Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:25 PM
Connect Directly

North Korea Experiencing Internet Outages, Raising Questions About US Retaliation

Is it coincidence, or is a DDoS on North Korea's Internet infrastructure a "proportional response" by the US?

Three days after the US government officially blamed the North Korean government for masterminding the Sony attacks and President Obama promised that the US would "respond proportionally" to them, North Korea is reportedly experiencing widespread Internet outages -- prompting the question of whether or not the US has struck back with a cyberattack of its own.

North Korea Tech first reported that the country's Internet link was "flaky." It quoted Doug Madory, director of Internet analysis at Dyn Research, as saying: "I haven't seen such a steady beat of routing instability and outages in KP before. Usually there are isolated blips, not continuous connectivity problems. I wouldn't be surprised if they are absorbing some sort of attack presently."

Madory told The New York Times that North Korea's networks were "under duress," and that "This is consistent with a DDoS attack on their routers."

Dmitri Alperovitch, co-founder and CTO of CrowdStrike, disagrees. "I don't think this is something we can speculate about just yet," he tells us. He believes that the little we know about the outage right now is more in line with a technical problem. The US has asked the Chinese government for assistance, and if this does turn out to be a DDoS, it's possible that China could have acted on its own to disrupt the North Korean Internet infrastructure.

Friday, the US officially blamed the North Korean government for the attacks on Sony, but it did not describe the attacks as an act of war. President Obama said Friday, "I don't think it was an act of war. I think it was an act of cyber vandalism that was very costly, very expensive."

Alperovitch concurs. Some within the industry still question whether or not the North Korean government is truly to blame, but Alperovitch attributes the attacks to "Silent Chollima," a North Korean hacking group that CrowdStrike has been following since 2006 and believes to be state-sponsored.

Silent Chollima has previously focused its efforts on South Korean targets, including some US military stations within South Korea. An American entertainment company may be a rather different type of target, but Alperovitch believes that the attackers were indeed motivated to attack Sony in response to The Interview -- a comedy about assassinating North Korean leader Kim Jong-Un, which was supposed to hit theaters Christmas Day but has now been canceled.

"The movie is a big motivation," says Alperovoitch. In North Korean culture, such subject matter would be considered a significant insult. Months ago, the North Korean government declared that The Interview was, itself, an act of war. "I think we should take them at their word."

After the US officially pointed the finger at Pyongyang, North Korean officials responded harshly. They requested that American and North Korean experts conduct a joint investigation into the Sony attacks, and they warned that there will be "grave consequences" if the US declines that request.

In an official statement, the North Korean National Defense Commission said "Our toughest counteraction will be boldly taken against the White House, the Pentagon and the whole U.S. mainland, the cesspool of terrorism, by far surpassing the 'symmetric counteraction' declared by Obama."

This bears a resemblance to the threats hackers made last week about physical attacks on cinemas that air The Interview. Alperovitch says that North Korea does not have the capabilities to carry out that kind of violence on American soil. "That's blustering. They're known to do this."

US-CERT releases new details about malware
US-CERT issued an alert Friday about targeted destructive malware that appears to be that which was used in the Sony attacks. The alert desecribes the malware as a "Server Message Block (SMB) Worm Tool to conduct cyber exploitation activities recently targeting a major entertainment company."

The malware toolkit comes with five key components: a listening implant, a lightweight backdoor, a proxy tool, a destructive hard drive tool, and a destructive target cleaning tool. To propogate, the worm uses brute-force attacks to guess authentication credentials for SMB connections. If the worm obtains access, a "file share is established and file is copied and run on the newly-infected hostattack."

The listening tool listens for connections on ports 195 and 444. US-CERT states "During installation of this tool, a portion of the binaries is decrypted using AES, with a key derived from the phrase 'National Football League.'"

The backdoor can perform a great number of tasks, including file transfer, system survey, process manipulation, file time matching, proxy capability, arbitrary code execution, and command line execution, as well as functionality to "open ports in a victim host's firewall and take advantage of universal Plug and Play (UPNP) mechanisms to discover routers and gateway devices, and add port mappings, allowing inbound connections to victim hosts on Network Address Translated (NAT) private networks."

