An analysis by anti-malware firm McAfee says that attacks against South Korean government and U.S. military Websites most likely came from North Korea.
Analysis of the March 2011 attacks and of the malware used to carry them out suggests that the mission was carried out by forces in North Korea in order to measure the incident response capabilities of South Korea. The two nations are technically still at war, following the armistice of July 1953.
McAfee said that it first detected the distributed denial of service (DDoS) attacks on March 4, 2011, coming from compromised hosts in South Korea. The targets were Korean government and military Websites and the network of U.S. Forces Korea (USFK). While the DDoS resembled other denial of service attacks, subsequent analysis of the attack and the malware used in it revealed key differences. For one, the attack lasted just 10 days, at the conclusion of which the hosts carrying out the attack were disabled by the malware itself. Second, the malware employed a long list of obfuscation techniques and cryptographic ciphers to make analysis of the malware more difficult.
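To make the defender's side of the paragraph above concrete, here is an added example (not code from the article or from McAfee's report) of a minimal per-source request-rate detector run over constructed web-server access-log lines. It flags sources that exceed a request threshold in any one-minute bucket, the kind of signal a flood from many compromised hosts produces, and reports the span between the first and last flagged minute, which is how one would measure a time-boxed campaign like the 10-day window the article describes. All IP addresses, paths, timestamps and the threshold value are constructed sample data, not values from the incident.

```python
"""Added example (not from the McAfee report or the article): a minimal
per-source request-rate detector over constructed access-log lines.
All IPs, paths and timestamps below are constructed sample data."""
from collections import defaultdict
from datetime import datetime
import re

# Common Log Format, e.g.
# 192.0.2.10 - - [04/Mar/2011:10:00:01 +0900] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req"),
            "status": int(m.group("status"))}


def requests_per_minute(lines):
    """Map (source ip, one-minute bucket) -> request count, skipping bad lines."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = rec["ts"].replace(second=0, microsecond=0)
        counts[(rec["ip"], bucket)] += 1
    return counts


def flag_sources(lines, threshold):
    """Return {ip: sorted minute buckets} for sources above `threshold` req/min."""
    flagged = defaultdict(list)
    for (ip, bucket), n in requests_per_minute(lines).items():
        if n > threshold:
            flagged[ip].append(bucket)
    return {ip: sorted(buckets) for ip, buckets in flagged.items()}


def activity_window(flagged):
    """Earliest and latest flagged minute across all sources, or None if nothing was flagged."""
    buckets = [b for bs in flagged.values() for b in bs]
    if not buckets:
        return None
    return min(buckets), max(buckets)


def build_sample_log():
    """Constructed sample: three noisy sources for three minutes plus one normal client."""
    lines = []
    noisy = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]  # constructed, RFC 5737 test range
    for minute in range(3):
        for ip in noisy:
            for sec in range(0, 60, 2):  # 30 requests per minute from each noisy source
                lines.append(f'{ip} - - [04/Mar/2011:10:0{minute}:{sec:02d} +0900] '
                             f'"GET / HTTP/1.1" 200 512')
    for minute in range(3):  # one request per minute from a normal client
        lines.append(f'198.51.100.5 - - [04/Mar/2011:10:0{minute}:15 +0900] '
                     f'"GET /index.html HTTP/1.1" 200 2048')
    lines.append("garbage line that does not parse")  # exercises the malformed-line path
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    hits = flag_sources(log, threshold=20)  # threshold is a constructed sample value
    for ip, buckets in hits.items():
        print(f"{ip}: {len(buckets)} minute(s) over threshold")
    print("activity window:", activity_window(hits))
```

A fixed per-source threshold is deliberately simple: it catches the chatty hosts in the sample but would miss a flood spread thinly over a very large botnet, where the aggregate rate per target is the better signal. In practice the threshold should be set from a baseline of normal traffic for the site rather than hard-coded.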
Unlike criminal malware that is designed to facilitate extortion, spam and data theft, the malware behind the South Korean government attacks was purpose-built for denial of service attacks, with resiliency and plausible deniability for the attackers as top priorities – not data theft or profit.
Unlike common, criminally backed denial of service attacks, the March attacks closely resembled a series of attacks in July 2009 against sites in South Korea and the U.S. However, McAfee said it detected evidence of greater sophistication in the March 2011 attacks. Among other things, the March attack had improved command and control (C&C) capabilities, McAfee said.
The sophistication of the attack and the attention to resiliency and secrecy don’t jibe with the simplicity of the DDoS attacks themselves – what McAfee analysts likened to bringing a Lamborghini to a go-kart race. However, the overkill would be consistent with a North Korean effort to test the South’s ability to respond to cyber attacks.
Any link to North Korea is circumstantial. However, the report does echo other assessments of North Korea’s improving cyber war capabilities. AFP reported in March 2009 that the North was building its cyber warfare capabilities. South Korea has responded, in part, by investing in “digital bunkers” that could allow small businesses to withstand DDoS attacks.
Read the full report from McAfee here (PDF).