Posts tagged DDoS
North Korea or parties closely tied to the country were almost certainly behind the March cyber attacks that took down several South Korean websites, according to a report from computer security company McAfee.
The report contains a detailed analysis of the attacks and how they were carried out.
Working with the governments of both South Korea and the U.S., the company reverse engineered the computer code used in the attacks to uncover its inner workings.
Infected computers that launched the attacks were controlled by two tiers of command servers, communications between the systems were encrypted using several different methods, and the whole network was designed to self-destruct 10 days after the attacks began, the report said.
Full details are in an article I wrote for Computerworld.
McAfee said it didn’t find a direct link to North Korea, but it came to its conclusion after looking at the architecture of the system and what it was designed to achieve.
“It was to test the response of the South Korean government,” he said. “When you look at who might do that, one actor jumps off the page. The North Korean government would want to see if a future conflict could have a cyber impact as well as a real-life impact.” – Computerworld
The same conclusion was reached in April by an investigation of South Korea’s National Police Agency. (See “North Korea behind Internet attacks, says South.”)
The McAfee report also comes to a worrying conclusion:
While the code and botnet architecture were advanced, the attack itself was very limited and may have been utilized to test and observe how quickly the attack would be discovered, reverse engineered, and mitigated. Armed with this knowledge, the aggressor could launch cyberattacks, possibly in conjunction with kinetic attacks, with a greater understanding of South Korea’s incident response capabilities. As such, the attackers could better understand their own requirements for a successful campaign.
With so much attention paid to this attack and a previous one in July 2009, it will be interesting to see if subsequent attacks — should they come — further refine on the techniques used earlier this year.
The “10 Days of Rain” report can be downloaded here.
The DPRK has made its first comment on allegations that it was behind a cyber attack on a large South Korean bank and, not surprisingly, has denied any involvement.
Last week South Korean prosecutors said they had found evidence that North Korea was behind the April attack, which brought chaos to the computer system and ATM network of Nonghyup Bank for several days. It was one of the most disruptive cyber attacks to date on the South Korean financial system.
Prosecutors made the allegations after examining the laptop of an IBM employee working at the bank. The laptop was apparently used as a gateway into the bank’s network. Software in the computer was similar to that seen in previous attacks, local media quoted the prosecutor as saying.
“We found programming methods that were also detected in the previous two cyber attacks, such as the method of encoding the malicious commands,” senior prosecutor Kim Yeong-dae said at a press briefing.
The way the codes were distributed was similar to that of the previous attacks, and the Internet Protocol (IP) of a server used to control the zombie PC was identical to the one used in the distributed denial-of-service (DDoS) attack in March. Nonghyup was one of the targets in both the former attacks. — Korea Times, May 3, 2011.
The IP address was linked to North Korea’s Ministry of Posts and Telecommunications and was also used in two large denial of service attacks that hit South Korean Internet sites earlier this year and last year, officials said.
The problem with this explanation is that tracing a cyber attack is often much more complicated than finding an IP address.
Highly sophisticated attacks often involve routing commands through multiple PCs. The address detected might be one of several relay machines, usually being used without the owner’s knowledge.
To date, prosecutors have yet to offer any detailed information that conclusively ties the attacks to the DPRK.
To be sure, the North does appear to have the ability to launch such attacks — if the wealth of previous reports on the country’s cyber security expertise is correct — and it fits the sabre-rattling that often takes place between the two neighbors.
The statement was carried on Voice of Korea and KCNA. Here’s the Voice of Korea statement in English:
And here’s the full text as carried on KCNA:
South Korea reportedly met the "greatest banking computer disturbance ever in history", in which the banking computer network of the "National Agricultural Cooperative Federation" has been put at the worst paralysis since April 12. This case caused a great loss and south Korea experienced a hot agony of shame in the eyes of the world. What is at issue is the fact that the group of traitors let the puppet Intelligence Service and prosecution finally announce this case as "done by the north" after making "joint investigation" into it for nearly one month. What the group claimed as evidence to link the case with the DPRK is that the IP used in attacking the said computer network was identical with the IP of the DPRK Ministry of Post and Telecommunications and the attack was based on the delicate and accurate way of remote control whereby its attacker was supposed to be a special cyber unit. It also asserted that such attack was hard to be carried out without mighty human and material resources and this was not an attack for "gaining specified interests" such as stealing fund and data but repeated attack aimed at "indiscriminate destruction." Its assertions are just absurd argument based on unreasonable ground. Even the members of the federation hard hit by what happened, in actuality, refuted the announcement that "the north was responsible for the cyber attack" as a "hasty conclusion" as it lacked scientific accuracy. Even the Defense Security Command of the puppet army known not to lag behind others in investigating cases officially declared that the incident cannot be branded as an "attack made by the north Korean military." Moreover, experts cast doubt about the assertion that "it was done by the north," querying "Had the IPs used for the above-said attack belonged to U.S., Japan or south Korea, the U.S., Japan and south Korea should have been accountable for having created this confusion." 
Last year the south Korean authorities asserted that the "Cheonan" sinking case was "linked with the north" as the propelling body of the torpedo they claimed sank it was inscribed with letters "No. 1." Different circles of south Korea are now widely jeering at them, putting up questions as to how many letters "No. 1" were attached to the IPs which were used for attacking the Federation's banking computer network. In the final analysis, the story about "the north's involvement" spread by the group of traitors is creating fresh suspicion even in its own camp and it is, therefore, derided by people for being one more farce and charade. The above-said story floated by the group is aimed at saving its policy of confrontation with the north from shaking to its very foundation, weathering the crisis of its state administration fully disclosed in the closing years of its rule before and after the April 27 by-election and evade the responsibility for having stemmed the trend of national reconciliation, unity, peace and prosperity. All the developments go to prove that the group of traitors' rumor that "the north was responsible for what happened" is one more farce staged against the nation to realize its sinister attempt and an anti-DPRK charade as ridiculous as the "Cheonan" warship sinking case. There are sayings that one should reflect on one's deed before pulling up others and one had better mind one's own business. The group of traitors should boldly discard its bad habit of finding fault with others. And it should immediately stop its reckless war exercises, waiting for someone's "contingency" to take place, unaware of its situation where it is threatened with total collapse. The group of traitors should bear in mind that the more anachronistic anti-DPRK farce and charade it orchestrates, the bitterer disgrace and fiasco it will face.
Websites such as the presidential office and Financial Services Commission were brought down by the distributed denial of service (DDoS) attack.
A DDoS attack involves flooding a server with so many requests that it becomes clogged and cannot operate. This is typically done by harnessing a vast network of computers to send the traffic simultaneously and continuously.
Rather than buy and build the computers themselves, hackers usually build this network by infecting PCs with illicit software. At the time of the attacks, local computer security firm AhnLab estimated around 50,000 PCs were involved.
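The flood described above leaves a characteristic trace in a web server's own logs: a sudden jump in aggregate request rate spread across many source addresses, none of which individually looks abusive. The following added example, not code from the original post or from any of the firms it cites, shows the simple detection a defender would run over access-log lines. The log lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format: ip ident user [timestamp] "request" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "request": m.group("req"),
        "status": int(m.group("status")),
    }


def bucket_requests(lines, window_s=1):
    """Count requests per source address inside fixed time windows of window_s seconds."""
    buckets = defaultdict(lambda: defaultdict(int))  # window_start -> ip -> count
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        epoch = int(rec["ts"].timestamp())
        buckets[epoch - epoch % window_s][rec["ip"]] += 1
    return buckets


def detect_flood(lines, window_s=1, total_threshold=100, min_sources=20):
    """Flag windows whose aggregate request rate exceeds total_threshold.

    A window with many distinct sources is labelled 'distributed' (botnet-style);
    one dominated by few addresses is 'single-source', which a per-client rate
    limit would already catch. The thresholds are constructed for this example.
    """
    alerts = []
    for start, per_ip in sorted(bucket_requests(lines, window_s).items()):
        total = sum(per_ip.values())
        if total < total_threshold:
            continue
        top_ip, top_count = max(per_ip.items(), key=lambda kv: kv[1])
        alerts.append({
            "window_start": start,
            "total": total,
            "sources": len(per_ip),
            "top_ip": top_ip,
            "top_share": top_count / total,
            "kind": "distributed" if len(per_ip) >= min_sources else "single-source",
        })
    return alerts


def build_sample_log():
    """Constructed sample: 5 s of light normal traffic, then a 2 s flood from 60 hosts."""
    def fmt(ip, sec, path):
        return f'{ip} - - [04/Mar/2011:10:00:{sec:02d} +0900] "GET {path} HTTP/1.1" 200 512'

    lines = []
    for sec in range(5):                      # baseline: 3 requests/s from 3 clients
        for i in range(3):
            lines.append(fmt(f"198.51.100.{i + 1}", sec, "/"))
    for sec in (5, 6):                        # flood: 60 hosts x 3 requests/s each
        for host in range(60):
            for _ in range(3):
                lines.append(fmt(f"203.0.113.{host + 1}", sec, "/"))
    return lines


if __name__ == "__main__":
    for alert in detect_flood(build_sample_log()):
        print(alert)
```

Per-source rate limiting, the usual first reflex, never fires on the constructed flood because each of the 60 hosts sends only three requests a second; the signal is the aggregate count together with the number of distinct sources, which is why the detector reports both.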
A similar series of DDoS attacks targeted computers in South Korea in July 2009.
“After closely probing a number of Web sites that carried malicious codes, zombie computers and overseas servers that ordered the attacks, the strikes are identical to those of July 7, 2009, in ways of organizing the attack and designing the malicious codes,” an official at the Cyber Terror Response Center of the National Police Agency (NPA) said. – Yonhap News (via Korea Herald), April 6, 2011.
AhnLab agrees that the March attack was carried out in a similar method to the 2009 attack. It has a fuller, more technical explanation of the attacks on its blog. But AhnLab doesn’t offer any suggestion as to the source of the attacks.
A DDoS attack, like any sophisticated computer hack, is typically difficult to pin down. The infected PCs that carried out the attack were probably located in many countries, but they would have been keeping contact with one or more servers that signaled them when to start attacking.
To find the responsible party, investigators first need to identify the servers. That’s relatively easy if they have an infected PC to examine. But that’s not the end of the trail. You then have to work backwards to find the party controlling the servers, and that might be through other compromised PCs, through encrypted connections or other methods designed to block tracking of data.
It’s often very difficult to track down the true party behind such attacks.
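The first step described above, identifying the command servers from an infected PC, is usually done by looking for regular "check-in" traffic in the machine's outbound connection records: a bot polls its controller on a fixed schedule, while a user's browsing is irregular. This added example, not code from the original post or from any investigation it cites, ranks destinations by the regularity of their connection intervals; the connection records and addresses are constructed. Note that, as the post says, this only reveals the first hop, which may itself be a relay.

```python
from collections import defaultdict
from statistics import mean, pstdev


def build_sample_connections():
    """Constructed outbound connection records from one infected host.

    Each record is (seconds since capture start, destination IP, destination port).
    """
    recs = []
    for i in range(10):                                # beacon roughly every 60 s, small jitter
        recs.append((i * 60 + (i % 3), "192.0.2.10", 443))
    for t in (5, 7, 130, 131, 400, 900, 905):          # ordinary browsing, irregular timing
        recs.append((t, "198.51.100.20", 80))
    for t in (100, 200):                               # too few connections to judge
        recs.append((t, "198.51.100.30", 443))
    return sorted(recs)


def beacon_candidates(records, min_conns=5, max_cv=0.25):
    """Return destinations whose connection intervals are suspiciously regular.

    Regularity is measured as the coefficient of variation (std dev / mean) of the
    gaps between successive connections; a low value means a fixed polling
    schedule. min_conns and max_cv are constructed thresholds for this example.
    """
    by_dst = defaultdict(list)
    for t, ip, port in records:
        by_dst[(ip, port)].append(t)

    out = []
    for (ip, port), times in by_dst.items():
        times.sort()
        if len(times) < min_conns:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m else float("inf")
        if cv <= max_cv:
            out.append({
                "dst": ip,
                "port": port,
                "connections": len(times),
                "mean_interval": m,
                "cv": cv,
            })
    return sorted(out, key=lambda d: d["cv"])


if __name__ == "__main__":
    for cand in beacon_candidates(build_sample_connections()):
        print(cand)
```

The ranking is only a lead: a legitimately scheduled job (software updates, mail polling) shows the same regularity, so each candidate still has to be checked against what the host is supposed to talk to before it is called a command server.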
Back in 2009, the South Korean government fingered North Korea as the party behind those attacks. This time, it says some of the same servers were involved and the origin was the same.
“After scrutinizing computers affected by malicious code and overseas servers involved in the March DDoS attack, we discovered the origin of the attack was the same as the July 7, 2009 attack,” said South Korea’s Cyber Terror Response Center, which is under the NPA. – JoongAng Ilbo, April 7, 2011.
“There are over 4.2 billion IP addresses in the world, and it would be impossible for the latest attack to be initiated by a different hacker because it used the same IP address as in the 2009 DDoS attack,” the Cyber Terror Response Center said. – JoongAng Ilbo, April 7, 2011.
So case closed, right?
Not necessarily. Back in 2009 several security researchers who saw the code said they could find absolutely no evidence to support the South Korean government’s claim that the DDoS attack originated in North Korea.
Here’s a story I wrote at the time:
“The timing is auspicious, but none of the data I have suggests North Korea,” Jose Nazario, a senior security researcher at Arbor Networks, told CSO earlier this week. Joe Stewart, director of SecureWorks’ counter-threat unit, told Computerworld, “There’s nothing in there to suggest that it’s state sponsored.” – Computerworld, July 10, 2009.
And in mid 2010, the Associated Press reported that U.S. officials had ruled out North Korea as the source:
U.S. officials have largely ruled out North Korea as the origin of a computer attack last July that took down U.S. and South Korean government websites, according to cybersecurity experts. – Associated Press, July 3, 2010.
The report went on to note that some were suggesting the source could be from within South Korea itself.
Pinpointing the culprits for such attacks is difficult or even impossible, officials say. Some suggest the July 4 weekend attacks a year ago may have been designed as a political broadside.
These officials point suspicions at South Koreans, possibly activists, who are concerned about the threat from North Korea and would be looking to ramp up antagonism toward their neighbor. Several experts familiar with the investigation spoke on condition of anonymity because the results are not final. – Associated Press, July 3, 2010.
South Korea’s National Police Agency hasn’t, to my knowledge, published any technical details of the attack or evidence to back up its claim that it came from within North Korea.
It could be true. North Korea appears to have been building up its cyber capabilities for the last few years, and many experts agree that the country does have the expertise to carry out such an attack.
But so do other countries and individuals.
If anyone has any technical details of the attacks, please email me.