two days. North Korea blamed the U.S. and its allies for a cyber attack but offered no other details of the incident, which was only reported in the country’s foreign media output.
“Since last week’s disruption in connectivity in North Korea, we have observed additional brief routing outages for the four routed networks of North Korea. On Monday (18 March) and this morning (20 March), we observed outages lasting for just a few minutes in North Korea. It should be noted that although North Korea’s Internet is small, it is very stable. Until last week, North Korean outages had been very rare.”
Additionally, an attack on the website of Internet provider LG Uplus is looking increasingly like it was unrelated to the troubles at the TV stations and banks. The attack resulted in replacing the service’s home page with a page that claimed responsibility in the name of “Team Whois.”
The same behavior wasn’t reported in the other attacks and Sophos said it had been unable to replicate it.
Websites such as the presidential office and Financial Services Commission were brought down by the distributed denial of service (DDoS) attack.
A DDoS attack involves flooding a server with so many requests that it becomes clogged and cannot operate. This is typically done by harnessing a vast network of computers to send the traffic simultaneously and continuously.
Rather than buy and build the computers, hackers usually build this network by infecting PCs with illicit software. At the time of the attacks, local computer security firm AhnLab estimated around 50,000 PCs were involved.
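The flood just described shows up in a server’s own access log as many sources each sending far more requests than a person would in a short window. The following is an added example, not code from AhnLab or any of the parties named here: it parses common-log-format lines, keeps a sliding per-source window, and reports which sources exceeded a rate limit and whether enough of them did so to call the flood distributed. The log lines it generates are constructed (documentation-range addresses, a made-up timestamp), and the thresholds are assumptions to be tuned per site.

```python
"""Rate-based detection of a distributed flood in access logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (source_ip, timestamp) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def detect_flood(lines, window_s: int = 10, per_ip_limit: int = 20,
                 min_sources: int = 3) -> dict:
    """Flag sources exceeding per_ip_limit requests in any window_s-second span.

    offenders maps each flagged source to its peak in-window request count;
    distributed is True when at least min_sources sources were flagged.
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e[1])          # do not trust log ordering
    recent = defaultdict(deque)              # ip -> timestamps inside the window
    offenders = {}
    for ip, ts in events:
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > per_ip_limit:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return {"offenders": offenders,
            "distributed": len(offenders) >= min_sources,
            "sources_seen": len(recent)}


def build_sample_log() -> list[str]:
    """Constructed traffic, not real data: five bots flood, two people browse."""
    base = datetime(2013, 3, 20, 14, 0, 0, tzinfo=timezone(timedelta(hours=9)))
    bots = [f"203.0.113.{n}" for n in (10, 11, 12, 13, 14)]
    people = {"198.51.100.7": [0, 5, 9], "198.51.100.8": [2, 6]}
    lines = []
    for second in range(10):
        ts = (base + timedelta(seconds=second)).strftime(TS_FMT)
        for ip in bots:                      # 3 requests/second each
            for _ in range(3):
                lines.append(f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 512')
        for ip, secs in people.items():
            if second in secs:
                lines.append(f'{ip} - - [{ts}] "GET /news HTTP/1.1" 200 8192')
    return lines


if __name__ == "__main__":
    result = detect_flood(build_sample_log())
    print("distributed:", result["distributed"])
    for ip, peak in sorted(result["offenders"].items()):
        print(f"  {ip}: {peak} requests in window")
```

Per-source rate limits alone will not stop a botnet, since each infected PC can stay under the threshold; that is why the check also counts how many sources tripped it, which is the signal that separates a crowd of bots from one misbehaving client.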
A similar series of DDoS attacks targeted computers in South Korea in July 2009.
“After closely probing a number of Web sites that carried malicious codes, zombie computers and overseas servers that ordered the attacks, the strikes are identical to those of July 7, 2009, in ways of organizing the attack and designing the malicious codes,” an official at the Cyber Terror Response Center of the National Police Agency (NPA) said. – Yonhap News (via Korea Herald), April 6, 2011.
AhnLab agrees that the March attack was carried out in a similar method to the 2009 attack. It has a fuller, more technical explanation of the attacks on its blog. But AhnLab doesn’t offer any suggestion as to the source of the attacks.
A DDoS attack, like any sophisticated computer hack, is typically difficult to pin down. The infected PCs that carried out the attack were probably located in many countries, but they would have been keeping contact with one or more servers that signaled them when to start attacking.
To find the responsible party, investigators first need to identify the servers. That’s relatively easy if they have an infected PC to examine. But that’s not the end of the trail. You then have to work backwards to find the party controlling the servers, and that might be through other compromised PCs, through encrypted connections or other methods designed to block tracking of data.
It’s often very difficult to track down the true party behind such attacks.
Back in 2009, the South Korean government fingered North Korea as the party behind those attacks. This time, it says some of the same servers were involved and the origin was the same.
“After scrutinizing computers affected by malicious code and overseas servers involved in the March DDos attack, we discovered the origin of the attack was the same as the July 7, 2009 attack,” said South Korea’s Cyber Terror Response Center, which is under the NPA. – JoongAng Ilbo, April 7, 2011.
“There are over 4.2 billion IP addresses in the world, and it would be impossible for the latest attack to be initiated by a different hacker because it used the same IP address as in the 2009 DDoS attack,” the Cyber Terror Response Center said. – JoongAng Ilbo, April 7, 2011.
So case closed, right?
Not necessarily. Back in 2009 several security researchers who saw the code said they could find absolutely no evidence to support the South Korean government’s claim that the DDoS attack originated in North Korea.
Here’s a story I wrote at the time:
“The timing is auspicious, but none of the data I have suggests North Korea,” Jose Nazario, a senior security researcher at Arbor Networks, told CSO earlier this week. Joe Stewart, director of SecureWorks’ counter-threat unit, told Computerworld, “There’s nothing in there to suggest that it’s state sponsored.” – Computerworld, July 10, 2009.
And in mid 2010, the Associated Press reported that U.S. officials had ruled out North Korea as the source:
U.S. officials have largely ruled out North Korea as the origin of a computer attack last July that took down U.S. and South Korean government websites, according to cybersecurity experts. – Associated Press, July 3, 2010.
The report went on to note that some were suggesting the source could be from within South Korea itself.
Pinpointing the culprits for such attacks is difficult or even impossible, officials say. Some suggest the July 4 weekend attacks a year ago may have been designed as a political broadside.
These officials point suspicions at South Koreans, possibly activists, who are concerned about the threat from North Korea and would be looking to ramp up antagonism toward their neighbor. Several experts familiar with the investigation spoke on condition of anonymity because the results are not final. – Associated Press, July 3, 2010.
South Korea’s National Police Agency hasn’t, to my knowledge, published any technical details of the attack or evidence to back up its claim that it came from within North Korea.
It could be true. North Korea appears to have been building up its cyber capabilities for the last few years, and many experts agree that the country does have the expertise to carry out such an attack.
But so do other countries and individuals.
If anyone has any technical details of the attacks, please email me.