North Korea Mounted DDoS Attack On South Korea

North Korea, or its sympathisers, were behind the cyber-attacks that paralysed a handful of Websites in South Korea, including a United States military site, earlier this year, according to McAfee.

The malware behind the distributed denial of service attacks that also crippled South Korean government sites were highly sophisticated and had numerous capabilities designed to make it stealthy and resilient, according to an in-depth analysis released by McAfee.

McAfee Given Insight Into Attacks

McAfee researchers worked with representatives from the South Korean and US governments to complete the analysis, which included details on how the attacks were carried out and why they were so difficult to defend against.

The attack began on March 4 when thousands of computers took part in a distributed denial of service attack against 14 Websites in South Korea, including government agencies, prominent businesses and US Forces. The attacks lasted 10 days, after which the malware was designed to self-destruct, according to McAfee.

Considering the botnet was launching a DDoS attack, it was “unusually destructive” Georg Wicherski, a McAfee security researcher, wrote in the company’s blog. “In fact, it was analogous to bringing a Lamborghini to a go-cart race,” Wicherski said.

The botnet, based in South Korea, used multiple encryption algorithms, including AES, RS4 and RSA, to obfuscate numerous parts of the code and configuration, making analysis challenging, according to Wicherski. Over 40 globally distributed command-and-control servers in countries such as the US, Taiwan, Saudi Arabia, Russia and India, dynamically updated infected machines in the botnet with new malware binaries. The botnet had likely infected the machines earlier with malware, which had lain dormant until the instructions were issued to launch the DDoS attack, according to McAfee’s analysis.

After the attack ended, the malware deleted and overwrote key files such as the source code and documents before corrupting the master boot record of the system it was installed on, rendering the machine unbootable.

“The level of encryption and obfuscation at all layers of the malware and its distribution method, as well as the quick follow-on destruction of data and machines, indicate that one of the key objectives was to impede rapid analysis and remediation by the Korean authorities,” Wicherski said.

McAfee researchers compared the incident with a similar attack 20 months earlier, on July 4, 2009, against 40 South Korean and US Websites. The latest attack was “dramatically” more sophisticated, Wicherski said. The attackers clearly learned from the earlier incident, as 14 of the South Korean targets remained the same, but all the US-based sites, including the White House, State Department and the Federal Trade Commission, were dropped. Wicherski said there was a “95 percent chance” that the same group behind the 2009 attacks committed this new attack.

“It was also clear from our analysis of the code that multiple individuals who may not have been in close coordination were responsible for developing its various parts,” Wicherski said.

The attacks were likely designed to test South Korea’s cyber-defence and response, and may have been “an armed cyber-reconnaissance operations Wicherski said. The attackers, whether they are part of the North Korean military as the South Korean government claimed or its sympathisers, are likely testing the defences and reaction time of the government and civilian networks to a well-organised attack, Wicherski concluded.

McAfee acknowledged there was no clear proof that North Korea was behind the attacks.

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.

Recent Posts

Trump’s Truth Social Makes Successful Market Debut

Shares in Donald Trump’s social media company rose about 16 percent after first day of…

5 mins ago

Dutch PM Raises Cyber Espionage Case With China’s Xi

Beijing visit sees Dutch Prime Minister Mark Rutte discuss cyber espionage incident with Chinese President…

53 mins ago

Vodafone Germany Confirms 2,000 Job Losses, Amid European Restructuring

More downsizing at Vodafone after German operation announces 2,000 jobs will be axed, as automation…

17 hours ago

AI Poses ‘Jobs Apocalypse’, Warns Report

IPPR report warns AI could remove almost 8 million jobs in the United Kingdom, with…

18 hours ago

Europe’s Longest Hyperloop Test Track Opens

European Hyperloop Center in the Netherlands seeks to advance futuristic transport technology, despite US setbacks

19 hours ago

NHS Scotland Confirms Clinical Data Published By Ransomware Gang

NHS Dumfries and Galloway condemns ransomware gang for publishing patients clinical data after cyberattack earlier…

20 hours ago