S. Korea, US attacks possibly launched by N. Korea

S. Korea, US attacks possibly launched by N. Korea

Summary: Distributed denial-of-service attacks on both countries' government and military sites in 2009 and March this year may have been "armed reconnaissance operation" deployed by North Korea's cyber army, suggests security researcher.

SHARE:

The distributed denial-of-service (DDoS) attacks on government Web sites of both South Korea and United States in 2009 and more recently in March this year could have been a "reconnaissance operation" by a cyber army launched on behalf of North Korea.

This assessment was put forward by Georg Wicherski, a security researcher at McAfee Labs, who wrote in a blog post Wednesday detailing how a botnet based out of South Korea launched DDoS attacks against 40 sites affiliated with the local government, military and civilian critical infrastructure on Mar. 4 this year. It also targeted U.S. Forces Korea and the U.S. airforce base in Kunsan, South Korea, he noted.

Wicherski went on to make the link between 14 of the sites in the 2011 attack with those targeted in the July 2009 attacks, noting in his post that the modus operandi was "identical [but] unusually destructive" for typical botnet attacks.

News agency Fox News reported in 2009 that the DDoS attacks took down South Korea's presidential Blue House, the Defense Ministry, Shinhan Bank and Internet portal Naver, as well as American sites such as the National Security Agency, Homeland Security Department, State Department, the Nasdaq stock market and The Washington Post.

Instead of preserving the botnets, in which infected PCs are hijacked and controlled by a master computer, for as long as possible to run other criminal online activities, Wicherski said the people behind the South Korean botnet brought down the systems the DDoS attacks were deployed on by "deleting key data files such as source codes, documents and then zeroing out the Master Boot Record to render these computers unbootable".

The researcher then added that these two attacks had a 95 percent chance of being perpetrated by the same masterminds, who have "very clear anti-Korean and anti-U.S. political motivations".

"This may very well have been a test, an armed cyber reconnaissance operation of sorts, perhaps conducted by the North Korean military, as the South Korean National Intelligence Agency has asserted, to test the defenses and, more importantly, the reaction time of the Korean government and civilian networks to a well-organized and highly obfuscated attack," Wicherski surmised.

Such attacks would be "invaluable" for North Korea in light of possible future armed confrontation on the peninsula, since cyberspace has become the "fifth battle space dimension" in addition to land, air, sea and space, added the McAfee researcher.

Beefing up cybersecurity
To counter cyberthreats and aggression from across its border, the South Korean military and Korea University announced last week that they inked a deal to set up a cyber defense program aimed specifically at training students in cyber warfare. The training program will cover a spectrum of courses from deciphering enemy codes and cryptography to cyber warfare tactics and strategies, according to a ZDNet Asia report.

The South Korean government earlier in 2010 also installed digital "bunkers"--which refer to a new IP address served to a business that is under persistent DDoS attack, but lacks the funds or resources to protect itself--to prevent a repeat of the DDoS attacks. According to a report by ZDNet Asia's sister site, ZDNet Australia, the attacks in 2009 forced blasé local telcos to cooperate with KrCERT and forge these bunkers to protect the nation's small and midsize businesses.

Topics: IT Employment, Government, Government Asia, Security

Kevin Kwang

About Kevin Kwang

A Singapore-based freelance IT writer, Kevin made the move from custom publishing focusing on travel and lifestyle to the ever-changing, jargon-filled world of IT and biz tech reporting, and considered this somewhat a leap of faith. Since then, he has covered a myriad of beats including security, mobile communications, and cloud computing.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

1 comment
Log in or register to join the discussion
  • How do you know the difference between a DDoS attack and just having your content being blocked/filtered by the government?
    davidlee.berry@...