North Korea Mounted DDoS Attack On South Korea

A photograph of South Korean tanks

McAfee has analysed the resilient and destructive botnet that paralysed South Korean Websites in March

North Korea, or its sympathisers, were behind the cyber-attacks that paralysed a handful of Websites in South Korea, including a United States military site, earlier this year, according to McAfee.

The malware behind the distributed denial of service attacks that also crippled South Korean government sites were highly sophisticated and had numerous capabilities designed to make it stealthy and resilient, according to an in-depth analysis released by McAfee.

McAfee Given Insight Into Attacks

McAfee researchers worked with representatives from the South Korean and US governments to complete the analysis, which included details on how the attacks were carried out and why they were so difficult to defend against.

The attack began on March 4 when thousands of computers took part in a distributed denial of service attack against 14 Websites in South Korea, including government agencies, prominent businesses and US Forces. The attacks lasted 10 days, after which the malware was designed to self-destruct, according to McAfee.

Considering the botnet was launching a DDoS attack, it was “unusually destructive” Georg Wicherski, a McAfee security researcher, wrote in the company’s blog. “In fact, it was analogous to bringing a Lamborghini to a go-cart race,” Wicherski said.

The botnet, based in South Korea, used multiple encryption algorithms, including AES, RS4 and RSA, to obfuscate numerous parts of the code and configuration, making analysis challenging, according to Wicherski. Over 40 globally distributed command-and-control servers in countries such as the US, Taiwan, Saudi Arabia, Russia and India, dynamically updated infected machines in the botnet with new malware binaries. The botnet had likely infected the machines earlier with malware, which had lain dormant until the instructions were issued to launch the DDoS attack, according to McAfee’s analysis.

After the attack ended, the malware deleted and overwrote key files such as the source code and documents before corrupting the master boot record of the system it was installed on, rendering the machine unbootable.

“The level of encryption and obfuscation at all layers of the malware and its distribution method, as well as the quick follow-on destruction of data and machines, indicate that one of the key objectives was to impede rapid analysis and remediation by the Korean authorities,” Wicherski said.

McAfee researchers compared the incident with a similar attack 20 months earlier, on July 4, 2009, against 40 South Korean and US Websites. The latest attack was “dramatically” more sophisticated, Wicherski said. The attackers clearly learned from the earlier incident, as 14 of the South Korean targets remained the same, but all the US-based sites, including the White House, State Department and the Federal Trade Commission, were dropped. Wicherski said there was a “95 percent chance” that the same group behind the 2009 attacks committed this new attack.

“It was also clear from our analysis of the code that multiple individuals who may not have been in close coordination were responsible for developing its various parts,” Wicherski said.

The attacks were likely designed to test South Korea’s cyber-defence and response, and may have been “an armed cyber-reconnaissance operations Wicherski said. The attackers, whether they are part of the North Korean military as the South Korean government claimed or its sympathisers, are likely testing the defences and reaction time of the government and civilian networks to a well-organised attack, Wicherski concluded.

McAfee acknowledged there was no clear proof that North Korea was behind the attacks.