Websites such as those of the presidential office and the Financial Services Commission were brought down by a distributed denial of service (DDoS) attack.
A DDoS attack involves flooding a server with so many requests that it becomes clogged and cannot operate. This is typically done by harnessing a vast network of computers to send the traffic simultaneously and continuously.
Rather than buy and build the computers, hackers usually build this network by infecting PCs with illicit software. At the time of the attacks, local computer security firm AhnLab estimated around 50,000 PCs were involved.
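The paragraphs above describe a DDoS attack as a flood of requests arriving simultaneously from a large number of infected machines. From the defender's side, the tell-tale signature in a web server's own access log is a sudden jump in requests per second spread across many distinct source addresses, which looks quite different from a single misbehaving client. The following example is added here and is not code from the article or from AhnLab; the log lines, IP addresses (from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) and the rate thresholds are all constructed for illustration.

```python
"""Flag one-second windows in a web access log that look like a request flood,
and tell a distributed flood apart from a single-source burst.

Added example with constructed data; the thresholds are illustrative
assumptions for a small site, not values from any real incident.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "common log format":
# 203.0.113.7 - - [03/Mar/2011:10:00:00 +0900] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed log line, or None for junk lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "path": m.group("req").split(" ")[1] if " " in m.group("req") else m.group("req"),
        "status": int(m.group("status")),
    }


def bucket_by_second(records):
    """Group parsed records into one-second buckets keyed by epoch second."""
    buckets = defaultdict(list)
    for r in records:
        buckets[int(r["ts"].timestamp())].append(r)
    return buckets


def classify_windows(lines, rate_threshold=50, min_distinct_sources=20):
    """Return one finding per second whose request count reaches rate_threshold.

    A window is a 'distributed_flood' when the requests come from at least
    min_distinct_sources addresses (the botnet pattern the article describes),
    otherwise a 'single_source_burst' (one noisy client, a different problem).
    """
    records = [r for r in (parse_line(l) for l in lines) if r is not None]
    findings = []
    for second, recs in sorted(bucket_by_second(records).items()):
        if len(recs) < rate_threshold:
            continue
        sources = Counter(r["ip"] for r in recs)
        paths = Counter(r["path"] for r in recs)
        kind = ("distributed_flood" if len(sources) >= min_distinct_sources
                else "single_source_burst")
        findings.append({
            "second": datetime.fromtimestamp(second).isoformat(),
            "kind": kind,
            "requests": len(recs),
            "distinct_sources": len(sources),
            "top_sources": sources.most_common(3),
            "top_paths": paths.most_common(2),
        })
    return findings


def _line(ip, ts, path="/", status=200):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512'


# Constructed sample log: a quiet second, a second flooded by 30 bots sending
# two requests each, a second hammered by one client, and one malformed line.
SAMPLE_LINES = (
    [_line(f"203.0.113.{i}", "03/Mar/2011:10:00:00 +0900") for i in range(1, 6)]
    + [_line(f"198.51.100.{i}", "03/Mar/2011:10:00:01 +0900")
       for i in range(1, 31) for _ in range(2)]
    + [_line("192.0.2.9", "03/Mar/2011:10:00:02 +0900", "/login") for _ in range(55)]
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    for f in classify_windows(SAMPLE_LINES):
        print(f["second"], f["kind"], f["requests"], "requests from",
              f["distinct_sources"], "sources; top paths", f["top_paths"])
```

Per-second request counts alone do not separate a botnet flood from a single abusive client or a legitimate traffic spike; the distinct-source count is what makes the "many machines at once" pattern visible, and the top paths show whether the flood is aimed at a particular endpoint.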
A similar series of DDoS attacks targeted computers in South Korea in July 2009.
“After closely probing a number of Web sites that carried malicious codes, zombie computers and overseas servers that ordered the attacks, the strikes are identical to those of July 7, 2009, in ways of organizing the attack and designing the malicious codes,” an official at the Cyber Terror Response Center of the National Police Agency (NPA) said. – Yonhap News (via Korea Herald), April 6, 2011.
AhnLab agrees that the March attack was carried out in a similar manner to the 2009 attack. It has a fuller, more technical explanation of the attacks on its blog. But AhnLab doesn’t offer any suggestion as to the source of the attacks.
A DDoS attack, like any sophisticated computer hack, is typically difficult to pin down. The infected PCs that carried out the attack were probably located in many countries, but they would have been keeping contact with one or more servers that signaled them when to start attacking.
To find the responsible party, investigators first need to identify the servers. That’s relatively easy if they have an infected PC to examine. But that’s not the end of the trail. You then have to work backwards to find the party controlling the servers, and that might be through other compromised PCs, through encrypted connections or other methods designed to block tracking of data.
It’s often very difficult to track down the true party behind such attacks.
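The passage above describes the first step of the investigation: taking an infected PC and working out which servers it was "keeping contact with" for instructions. In practice that step usually means looking through the host's outbound connection records for a destination it contacts on a regular schedule, since bots typically check in with their command servers at a fixed interval while normal browsing is bursty and irregular. The example below is added here, is not from the article or from any of the investigators it quotes, and runs on constructed connection records; the addresses, ports, interval and thresholds are all assumptions.

```python
"""Pick out regularly-timed ("beaconing") destinations from a host's outbound
connection records, as a first step toward identifying the controlling server.

Added example with constructed data. The records are (epoch_seconds, host,
port) tuples; the thresholds are illustrative assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev


def beacon_candidates(conns, min_connections=5, max_cv=0.2):
    """Return destinations contacted at least min_connections times whose
    inter-connection gaps are nearly constant.

    Regularity is measured as the coefficient of variation (standard deviation
    divided by the mean) of the gaps between successive connections; a value
    near 0 means a fixed check-in period, a value near or above 1 means the
    irregular timing of human-driven traffic.
    """
    by_dst = defaultdict(list)
    for ts, host, port in conns:
        by_dst[(host, port)].append(ts)

    candidates = []
    for dst, times in by_dst.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            candidates.append({
                "dst": dst,
                "connections": len(times),
                "period_s": round(period, 1),
                "cv": round(cv, 3),
            })
    # Most regular destination first
    candidates.sort(key=lambda c: c["cv"])
    return candidates


# Constructed records for one suspected host, relative to an arbitrary base time.
BASE = 1_299_200_000

# A check-in to 198.51.100.23:8080 roughly every five minutes (jitter of a few
# seconds), eight times.
_BEACON = [BASE + t for t in (0, 302, 598, 903, 1199, 1502, 1797, 2101)]
# Ordinary browsing to a web site: bursts, then long idle stretches.
_BROWSING = [BASE + t for t in (0, 14, 400, 402, 1200, 1215, 1900)]
# A destination contacted too few times to judge.
_RARE = [BASE + t for t in (50, 1300, 2000)]

SAMPLE_CONNECTIONS = (
    [(t, "198.51.100.23", 8080) for t in _BEACON]
    + [(t, "203.0.113.10", 443) for t in _BROWSING]
    + [(t, "192.0.2.77", 443) for t in _RARE]
)

if __name__ == "__main__":
    for c in beacon_candidates(SAMPLE_CONNECTIONS):
        host, port = c["dst"]
        print(f"{host}:{port} contacted {c['connections']} times, "
              f"period ~{c['period_s']}s, cv={c['cv']}")
```

As the passage itself cautions, the address this turns up is where the trail starts, not where it ends: the destination may be another compromised machine or a relay, so the same exercise has to be repeated from that server's own records before anything can be said about who was behind it.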
Back in 2009, the South Korean government fingered North Korea as the party behind those attacks. This time, it says some of the same servers were involved and the origin was the same.
“After scrutinizing computers affected by malicious code and overseas servers involved in the March DDoS attack, we discovered the origin of the attack was the same as the July 7, 2009 attack,” said South Korea’s Cyber Terror Response Center, which is under the NPA. – JoongAng Ilbo, April 7, 2011.
“There are over 4.2 billion IP addresses in the world, and it would be impossible for the latest attack to be initiated by a different hacker because it used the same IP address as in the 2009 DDoS attack,” the Cyber Terror Response Center said. – JoongAng Ilbo, April 7, 2011.
So case closed, right?
Not necessarily. Back in 2009, several security researchers who saw the code said they could find absolutely no evidence to support the South Korean government’s claim that the DDoS attack originated in North Korea.
Here’s a story I wrote at the time:
“The timing is auspicious, but none of the data I have suggests North Korea,” Jose Nazario, a senior security researcher at Arbor Networks, told CSO earlier this week. Joe Stewart, director of SecureWorks’ counter-threat unit, told Computerworld, “There’s nothing in there to suggest that it’s state sponsored.” – Computerworld, July 10, 2009.
And in mid-2010, the Associated Press reported that U.S. officials had ruled out North Korea as the source:
U.S. officials have largely ruled out North Korea as the origin of a computer attack last July that took down U.S. and South Korean government websites, according to cybersecurity experts. – Associated Press, July 3, 2010.
The report went on to note that some were suggesting the source could be from within South Korea itself.
Pinpointing the culprits for such attacks is difficult or even impossible, officials say. Some suggest the July 4 weekend attacks a year ago may have been designed as a political broadside.
These officials point suspicions at South Koreans, possibly activists, who are concerned about the threat from North Korea and would be looking to ramp up antagonism toward their neighbor. Several experts familiar with the investigation spoke on condition of anonymity because the results are not final. – Associated Press, July 3, 2010.
South Korea’s National Police Agency hasn’t, to my knowledge, published any technical details of the attack or evidence to back up its claim that it came from within North Korea.
It could be true. North Korea appears to have been building up its cyber capabilities for the last few years, and many experts agree that the country does have the expertise to carry out such an attack.
But so do other countries and individuals.
If anyone has any technical details of the attacks, please email me.