North Korea steps forward as new cyberwar villain
March DDoS against South Korea may have been a dry run for a real attack
Those of you who are connoisseurs of international cyberthreat conspiracies – both the entertaining Men in Black-ish type and the all-our-infrastructure-belong-to-them that is a lot more dull but a lot more frightening for being largely true – will be excited to hear there is another franchise player on the field.
In March North Korea – whose impression of a cartoonishly extreme Evil Empire has set the standard for smothering repression, campily ridiculous Fearless Leaders and quiet dignity among the starving masses – launched a DDoS attack that knocked down a handful of South Korean websites, according to an investigation conducted by security software vendor McAfee.
Except for the home page of U.S. Forces Korea – which is primarily a PR site used by the U.S. Eighth Army to distribute information to civilians, not for actual military communications – all 14 of the sites hit belonged to South Korean companies with no particular political significance, despite indications that North Korea is training a coterie of cyberwarriors at foreign colleges.
The tipoff that the attack wasn't just part of an extortion attempt or a bit of ordinary vandalism was that it was far too elaborate to be the work of casual or commercial hackers, according to a report from McAfee, which assembled its information with the help of the U.S. and South Korean governments.
(The McAfee report on the South Korean attack titled, poetically, 10 Days of Rain, is available for download here.)
Usually, DDoS attacks come from botnets – armies of zombie PCs infected with malware so they can be remotely controlled by command servers run by attackers.
In this attack there were at least two botnets – the one that launched the DDoS, and a second layer that sent it the orders. McAfee wasn't able to trace back far enough to figure out for sure who was giving the command botnet its orders.
Most botnets are built in hierarchies, just like any other network. First-tier zombies receive commands from the server and pass them on to a pre-determined list of other infected PCs.
That multitier design helps keep the net working when one segment gets closed down and keeps communications from bottlenecking.
Few, if any, botnets use a completely separate command tier whose whole job is to control the rest of the hierarchy. That arrangement hides the identity of the attackers by making it even harder than it would otherwise be to trace commands and authorizations back through the first botnet and into the second.
All the communications were encrypted – often with different algorithms for different pieces, to make commands and authentication codes harder to track and subvert.
The best part – the Bond's-visit-with-Q part of this particular movie – is that the botnets would drive the DDoS attack for as long as 10 days, then self-destruct to avoid capture.
On a pre-set schedule, the malware deleted many of its own critical files, then corrupted the master boot record (MBR) of the host PC's hard drive to make the disk unusable without repair and the files difficult to recover even with forensic software, according to an IDG News Service analysis of the report.
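A responder handed one of those wiped machines would want a quick way to tell a clobbered MBR from an intact one before deciding whether the partition table can be rebuilt. The script below is an added example, written for this page and not taken from the McAfee report or the IDG analysis; it reads the first 512-byte sector of a disk image, checks the 0x55AA boot signature, the four 16-byte partition entries and whether the boot-code area has been overwritten with a single repeated byte, and returns a list of findings. The sample MBR it builds for demonstration is constructed here and does not come from any real victim machine.

```python
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"           # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446           # boot code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16
PARTITION_ENTRY_COUNT = 4


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition entry (CHS fields are ignored)."""
    status = entry[0]                                  # 0x80 = active, 0x00 = inactive
    ptype = entry[4]                                   # partition type byte (0x00 = unused)
    lba_start, sectors = struct.unpack_from("<II", entry, 8)
    return {"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def check_mbr(sector: bytes) -> list:
    """Return a list of findings; an empty list means the MBR passes basic sanity checks."""
    findings = []
    if len(sector) != MBR_SIZE:
        findings.append("sector is not 512 bytes")
        return findings

    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")

    # A real boot loader is never a flat run of one byte; a wiper usually leaves exactly that.
    bootcode = sector[:PARTITION_TABLE_OFFSET]
    if all(b == bootcode[0] for b in bootcode):
        findings.append("boot code area is a single repeated byte (overwritten?)")

    entries = []
    for i in range(PARTITION_ENTRY_COUNT):
        start = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entries.append(parse_partition_entry(sector[start:start + PARTITION_ENTRY_SIZE]))

    if not any(e["type"] != 0 for e in entries):
        findings.append("no partition entries present")

    for i, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{e['status']:02x}")
        if e["type"] != 0 and e["sectors"] == 0:
            findings.append(f"entry {i}: zero-length partition")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample: a stub of boot code plus one active NTFS partition at LBA 2048."""
    bootcode = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"      # first few bytes of a typical loader
    bootcode += b"\x00" * (PARTITION_TABLE_OFFSET - len(bootcode))
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    empty_entries = b"\x00" * (PARTITION_ENTRY_SIZE * (PARTITION_ENTRY_COUNT - 1))
    return bootcode + entry + empty_entries + BOOT_SIGNATURE


def check_image(path: str) -> list:
    """Read sector 0 of a raw disk image (e.g. from dd) and run the checks on it."""
    with open(path, "rb") as fh:
        return check_mbr(fh.read(MBR_SIZE))


if __name__ == "__main__":
    print("intact sample:", check_mbr(build_sample_mbr()))
    print("zero-filled sector:", check_mbr(b"\x00" * MBR_SIZE))
```

The checks are structural only: a sector that passes may still carry a tampered boot loader, and one that fails tells you the partition table is gone, not what was there. Recovering the layout then means carving for filesystem boot sectors further into the image or restoring from a known-good copy of sector 0.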
That's a lot of trouble and expense to go to for an attack that didn't try to force money out of the victims or make a vocal public point, as most attacks by hacktivists or criminals would have.
The network design, command mechanism, encryption and self-destruct and self-concealment routines showed far more work and sophistication than a DDoS attack alone could justify.
"DDoS can be done with software from your local cyber criminal," said Dmitri Alperovitch, vice president of threat research for McAfee Labs, in a telephone interview with IDG News. "The level of effort that went into this one far exceeds any DDoS botnets until now."
McAfee's conclusion was that the attack wasn't actually an attack. It was a probe to see how fast the South Korean government and military, backed by the U.S. military, could respond, stop the DDoS, decrypt and reverse-engineer the malware and track the attack back to its source.
Since no irreversible harm was done, even an investigation that showed the DDoS came straight from the personal laptop of the most recent generation of Fearless Leader wouldn't justify a response from the U.S. and South Korea that was "kinetic" (.mil-speak for "things that explode and kill people").
So even if the attack itself was a glorious failure, the risk of serious retaliation was small.
Not failing immediately, on the other hand, would give North Korea a very good sense of how well South Korea would respond to an attack on more important targets (its phone and radio networks, for example). And that would give the North Koreans a much better idea of how effective a cyberattack would be if launched in conjunction with an attack IRL, according to the report.
There is no hard evidence pointing to North Korea as the source of the attack – or that it was responsible for a very similar one in 2009, launched by a much more simplistic botnet against a much wider range of targets.
"When you look at who might do that, one actor jumps off the page," Alperovitch told IDGNS. "The North Korean government would want to see if a future conflict could have a cyber impact as well as a real-life impact."
"The combination of technical sophistication juxtaposed with relatively limited execution and myopic outcome is analogous to bringing a Lamborghini to a go-cart race," the report concludes colorfully. "As such, the motivations appear to outweigh the attack, making this truly seem like an exercise to test and observe response capabilities."
Doesn't that make you feel better about the distant possibility of significant cyberwar attacks on the West?
I mean, who cares that the attack came from a radically oppressive, heavily militarized hereditary dictatorship tucked out of the shipping lanes but close enough to the Big Tiger for Beijing to watch someone attack Americanized military forces with digital weapons?
Does one little DDoS across the DMZ necessarily mean China, North Korea or anyone else will be watching to see how coordinated digital and kinetic attacks combine to increase a target's multimodal Fubar potential?
Or does it just mean we have one more shadowy figure to populate the post Cold-War conspiracy ecosystem?
If the attack does turn out to be North Korean, and does turn out to be significant in what is turning the Internet into an online game of Risk played with pixels and bits instead of plastic pawns, I just hope I'm wrong in the assumption that I know who gets to be the pawns.