The proxy tool listens to TCP port 443 and can "fingerprint the victim machine, run remote commands, perform directory listings, perform process listings, and transfer files," according to the alert.

The destructive hard drive tool is the real nasty part, but it's more dangerous on a machine running with adminstrator privileges than one with usual user privileges. With admin privileges, "the program will over-write portions of up-to the first four physical drives attached, and over-write the master boot record (MBR) with a program designed to cause further damage if the hard drive is re-booted. This further results in the victim machine being non-operational with irrecoverable data... If the actor has user-level access, the result includes specific files being deleted and practically irrecoverable, but the victim machine would remain usable."

US-CERT offered a long list of recommendations for combating these attacks and preparing for business continuity and incident response in the event of such an attack. For example, it advises organizations to perform daily backups, perform periodic "offline" backups to removable media, establish emergency communications plans, disable credential caching, and disable web and email capability on admin accounts.

Will The Interview be seen?
The movie may ultimately be seen in some form. Sony was widely criticized for canceling the release. On Thursday, the Guardians of Peace purportedly gave Sony the OK to release the film, as long as it removed the Kim Jong-Un death scene.

Meanwhile, Anonymous has threatened Sony that it had better release the movie -- or else. In a letter to Sony Entertainment CEO Michael Lynton, uploaded to Pastebin on Sunday, representatives of Anonymous expressed their "sympathy," stated that "we all know the hacks didn't come from North Korea," and declared that the "cowardly" decision to cancel the movie release was "denying us the privilege of the Freedom of Information Act."

The message concluded with a threat: "Release 'The Interview' as planned, or we shall carry out as many hacks as we are capable of to both Sony Entertainment, and yourself."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
12/27/2014 | 5:20:36 PM
Re: Internet outages
That may be true but China would not US do that. They are not convinced that North Korea is behind the Sonny attack tough.
User Rank: Moderator
12/23/2014 | 8:36:34 AM
Signal to Noise Ratio...
Dmitri Alperovitch, co-founder and CTO of CrowdStrike:

"The movie is a big motivation," says Alperovoitch. In North Korean culture, such subject matter would be considered a significant insult. Months ago, the North Korean government declared that The Interview was, itself, an act of war. "I think we should take them at their word."

This bears a resemblance to the threats hackers made last week about physical attacks on cinemas that air The Interview. Alperovitch says that North Korea does not have the capabilities to carry out that kind of violence on American soil. "That's blustering.

Who is this man, and exactly what are his credentials that we should take ANY stock in what he says about U.S. foreign policy?

The only way to tell if Kim Jong-Un is lying is if his lips are moving. That's an established fact.

User Rank: Strategist
12/22/2014 | 7:28:54 PM
Internet outages
Ah, lets see.  Submarine, launches mini sub to cut underwater communication cables?  lol
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "This is the last time we hire Game of Thrones Security"
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-09
An unsafe deserialization vulnerability exists in CA Release Automation (Nolio) 6.6 with the DataManagement component that can allow a remote attacker to execute arbitrary code.
PUBLISHED: 2019-12-09
The CreateID function in packet.py in pyrad before 2.1 uses sequential packet IDs, which makes it easier for remote attackers to spoof packets by predicting the next ID, a different vulnerability than CVE-2013-0294.
PUBLISHED: 2019-12-09
mod_wsgi module before 3.4 for Apache, when used in embedded mode, might allow remote attackers to obtain sensitive information via the Content-Type header which is generated from memory that may have been freed and then overwritten by a separate thread.
PUBLISHED: 2019-12-09
SQL injection vulnerability in Accentis Content Resource Management System before the October 2015 patch allows remote attackers to execute arbitrary SQL commands via the SIDX parameter.
PUBLISHED: 2019-12-09
Cross-site scripting (XSS) vulnerability in Accentis Content Resource Management System before October 2015 patch allows remote attackers to inject arbitrary web script or HTML via the ctl00$cph_content$_uig_formState parameter.