North Korea behind March web attacks, says McAfee

North Korea or parties closely tied to the country were almost certainly behind the March cyber attacks that took down several South Korean websites, according to a report from computer security company McAfee.

The report contains a detailed analysis of the attacks and how they were carried out.

Working with the governments of both South Korea and the U.S., the company reverse engineered the computer code used in the attacks to uncover its inner workings.

Infected computers that launched the attacks were controlled by two tiers of command server, communications between the systems was encrypted in several different systems and the whole network was designed to self-destruct 10 days after the attacks began, the report said.

Full details are in an article I wrote for Computerworld.

McAfee said it didn’t find a direct link to North Korea, but it came to its conclusion after looking at the architecture of the system and what it was designed to achieve.

“It was to test the response of the South Korean government,” he said. “When you look at who might do that, one actor jumps off the page. The North Korean government would want to see if a future conflict could have a cyber impact as well as a real-life impact.” – Computerworld

The same conclusion was reached in April by an investigation of South Korea’s National Police Agency. (See “North Korea behind Internet attacks, says South.”)

The McAfee report also comes to a worrying conclusion:

While the code and botnet architecture were advanced, the attack itself was very limited and may have been utilized to test and observe how quickly the attack would be discovered, reverse engineered, and mitigated. Armed with this knowledge, the aggressor could launch cyberattacks, possibly in conjunction with kinetic attacks, with a greater understanding of South Korea’s incident response capabilities. As such, the attackers could better understand their own requirements for a successful campaign.

With so much attention paid to this attack and a previous one in July 2009, it will be interesting to see if subsequent attacks — should they come — further refine on the techniques used earlier this year.

The “10 Days of Rain” report can be downloaded here.

Comments are closed.

An affiliate of 38 North