March Attack On South Korea Might Have Been A Test Run, Researchers Say

A cyberattack that affected the South Korean government and 40 affiliated sites might have been the work of North Korea, researchers said yesterday.

In a blog and report posted Tuesday, McAfee researchers suggested that the March attack bears strong similarities to the attack made on South Korea in July 2009, but is significantly more sophisticated.

"Fourteen of the targets were the same as in the 2009 attacks, but nearly all of the U.S.-based targets -- such as the White House, State Department, FAA, and FTC -- were removed from the target list," the blog states. "The modus operandi of the attacks was identical and unusually destructive for typical botnet attacks: the botnet, based in South Korea, was dynamically updated via new malware binaries, launched a relentless DDoS for slightly over a week, and then destroyed the machines it was deployed on."

The March 2011 attack was much more sophisticated, the researchers say: "In fact, it was analogous to bringing a Lamborghini to a go-cart race."

McAfee says that multiple encryption algorithms, such as AES, RC4, and RSA, were used to obfuscate numerous parts of the code and configuration of the March attack. "More than 40 globally distributed multi-tier command and control servers were used to dynamically update the malware and its configurations in a fashion designed to be highly resilient against takedowns," the researchers say.

Why would such sophistication be used in a simple DDoS attack? "We believe this incident -- which we estimate has a 95 percent chance of being perpetrated by the same actors as the July 4th 2009 attacks -- has very clear anti-Korean and anti-U.S. political motivations and is potentially is even more insidious," the blog states. "This may very well have been a test, an armed cyber reconnaissance operation of sorts, perhaps conducted by the North Korean military as the South Korean National Intelligence Agency has asserted, to test the defenses -- and more importantly, the reaction time of the Korean government and civilian networks -- to a well-organized and highly obfuscated attack."

A detailed report (PDF)offers a look at the target websites, the methodology of the DDoS attack, and specifics on the cryptographic algorithms used to obfuscate the attack.

Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.