Investigation into cyberattacks stretches around the globe

British authorities are investigating a critical server used in the attacks, which is pinpointed to Miami

British authorities have launched an investigation into the recent cyberattacks that crippled Web sites in the U.S. and South Korea, as the trail to find the perpetrators stretches around the world.

On Tuesday, the Vietnamese security vendor Bach Khoa Internetwork Security (Bkis) said it had identified a master command-and-control server used to coordinate the denial-of-service attacks, which took down major U.S. and South Korean government Web sites.

A command-and-control server is used to distribute instructions to zombie PCs, which form a botnet that can be used to bombard Web sites with traffic, rendering the sites useless.

The server was on an IP (Internet Protocol) address used by Global Digital Broadcast, an IP TV technology company based in Brighton, England, according to Bkis.

That master server distributed instructions to eight other command-and-control servers used in the attacks.

Bkis, which managed to gain control of two of the eight servers, said that 166,908 hacked computers in 74 countries were used in the attacks and were programmed to get new instructions every three minutes.

But the master server isn't in the U.K.; it's in Miami, according to Tim Wray, one of the owners of Digital Global Broadcast, who spoke to IDG News Service on Tuesday evening, London time.

The server belongs to Digital Latin America (DLA), which is one of Digital Global Broadcast's partners. DLA encodes Latin American programming for distribution over IP TV-compatible devices, such as set-top boxes.

New programs are taken from satellite and encoded into the proper format, then sent over VPN (Virtual Private Network) to the U.K., where Digital Global Broadcast distributes the content, Wray said.

The VPN connection made it appear the master server belonged to Digital Global Broadcast when it actually is in DLA's Miami data center.

Engineers from Digital Global Broadcast quickly discounted that the attacks originated with the North Korean government, which South Korean authorities have suggested may be responsible.

Digital Global Broadcast was notified of a problem by its hosting provider, C4L, Wray said. His company has also been contacted by the U.K.'s Serious Organized Crime Agency (SOCA). A SOCA official said she could not confirm or deny an investigation.

Amaya Ariztoy, general counsel for DLA, said the company examined the server in question today and found "viruses" on it.

"We are doing an investigation internally," Ariztoy said.

Investigators will need to seize that master server for forensic analysis. It's often a race against the hackers, since if the server is still under their control, critical data could be erased that would help an investigation.

"It's a tedious process and you want to do it as quickly as possible," said Jose Nazario, manager of security research for Arbor Networks.

Data such as log files, audit trails and uploaded files will be sought by investigators, Nazario said. "The holy grail you are looking for are pieces of forensics that reveal where the attacker connected from and when," he said.

To conduct the attacks, the hackers modified a relatively old piece of malware called MyDoom, which first appeared in January 2004. MyDoom has e-mail worm characteristics and can also download other malware to a PC and be programmed to conduct denial-of-service attacks against Web sites.

Analysis of the MyDoom variant used in the attacks isn't that impressive. "I still think the code is pretty sloppy, which I hope means they [the hackers] leave a good evidence trail," Nazario said.

Join the CSO newsletter!

Error: Please check your email address.

Tags cyberattackscybersecurityhacking

More about Arbor NetworksCA TechnologiesDLAetwork

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts