Cyber Attack On South Korea and US Was A Test Run-McAfee

courtesy  www.nytimes.com

North Korea or its sympathizers were likely responsible for the cyberattack against South Korean government and banking websites earlier this year, according to a new analysis that said it also appears to have been linked to the 2009 massive computer-based attack that brought down U.S. government Internet sites.

A study by computer security software maker McAfee Inc. concludes that the attack that targeted more than two dozen sites in South Korea was a type of reconnaissance mission to see how quickly South Korea's government detected the problem and recovered from it. The McAfee report, expected to be released Tuesday, said clues in the code suggest that the attack was probably engineered by North Korea or its sympathizers.

The cyberattack started over the Fourth of July weekend, when hackers targeted the Web sites of the Federal Trade Commission, the Department of Treasury, and several other U.S. government organizations. Some reports suggest the White House's Web site may have even been a target, though its functionality did not appear to be affected. The FTC's site, however, was one of several offline as late as Monday.

McAfee security researcher Georg Wicherski deemed the attacks "an armed cyber reconnaissance operation of sorts" aimed at assessing defenses and reaction times of South Korean government and civilian networks.

"Knowing that would be invaluable in a possible future armed confrontation on the peninsula, since cyberspace has already become the fifth battlespace dimension, in addition to land, air, sea, and space," Wicherski said.

The DDoS attacks were made by usurping control of virus-infected computers in South Korea to overwhelm targeted websites with simultaneous requests for pages or information.

Tactics used in the attacks were more destructive than typically seen when legions of infected computers are commanded in "botnets" by hackers, according to McAfee.

The botnet in South Korea was programmed to perform DDoS attacks for 10 days and then self-destruct, frustrating investigators by overwriting or deleting files and codes to the extent the computers could not be booted up.

While the Match attacks were underway, encryption algorithms were used to mask parts of malicious code and stymie analysis by defenders. "This wasn't a surgical strike; it was more like a sledgehammer, as most DDoS attacks are," the McAfee report said.

"The attackers relied on the encryption to buy them more time against reverse engineering until the DDoS attack window expired."

Steps were taken to ensure that the mission was executed without interruption, within the predefined attack window, and then all vehicles of attack would be destroyed, the report concluded.

South Korean prosecutors said North Korean hackers were behind the so-called denial-of-service attack early this spring, but The North's Ministry of the People's Armed Forces denied it.

Because of the difficulties in determining exactly who launched the attack, there is no way to declare it an act of war by another country or an act of cyberterrorism, espionage or more basic crime by a militant group or others. International officials, in fact, are still trying to define cyberwar.

The Defense Department is poised to release its new cybersecurity strategy which declares cyber as a warfighting domain and begins to lay out how the U.S. can respond to cyberattacks. And U.S. officials are working with allies and international organizations to develop guidelines governing the use of computer-based capabilities as weapons.

President Barack Obama signed execute orders a few months ago that provide commanders guidance on how they can use cyber operations as part of their military arsenal.