U.S. computer security experts didn’t have much of an Independence Day holiday this year, thanks to a massive botnet-driven attack launched on July 4 that initially targeted several federal agency Web sites and then went wider to include assaults on private sector Web entities in America and sites for South Korean government departments.
The denial of service (DoS) attacks, which reportedly began Saturday and were still hammering away as of Tuesday, shut down or slowed response times for Web sites of the Treasury and Transportation departments, the Secret Service, and the Federal Trade Commission, among others. The inclusion of South Korean targets has some officials in that country blaming North Korea or its sympathizers, but cybersecurity analysts say it’s very difficult to lay such DoS attacks at the feet of a particular nation-state.
The Department of Homeland Security’s Computer Emergency Response Team (CERT) did not comment on any possible ties to North Korea, but a spokesperson did say that DHS is aware of the attacks and is advising all the affected agencies on how to help mitigate any problems.
“We see attacks on federal networks every day, and measures in place have minimized the impact on federal Web sites,” DHS deputy press secretary Amy Kudwa told TechNewsWorld. “US-CERT will continue to work with its federal partners and the private sector to address this activity.”
The Nature of the Attack
The offending computer code has been under Joe Stewart’s microscope since the Fourth of July weekend.
It’s not a particularly sophisticated piece of malware, said Stewart, who’s director of malware research at Secure Works. There’s nothing unusual in its antivirus evasion techniques, its command-and-control protocol, or the way it sends data packets slamming up against Web sites to slow or shut them down.
What is curious is its trigger mechanism: On July 5, it started with six U.S. government Web site targets, then expanded to 21 targets on July 6 (with some of those including commercial Web sites in America). On July 7, it removed some previous Web sites from its crosshairs and replaced them with 26 South Korean government agencies.
“They started out with a fairly small attack, then ramped it up in terms of broadness,” Stewart told TechNewsWorld. “If you think about that, that’s making each attack less effective because they’re now having to share that attack bandwidth. They’re more interested in getting attention rather than having real DoS effects on the sites that they’re after. They’re trying to attack whoever they think it important enough to warrant headlines, is how I see it.”
Could North Korea Be the Culprit?
Using a botnet — a network of thousands of infected “zombie” computers unwittingly used to send out nasty code — to stage a denial-of-service attack doesn’t require that much sophistication. It could well be within the reach of a nation-state like North Korea.
If Kim Jong-Il’s regime is behind this attack, “I think it’s a real problem, but I also don’t think North Korea has done anything beyond what script kiddies do,” Gary McGraw, chief technology officer for Cigital, told TechNewsWorld. “Most commercial Web sites are under almost constant denial-of-service attack and have learned to cope with it.”
The difficulties in tracing a botnet-launched DoS attack back to its original source make it tough to hang an intelligence indictment on a hostile country.
“That’s the problem with the Internet,” McGraw said. “In fact, it’s an issue with the Department of Defense, which is trying to figure out war doctrine with cyber warfare. Is a pre-emptive strike allowed? Do you have to put out a ‘flag on your tank,’ as it were? In these cases, it would be fairly straightforward to frame a nation-state or terrorist organization or whatever. That’s the trouble here.”
Technology and Motivation
North Korea may be inconsistent with its missile accuracy, but observers shouldn’t try to equate the quality of that program with its cyberwarfare capabilities, according to Rodger Baker, director of East Asian analysis for Stratfor.
“It’s not a perfect comparison,” Baker told TechNewsWorld. “One of the big differences is that the North Koreans just don’t have the airspace or capability to really test their missile systems. It takes a lot of failures to be successful, and they haven’t done enough testing.
“Actually, given the flight operations they’ve had, their program has been successful,” noted Baker. “With their computer systems, they have more ability to test their attacks. The other thing is, you can often mask where they’re coming from. Who knows if the [cyber] attacks blamed on the Chinese really take place in China?”
North Korea has been working over the better part of the past decade on shoring up its computer warfare capabilities, Baker has found through his own research. Unlike cyberattacks blamed on Chinese or Russian state hackers, where there may be collusion with non-government cyber experts, “in North Korea, it can be assumed that activities coming out of North Korea are much more closely controlled and integrated with the government.”
It could indeed have been Kim’s government launching the latest attack since it occurred between July 4 and Wednesday — the 15th anniversary of Kim il Sung’s death.
“That becomes symbolic,” said Baker. “Also, North Koreans didn’t have another long-range missile ready, and they needed something else to demonstrate their capability for messing around outside of their country.”