Wednesday, July 8, 2009

Korean cyber-activities

Ahn Young-joon/Associated Press
Employees of the Korea Internet Security Center inside a monitoring room in Seoul on Wednesday.

Over the Fourth of July weekend, 14 government web sites in the United States, including the Treasury Department, Secret Service, Federal Trade Commission and Transportation Department, and 11 in South Korea were hit by an unattributed Distributed Denial of Service (DDoS) attack. The sites in South Korea included the Presidential Blue House, the Defense Ministry, the National Assembly, Shinhan Bank and other well-known sites. According to an article by Robert McMillan,
"On Saturday and Sunday the attack was consuming 20 to 40 gigabytes of bandwidth per second, about 10 times the rate of a typical DDoS attack, one security expert said after being briefed by the US-CERT on Tuesday. "It's the biggest I've seen," said the expert, who asked not to be identified because he was not authorised to discuss the matter. By Tuesday it was averaging about 1.2 gigabytes per second, he said."
The New York Times (and others) quote a South Korean paper: "Although the National Intelligence Service did not identify whom they believed responsible, the South Korean news agency Yonhap reported that the spy agency had implicated North Korea or pro-North Korea groups. A spokesman at the intelligence agency said it could not confirm the Yonhap report, which said that the spy agency briefed lawmakers about their suspicions on Wednesday." Given the targets it seems like an intuitive conclusion; the question, of course, is what actual technical intelligence / SIGINT says.

Some other interesting points on this attack are that most of the bots used were located in South Korea, with South Korean officials stating that at least 12,000 were in S. Korea. Also of interest is the allegation by unnamed S. Korean intelligence officials that N. Korea routes its attacks through Chinese Internet connections. Again, this would seem intuitive; where else are they going to go through?

All sorts of guesses and innuendo out there... some point out that a single anti-capitalist controlling the bot-net might have launched the attacks, while the S. Korean National Intelligence Service is quoted in the NYT article saying that "This is not a simple attack by an individual hacker, but appears to be thoroughly planned and executed by a specific organization or on a state level".

What I found interesting in reading all the articles on this story was the lack of tie-in to prior stories on cyber activity on the Korean peninsula. Of particular interest to me were these two stories:

The first, from Kevin Coleman at DefenseTech, carries the headline "North Korea Poised for Cyber Salvo". He claims in his April 20th, 2009 story that
Most military strategists agree that cyber attacks are an excellent first strike weapon. In these specific circumstances, cyber attacks might be considered by Pyongyang as an appropriate and proportional response to the U.N. Security Council's condemnation and reinforcement of existing sanctions. High probability targets if DPRK launches cyber attacks include South Korea and the fifteen countries that make up the current U.N. Security Council that include -- permanent members-China, France, Russian Federation, the United Kingdom and the United States -- and ten non-permanent members Austria, Japan, Uganda, Burkina Faso, Libyan Arab Jamahiriya, Vietnam, Costa Rica, Mexico, Croatia and Turkey. This calls for increased vigilance by cyber security professionals guarding the critical infrastructure of those targets identified above.
He also posts some unsubstantiated but intriguing claims regarding the state of North Korean capabilities:
  • Unit: 121

  • Established: 1998

  • Force Size: 12,000 declining

  • Cyber Budget: $56+ million.

  • Goal: To increase their military standing by advancing their asymmetric and cyber warfare capabilities.

  • Experience: Hacked into South Korea and caused substantial damage; hacked into the U.S. Defense Department Systems.

  • Threat Rating: North Korea is ranked 8th on the cyber capabilities threat matrix developed in August 2007 and updated February 2009.

  • Cyber Intelligence/Espionage: Basic to moderately advanced weapons with significant ongoing development into cyber intelligence.

  • Offensive Cyber Weapons: North Korea now has the technical capability to construct and deploy an array of cyber weapons. They have moderately advanced distributed denial of service (DDoS) capabilities with moderate virus and malicious code capabilities. Hacking capabilities are moderate to strong with an experience rating of limited to moderate.

I'm guessing he hit the nail on the head. There's some garbage in the talk-back section of his article, but there is also a posting of his testimony for the hearing before the U.S.-China Economic and Security Review Commission on "China's Propaganda and Influence Operations, Its Intelligence Activities That Target the United States, and the Resulting Impacts on U.S. National Security". I've included a link to the transcribed notes here. If you look into it, he's a Senior Fellow at Technolytics, which focuses on policy-type work in cyberspace. In his testimony he said he was formerly the Chief Strategist at Netscape, so he appears to be a technically sharp guy who can follow where Internet and technology trends are heading. It could always have been a random group or individual, but I believe his prediction appears to have been prescient.

The second series of articles of interest describes North and South Korean plans for military operations in cyberspace. While there is lots of data out there, some recent articles are interesting. First, an unnamed intelligence official quoted by the South Korean Yonhap news service led to this May 5th AP story:

SEOUL, South Korea — North Korea runs a cyberwarfare unit that tries to hack into U.S. and South Korean military networks to gather confidential information and disrupt service, a news report said Tuesday.

The North's military has expanded the unit, staffing it with about 100 personnel, mostly graduates of a Pyongyang university that teaches computer skills, Yonhap news agency reported, citing an intelligence agency it didn't identify. South Korea's Defense Ministry said it is aware that Pyongyang has been training hackers in recent years but did not provide details and had no other comment. The National Intelligence Service — South Korea's main spy agency — said it could not immediately confirm the Yonhap report.

Not even two months later, on June 26th, news came out regarding a South Korean Cyber Command, analogous to recent developments in the US toward a comprehensive Cyber Command, created specifically in response to North Korean cyber activities. The articles don't say much but mention the creation of the cyber command and some of their staffing plans.

While I'm on the topic of communist countries and military operations in cyberspace, I stumbled across an article on "Peopledaily" saying that 94% of Chinese "Netizens" favor the creation of a Chinese Cyber Command. Pretty funny... do they not realize how active their government already is? Or maybe they are really saying they just want them to come out of the closet and be more transparent? Either way I found it amusing... (tongue-in-cheek:) hopefully those PRC leaders take this advice to heart and get moving on it!

The Washington Times reported that according to the mass-circulation South Korean newspaper JoongAng Ilbo:

The spy agency told lawmakers Friday that a research institute affiliated with the North's Ministry of People's Armed Forces received an order to "destroy the South Korean puppet communications networks in an instant," the mass-circulation JoongAng Ilbo newspaper reported.

The paper, citing unidentified members of parliament's intelligence committee, said the institute, known as Lab 110, specializes in hacking and spreading malicious programs. The Ministry of People's Armed Forces is the secretive nation's defense ministry.

The NIS - South Korea's main spy agency - said it couldn't confirm the report. Calls to several key intelligence committee members went unanswered Saturday. The agency, however, issued a statement late Saturday saying it has "various evidence" of North Korean involvement, though it has not reached a conclusion.

Also, on July 10th, 2009, the 20,000+ machines infected by the bot-net and used to launch the DoS attacks began wiping themselves out:

The malicious code will attempt to locate files with any of more than 30 different extensions, such as .doc, .pdf, and .xls, copy the data to an encrypted file that's inaccessible to the user, and then overwrite the data in the original files. It targets files associated with office, business, and development applications.

The malicious code is also programmed to modify infected computers' Master Boot Records. The change renders computers inoperable following any attempt to reboot.

This will primarily affect machines in S. Korea, which represents the bulk of the bot-net.
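The MBR overwrite described above is the part of this payload a responder can verify offline: if a known-good digest of a machine's first sector was recorded at provisioning time (or taken from a clean reference image), a freshly acquired copy can be compared against it. The following is an added example, not code from the original post or from any of the reports it cites. It splits the 512-byte sector into bootstrap code, partition table and boot signature, and reports which regions deviate from the baseline. The "disk images" are constructed byte strings standing in for the first sector read from a device or forensic image; the layout offsets are the classic MBR layout, and the partition values are made up.

```python
"""Offline integrity check of a disk's Master Boot Record (MBR).

Added example, not from the original post. Compares a freshly read first
sector against a recorded known-good one and reports which regions changed.
The sample MBRs below are constructed byte strings, not real disk data.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_END = 440     # bootstrap code area: bytes 0..439
DISK_SIG_OFF = 440      # 4-byte disk signature followed by 2 reserved bytes
PART_TABLE_OFF = 446    # four 16-byte partition entries
BOOT_SIG_OFF = 510      # 0x55 0xAA
PART_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, start LBA, sector count


def build_sample_mbr(partitions=1):
    """Constructed known-good MBR: filler bootstrap code, a disk signature,
    `partitions` NTFS-type entries and a valid boot signature."""
    mbr = bytearray(MBR_SIZE)
    mbr[:BOOTSTRAP_END] = b"\xEB" + b"\x90" * (BOOTSTRAP_END - 1)  # jmp + nops (constructed)
    struct.pack_into("<I", mbr, DISK_SIG_OFF, 0xDEADBEEF)          # constructed disk id
    for i in range(partitions):
        struct.pack_into(PART_FMT, mbr, PART_TABLE_OFF + 16 * i,
                         0x80 if i == 0 else 0x00, b"\x01\x01\x00", 0x07,
                         b"\xFE\xFF\xFF", 2048 + i * 1_000_000, 1_000_000)
    mbr[BOOT_SIG_OFF:] = b"\x55\xAA"
    return bytes(mbr)


def parse_mbr(mbr):
    """Split the sector into regions, hash the code and table separately,
    and decode any non-empty partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, _c1, ptype, _c2, lba, count = struct.unpack_from(
            PART_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba": lba, "sectors": count})
    return {
        "bootstrap_sha256": hashlib.sha256(mbr[:BOOTSTRAP_END]).hexdigest(),
        "table_sha256": hashlib.sha256(mbr[PART_TABLE_OFF:BOOT_SIG_OFF]).hexdigest(),
        "boot_signature_ok": mbr[BOOT_SIG_OFF:] == b"\x55\xAA",
        "partitions": parts,
    }


def check_mbr(current, baseline):
    """Return a list of findings; an empty list means the sector matches."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["boot_signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector will not boot")
    if cur["bootstrap_sha256"] != base["bootstrap_sha256"]:
        findings.append("bootstrap code changed (bootkit or wiper overwrite)")
    if cur["table_sha256"] != base["table_sha256"]:
        findings.append("partition table changed")
    if not cur["partitions"] and base["partitions"]:
        findings.append("all partition entries cleared")
    return findings


# Constructed scenarios: the recorded baseline, a fully zeroed sector, and a
# sector whose bootstrap code alone was replaced while the table survived.
KNOWN_GOOD = build_sample_mbr()
WIPED = bytes(MBR_SIZE)
CODE_ONLY = bytes(b"\xCC" * BOOTSTRAP_END + KNOWN_GOOD[BOOTSTRAP_END:])

if __name__ == "__main__":
    for name, image in (("known-good", KNOWN_GOOD), ("wiped", WIPED), ("code-only", CODE_ONLY)):
        print(f"{name:>10}: {check_mbr(image, KNOWN_GOOD) or ['no deviation']}")
```

Hashing the bootstrap region separately from the partition table matters in practice: a legitimate repartitioning changes the table but not the code, while a bootkit or wiper does the reverse, so the two findings point at different follow-up actions.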

And finally, S. Korea was warned in advance of the attacks, but both countries (particularly S. Korea) were poorly prepared to deal with the DoS. Potential methods for dealing with the DoS include distributing their sites across multiple nodes, cutting off adversarial IPs/ranges quickly, and adding contingency bandwidth.
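"Cutting off adversarial IPs/ranges quickly" presupposes that you can pick them out of the access logs while the flood is under way. As an added example (not code from the original post), the script below parses combined-format web-server log lines, counts each client's requests inside a sliding time window, flags sources that cross a threshold, and groups the flagged hosts by /24 so an operator can decide whether to block a range rather than chase single addresses. The log lines are constructed sample data, and the window and threshold are assumptions to tune per site.

```python
"""Rate-based source triage for a DDoS against a web site.

Added example, not from the original post. Parses Apache/nginx combined-format
access-log lines, flags clients exceeding a request rate inside a sliding
window, and aggregates flagged hosts into candidate network ranges.
The log lines are constructed sample data.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# combined log format: client - user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \S+')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, second, path="/"):
    """Build one constructed access-log line at 10:00:<second> on 7 July 2009."""
    return (f'{ip} - - [07/Jul/2009:10:00:{second:02d} +0900] '
            f'"GET {path} HTTP/1.1" 200 5120')


# Constructed sample: two legitimate visits, three flooding sources, one bad line.
SAMPLE_LOG = (
    [_line("10.0.0.5", 0), _line("10.0.0.5", 30)]
    + [_line("203.0.113.7", s) for s in range(8)]          # 8 hits in 8 seconds
    + [_line("203.0.113.9", s) for s in range(0, 12, 2)]   # 6 hits in 10 seconds
    + [_line("198.51.100.20", s) for s in range(6)]        # 6 hits in 6 seconds
    + ["not a log line - must be skipped, not crash the parser"]
)


def parse_line(line):
    """Return (ip, timestamp, status) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, ts, status = m.groups()
    return ip, datetime.strptime(ts, TIME_FMT), int(status)


def flag_sources(lines, window_seconds=10, threshold=5):
    """Return {ip: peak_requests_in_window} for every client that made at
    least `threshold` requests within any `window_seconds` span."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e[1])
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for ip, ts, _status in events:
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def aggregate_ranges(flagged_ips, prefix=24):
    """Count flagged hosts per /prefix network, e.g. {"203.0.113.0/24": 2}."""
    counts = defaultdict(int)
    for ip in flagged_ips:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        counts[str(net)] += 1
    return dict(counts)


if __name__ == "__main__":
    peaks = flag_sources(SAMPLE_LOG)
    for ip, n in sorted(peaks.items(), key=lambda kv: -kv[1]):
        print(f"{ip:>16}  peak {n} req / 10 s")
    print("candidate ranges:", aggregate_ranges(peaks))
```

Two practical caveats the sample illustrates: unparseable lines are skipped rather than aborting the run, and the range aggregation is only a suggestion for a human, since blocking a /24 that contains one flagged host and many legitimate users is itself a denial of service.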

More updates:
According to police investigating the incident: "The DDoS attackers hacked two Korean Web sites, based in Seoul and Busan, and switched the program update files of the sites with their malicious codes". Furthermore, the zombie computers were primarily infected via those two hacked web servers: 21 of the 27 zombie machines the police sampled had been infected that way. The command-and-control servers were all based in other countries, including London and Miami. Investigators are still working to identify the sources...
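The police account above amounts to a software-distribution compromise: the files a site served as updates were replaced in place, under their original names. A site operator's basic countermeasure is a file-integrity baseline of the download directory taken at release time and re-checked on a schedule. The following is an added example, not code from the original post or from the sites involved; it snapshots SHA-256 digests of every file under a directory, diffs a later snapshot against the baseline, and reports modified, added and removed paths. The directory contents are constructed in a temporary folder so the example runs offline, and the file names are made up.

```python
"""File-integrity baseline for a web server's update/download directory.

Added example, not from the original post. Detects update files that were
swapped or planted by diffing per-file SHA-256 digests against a baseline
recorded at release time. All file contents below are constructed.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large installers do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each file's path relative to `root` (with '/' separators) to its digest."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(snap, path):
    """Persist the baseline; in practice keep this copy off the web server."""
    Path(path).write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Return the changes between two snapshots as sorted path lists."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo_update_swap():
    """Constructed scenario: baseline an update directory, then swap one update
    file's content under its original name and plant an extra file, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "updates"
        (root / "v2").mkdir(parents=True)
        (root / "v2" / "update.exe").write_bytes(b"MZ legitimate update payload (constructed)")
        (root / "v2" / "update.exe.sha256").write_text("placeholder digest line\n")
        (root / "release-notes.txt").write_text("v2: bug fixes\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # The swap the police described: same filename, different content,
        # plus one file that was never part of the release.
        (root / "v2" / "update.exe").write_bytes(b"MZ different content (constructed)")
        (root / "v2" / "loader.dll").write_bytes(b"planted file (constructed)")
        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo_update_swap(), indent=2))
```

Note that the `.sha256` sidecar file in the sample directory does not help here: an attacker who can rewrite `update.exe` on the server can rewrite the digest file beside it, which is why the baseline has to be stored and checked from somewhere the web server cannot modify, and why clients ultimately need a signature they can verify rather than a hash served from the same host.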