DDoS attack in March likely North Korean work, says McAfee

Research by McAfee points to a DDoS attack on South Korea by its northern neighbor

The cyber attacks that paralysed a handful of major South Korean websites earlier this year were almost certainly carried out by North Korea or parties allied with the country, computer security company McAfee said in a report.

The company's analysis, carried out with the help of the South Korean and US governments, is one of the most thorough yet published on the March attacks, and details how they were carried out, and why they were so difficult to counter.

In investigating the incident, the report draws clear parallels with a similar attack that knocked South Korean and U.S. websites offline in 2009 and comes to an unsettling conclusion: the attacks were likely designed to test South Korea's cyber defense and response, and could be the prelude of a much larger attack in the future.

The attack began on March 4 when thousands of computers started bombarding 14 websites with traffic. The sites included prominent government agencies, South Korean companies and the home page of U.S. Forces Korea. The method, called a distributed denial of service (DDoS) attack, is designed to overwhelm the sites with so many requests that they become overloaded. To genuine users they appear very slow or, in many cases, offline.

The computers that took part in the attack would have been infected earlier with a piece of malicious software that lay dormant, waiting for instructions from control servers, which were themselves compromised computers. In the case of the March attack, these servers made up the middle layer of the infrastructure and were controlled by an additional tier of command computers.

Encryption was used throughout the system to make it more difficult to analyse the messages and computer code. In an extra step to make analysis even more difficult, multiple encryption algorithms were employed at different stages of the system.

The attacks lasted up to 10 days after which time the malicious software was programmed to self-destruct. Key files were deleted and overwritten, and then the master boot record of the disk on which they were stored was corrupted. This would leave the disk unusable, even for the legitimate owner of the computer being used.

After analysing the attack and how it was carried out, researchers had one big question: Why would you build so much sophistication into software designed to carry out a pretty primitive attack?

"DDoS can be done with software from your local cyber criminal," said Dmitri Alperovitch, vice president of threat research for McAfee Labs, in a telephone interview. "The level of effort that went into this one far exceeds any DDoS botnets until now."

The attack didn't try to evade detection -- taking down major websites is guaranteed to draw attention -- but it did seek to impede analysis of the attack, said Alperovitch. The investigators concluded that the attack was political in nature and had a predetermined and narrow focus.

"It was to test the response of the South Korean government," he said. "When you look at who might do that, one actor jumps off the page. The North Korean government would want to see if a future conflict could have a cyber impact as well as a real-life impact."

McAfee didn't find any concrete evidence linking the attacks to North Korea, but Alperovitch said the company is convinced the attack was conducted by the government of the reclusive Asian nation or a group closely allied with it.

The same conclusion was reached by a South Korean government investigation into the attacks.

North and South Korea remain technically at war, having never signed a peace agreement at the close of the Korean War in 1953. The border between the two neighbors is one of the most heavily fortified in the world.

The 2011 attacks showed an additional degree of sophistication over the 2009 attacks, said McAfee. The March incident involved 14 target websites, fewer than a third of the 40 sites hit in 2009, and this time included no websites in the U.S.

"This time they dropped all the U.S. targets," he said. "They know taking down WhiteHouse.gov serves no purpose, and taking down NYSE.com doesn't impact the US economy because they're hitting the website, not the trading system."

The narrower range of targets and enhancements to the command and control systems indicate the attackers learned several lessons from their first attempt in 2009, said Alperovitch. The lessons learned this time could further be developed to ensure greater success the next time around.

Martyn Williams covers Japan and general technology breaking news for The IDG News Service. Follow Martyn on Twitter at @martyn_williams. Martyn's e-mail address is martyn_williams@idg.com
