Attacks/Breaches

12/22/2014 05:25 PM

North Korea Experiencing Internet Outages, Raising Questions About US Retaliation

Is it coincidence, or is a DDoS on North Korea's Internet infrastructure a "proportional response" by the US?

Three days after the US government officially blamed the North Korean government for masterminding the Sony attacks and President Obama promised that the US would "respond proportionally" to them, North Korea is reportedly experiencing widespread Internet outages -- prompting the question of whether or not the US has struck back with a cyberattack of its own.

North Korea Tech first reported that the country's Internet link was "flaky." It quoted Doug Madory, director of Internet analysis at Dyn Research, as saying: "I haven't seen such a steady beat of routing instability and outages in KP before. Usually there are isolated blips, not continuous connectivity problems. I wouldn't be surprised if they are absorbing some sort of attack presently."

Madory told The New York Times that North Korea's networks were "under duress," and that "This is consistent with a DDoS attack on their routers."

Dmitri Alperovitch, co-founder and CTO of CrowdStrike, disagrees. "I don't think this is something we can speculate about just yet," he tells us. He believes that the little we know about the outage right now is more in line with a technical problem. The US has asked the Chinese government for assistance, and if this does turn out to be a DDoS, it's possible that China could have acted on its own to disrupt the North Korean Internet infrastructure.

Friday, the US officially blamed the North Korean government for the attacks on Sony, but it did not describe the attacks as an act of war. President Obama said Friday, "I don't think it was an act of war. I think it was an act of cyber vandalism that was very costly, very expensive."

Alperovitch concurs. Some within the industry still question whether or not the North Korean government is truly to blame, but Alperovitch attributes the attacks to "Silent Chollima," a North Korean hacking group that CrowdStrike has been following since 2006 and believes to be state-sponsored.

Silent Chollima has previously focused its efforts on South Korean targets, including some US military stations within South Korea. An American entertainment company may be a rather different type of target, but Alperovitch believes that the attackers were indeed motivated to attack Sony in response to The Interview -- a comedy about assassinating North Korean leader Kim Jong-Un, which was supposed to hit theaters Christmas Day but has now been canceled.

"The movie is a big motivation," says Alperovitch. In North Korean culture, such subject matter would be considered a significant insult. Months ago, the North Korean government declared that The Interview was, itself, an act of war. "I think we should take them at their word."

After the US officially pointed the finger at Pyongyang, North Korean officials responded harshly. They requested that American and North Korean experts conduct a joint investigation into the Sony attacks, and they warned that there will be "grave consequences" if the US declines that request.

In an official statement, the North Korean National Defense Commission said "Our toughest counteraction will be boldly taken against the White House, the Pentagon and the whole U.S. mainland, the cesspool of terrorism, by far surpassing the 'symmetric counteraction' declared by Obama."

This bears a resemblance to the threats hackers made last week about physical attacks on cinemas that air The Interview. Alperovitch says that North Korea does not have the capabilities to carry out that kind of violence on American soil. "That's blustering. They're known to do this."

US-CERT releases new details about malware
US-CERT issued an alert Friday about targeted destructive malware that appears to be that which was used in the Sony attacks. The alert describes the malware as a "Server Message Block (SMB) Worm Tool to conduct cyber exploitation activities recently targeting a major entertainment company."

The malware toolkit comes with five key components: a listening implant, a lightweight backdoor, a proxy tool, a destructive hard drive tool, and a destructive target cleaning tool. To propagate, the worm uses brute-force attacks to guess authentication credentials for SMB connections. If the worm obtains access, a "file share is established and file is copied and run on the newly-infected host."

The listening tool listens for connections on ports 195 and 444. US-CERT states "During installation of this tool, a portion of the binaries is decrypted using AES, with a key derived from the phrase 'National Football League.'"

The backdoor can perform a great number of tasks, including file transfer, system survey, process manipulation, file time matching, proxy capability, arbitrary code execution, and command line execution, as well as functionality to "open ports in a victim host's firewall and take advantage of universal Plug and Play (UPNP) mechanisms to discover routers and gateway devices, and add port mappings, allowing inbound connections to victim hosts on Network Address Translated (NAT) private networks."

The proxy tool listens to TCP port 443 and can "fingerprint the victim machine, run remote commands, perform directory listings, perform process listings, and transfer files," according to the alert.

The destructive hard drive tool is the real nasty part, but it's more dangerous on a machine running with administrator privileges than one with usual user privileges. With admin privileges, "the program will over-write portions of up-to the first four physical drives attached, and over-write the master boot record (MBR) with a program designed to cause further damage if the hard drive is re-booted. This further results in the victim machine being non-operational with irrecoverable data... If the actor has user-level access, the result includes specific files being deleted and practically irrecoverable, but the victim machine would remain usable."

US-CERT offered a long list of recommendations for combating these attacks and preparing for business continuity and incident response in the event of such an attack. For example, it advises organizations to perform daily backups, perform periodic "offline" backups to removable media, establish emergency communications plans, disable credential caching, and disable web and email capability on admin accounts.
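A defender-side check for two of the indicators the alert describes, added here as an example that is not part of the article or of the US-CERT alert: it flags the SMB brute-force logon pattern the worm uses to spread (a burst of failed network logons from one source, followed by a success) in simplified Windows Security events, and flags processes listening on the ports named above. The event tuples, the netstat-style lines, the five-failure threshold and the five-minute window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events, reduced to
# (time, event ID, source IP, target host, logon type).
# 4625 = failed logon, 4624 = successful logon; logon type 3 = network,
# which is what SMB authentication produces.
SAMPLE_EVENTS = [
    ("2014-12-19 10:00:01", 4625, "10.0.0.5", "FILESRV01", 3),
    ("2014-12-19 10:00:02", 4625, "10.0.0.5", "FILESRV01", 3),
    ("2014-12-19 10:00:02", 4625, "10.0.0.5", "FILESRV01", 3),
    ("2014-12-19 10:00:03", 4625, "10.0.0.5", "FILESRV01", 3),
    ("2014-12-19 10:00:04", 4625, "10.0.0.5", "FILESRV01", 3),
    ("2014-12-19 10:00:05", 4624, "10.0.0.5", "FILESRV01", 3),  # a guess hit
    ("2014-12-19 10:05:00", 4625, "10.0.0.9", "WKSTN07", 2),    # console typo
]
# Constructed netstat-style listener lines from one host.
SAMPLE_LISTENERS = [
    "TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    756",
    "TCP    0.0.0.0:444    0.0.0.0:0    LISTENING    4120",
    "TCP    0.0.0.0:195    0.0.0.0:0    LISTENING    4120",
]
# Ports named in the alert: listening implant on 195/444, proxy tool on 443.
IMPLANT_PORTS = {195, 444, 443}

def detect_smb_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Map (src, target) -> 'attempted' or 'compromised' for pairs with at
    least `threshold` failed network logons inside `window`; 'compromised'
    when a success follows the failures. Threshold and window are assumed."""
    failures, hits = defaultdict(list), {}
    for ts, eid, src, target, ltype in sorted(events, key=lambda e: e[0]):
        if ltype != 3:          # only network (SMB-style) logons matter here
            continue
        key, t = (src, target), datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if eid == 4625:
            failures[key] = [f for f in failures[key] if t - f <= window] + [t]
            if len(failures[key]) >= threshold:
                hits.setdefault(key, "attempted")
        elif eid == 4624 and key in hits:
            hits[key] = "compromised"
    return hits

def detect_implant_listeners(netstat_lines, ports=IMPLANT_PORTS):
    """Return {port: pid} for LISTENING TCP sockets on the alert's ports.
    443 is normal on a web server, so weigh that hit against the host's role."""
    found = {}
    for line in netstat_lines:
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            if port in ports:
                found[port] = int(parts[4])
    return found
```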

Will The Interview be seen?
The movie may ultimately be seen in some form. Sony was widely criticized for canceling the release. On Thursday, the Guardians of Peace purportedly gave Sony the OK to release the film, as long as it removed the Kim Jong-Un death scene.

Meanwhile, Anonymous has threatened Sony that it had better release the movie -- or else. In a letter to Sony Entertainment CEO Michael Lynton, uploaded to Pastebin on Sunday, representatives of Anonymous expressed their "sympathy," stated that "we all know the hacks didn't come from North Korea," and declared that the "cowardly" decision to cancel the movie release was "denying us the privilege of the Freedom of Information Act."

The message concluded with a threat: "Release 'The Interview' as planned, or we shall carry out as many hacks as we are capable of to both Sony Entertainment, and yourself."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that, she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Dr.T, User Rank: Ninja
12/27/2014 | 5:20:36 PM
Re: Internet outages
That may be true but China would not let the US do that. They are not convinced that North Korea is behind the Sony attack though.
geriatric, User Rank: Moderator
12/23/2014 | 8:36:34 AM
Signal to Noise Ratio...
Dmitri Alperovitch, co-founder and CTO of CrowdStrike:

"The movie is a big motivation," says Alperovitch. In North Korean culture, such subject matter would be considered a significant insult. Months ago, the North Korean government declared that The Interview was, itself, an act of war. "I think we should take them at their word."

This bears a resemblance to the threats hackers made last week about physical attacks on cinemas that air The Interview. Alperovitch says that North Korea does not have the capabilities to carry out that kind of violence on American soil. "That's blustering."

Who is this man, and exactly what are his credentials that we should take ANY stock in what he says about U.S. foreign policy?

The only way to tell if Kim Jong-Un is lying is if his lips are moving. That's an established fact.

BillB031, User Rank: Strategist
12/22/2014 | 7:28:54 PM
Internet outages
Ah, let's see. Submarine, launches mini sub to cut underwater communication cables? lol