Perpetrators of Korean cyber attacks could be ‘stalking horse’ operatives

July 13th, 2009

It may not have been North Korea, or its sympathizers, that executed those simplistic, yet highly effective distributed denial-of-service (DDoS) attacks against dozens of U.S. and South Korean websites last week.

LastWatchdog has obtained a summary of analysis by Hanoi-based Bkis Security showing 166,908 botted PCs from 74 countries were used in the attacks. Commands were routed through eight control servers, tied into a master server located in the United Kingdom and running the Windows Server 2003 operating system, according to Bkis research director Nguyen Minh Duc, who graciously supplied LW with this graphic:

[Graphic: Bkis diagram of the attack's command-and-control structure]

Bkis analyzed samples of Internet traffic supplied by APCERT, the Korean Computer Emergency Response Team. In order of concentration, the attack bots were located in South Korea, the United States, China, Japan, Canada, Australia, the Philippines, New Zealand, the UK, Vietnam and 64 other nations.

Each bot was instructed to randomly connect every three minutes to one of eight servers for instructions on which site to attack next. The instructions were carried in flash.gif files sent to each bot as shown here:

[Graphic: Bkis capture of the flash.gif instruction traffic]

Minh Duc says Bkis has turned over the results of its findings to CERT authorities in the US and South Korea. “Having located the attacking source in the UK, we believed it is completely possible to find out the hacker,” he says. “This depends on the US and South Korean governments.”
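The check-in pattern described above (each bot polling one of a small set of servers on a roughly three-minute cadence and receiving a flash.gif) is the kind of behaviour a defender can hunt for in web-proxy logs. The following is an added example, not code from the article, Bkis or any of the parties quoted: it parses constructed proxy log lines and flags clients whose requests for a given path recur on a near-fixed period. All hostnames, IP addresses, timestamps and the period/jitter thresholds are assumptions chosen for the illustration.

```python
"""Periodic check-in (beaconing) detection over constructed proxy logs."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev
from urllib.parse import urlsplit

# Constructed sample log, one "<ISO timestamp> <client_ip> <url>" per line.
# 10.0.0.5 polls a rotating set of hosts for /flash.gif every ~180 seconds
# (the bot-like pattern); 10.0.0.9 browses normally and fetches one flash.gif
# once; 10.0.0.7 fetches one flash.gif once. Hosts and IPs are made up.
SAMPLE_LOG = """\
2009-07-07T10:00:00 10.0.0.5 http://c2-a.example/flash.gif
2009-07-07T10:00:12 10.0.0.9 http://news.example/index.html
2009-07-07T10:03:01 10.0.0.5 http://c2-c.example/flash.gif
2009-07-07T10:03:40 10.0.0.9 http://news.example/story.html
2009-07-07T10:05:59 10.0.0.5 http://c2-b.example/flash.gif
2009-07-07T10:06:10 10.0.0.7 http://cdn.example/flash.gif
2009-07-07T10:09:02 10.0.0.5 http://c2-a.example/flash.gif
2009-07-07T10:11:30 10.0.0.9 http://news.example/flash.gif
2009-07-07T10:12:00 10.0.0.5 http://c2-d.example/flash.gif
2009-07-07T10:15:01 10.0.0.5 http://c2-b.example/flash.gif
"""


def parse_log(text):
    """Group log lines by client: client_ip -> [(timestamp, host, path), ...]."""
    by_client = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url = line.split(maxsplit=2)
        parts = urlsplit(url)
        by_client[client].append(
            (datetime.fromisoformat(ts), parts.hostname, parts.path))
    return by_client


def detect_beacons(by_client, path_suffix="/flash.gif", period=180.0,
                   tolerance=0.15, max_jitter=0.2, min_hits=4):
    """Flag clients that request `path_suffix` on a near-fixed period.

    A client is flagged when it has at least `min_hits` matching requests,
    the median gap between consecutive requests is within `tolerance` of
    `period` seconds, and the spread of the gaps (population stdev divided
    by the median) is below `max_jitter`. The number of distinct hosts is
    reported, not required: the article describes bots picking one of
    eight servers at random, so host rotation alone must not hide the beacon.
    """
    findings = []
    for client, events in by_client.items():
        hits = sorted(e for e in events if e[2].endswith(path_suffix))
        if len(hits) < min_hits:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        med = median(gaps)
        if med <= 0 or abs(med - period) > period * tolerance:
            continue
        if pstdev(gaps) / med > max_jitter:
            continue
        findings.append({
            "client": client,
            "hits": len(hits),
            "distinct_hosts": len({host for _, host, _ in hits}),
            "median_interval": med,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

In the constructed log only 10.0.0.5 is flagged: six flash.gif fetches spread over four hosts with gaps of 178 to 183 seconds. The two clients that fetched a flash.gif once fall below `min_hits`, which is the point of keying on cadence rather than on the file name alone. On real logs the thresholds would be tuned per environment, and a match is a lead for analyst review, not proof of compromise.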

Of course, just because the master server was located in the UK doesn’t mean the attackers were Brits. The master server itself could be a bot under covert control by an attacker sitting at a keyboard anywhere in the world.

“The IP address of the UK server belongs to the ISP: GLOBAL-DIGITAL-BROADCAST,” Minh Duc tells LastWatchdog. “If we can analyze logs on the UK server, I believe that we will have more detailed information about the attackers. This is the IP address which controls the C&C servers, it might be a compromised machine, or not. We need more information to give the final conclusion.”

Avi Chesla, VP of Security Products at Radware, wonders if there might have been several different botnets participating in a staggered, coordinated attack, using the “fast flux” technique. “Although it’s possible, I find it hard to believe that this attack used only eight C&C servers and a single one with an IP that can be determined,” says Chesla. “Recent botnet development already includes a more advanced C&C infrastructure that makes it very hard to detect.”

Quixotic payload may be part of ‘stalking horse’ attack

As to absolving North Korea, Jayson E. Street, a cyber warfare consultant at Netragard, says the attacks were more likely the work of a nation-state interested in experimenting with denial-of-service techniques, file erasure programs and Master Boot destruction. These were components of a uniquely quixotic payload unraveled by Symantec.

Symantec also was first to disclose that the set-up phase of the attack involved using a variant of the 5-year-old MyDoom email virus to assemble a fresh contingent of botted PCs. And Street points out that the attackers carefully targeted government and commercial websites limited to disseminating information to the public; in other words, sites not likely to be as tightly locked down against DDoS attacks as, say, any site conducting financial transactions or collecting sensitive personal data.

“This attack was both crude and sophisticated at the same time,” says Street. “North Korea simply doesn’t have the sophistication to conduct an attack like this, where you have a botnet spring up overnight, where the attacker tries a few things against specifically targeted websites, and where he’s sure to get a high success rate.”

Street believes this might be the first high-profile example of what he describes as a “stalking horse” attack — in which the perpetrator is carefully and covertly testing attack techniques in the wild. He agrees with LastWatchdog that the perpetrator could even be a would-be mercenary honing his skills before hiring out his services to the highest bidder.

The unusual file erasure and Master Boot self-destruct components are the clinchers for the stalking horse hypothesis. Street believes the attacker/experimenter is meticulously covering his tracks. “It’s kind of hard to do forensics on a machine that’s been wiped, though not impossible,” says Street.

Without pointing fingers at any country, Street observed that Russia and China are known to be actively engaging in asymmetrical warfare, as recently alluded to in this USA TODAY front page story describing breach attempts against government systems.

Chinese attackers laying low because of ‘Year of 6521’ omen

While visiting Shanghai last spring to attend the SyScan ’09 security conference, Street met with a Chinese contact who offered a very plausible explanation for light hacker turnout at the show, and a general lull in China-based cyber crime activity: the year of 6521 omen.

The contact advised Street that many Chinese hackers believe this is a good year to lay low because of a convergence of portentous anniversaries: the 60th anniversary of the Mao Tse-tung-led communist revolution; the 50th anniversary of the Dalai Lama’s exile from Tibet; the 20th anniversary of the Tiananmen Square massacre; and the 10th anniversary of the disbanding of the Falun Gong spiritual movement.

Street says he doesn’t believe Chinese attackers were involved in the DDoS attacks against the U.S. and South Korea “because most of the Chinese hackers are trying to lay low since this is the year of 6521. This is not superstition; it’s very much a cultural thing.”

And what about the Russians? Street hypothesizes that there could be a parallel to the Russian-led DDoS attacks that froze Estonia’s IT systems nationwide in 2007, over a seemingly petty dispute about moving a historical statue.

What happened to Estonia was a kind of a stalking horse attack — if the underlying motivation was to test techniques for shutting down financial transactions and communications systems in a nation highly dependent on Internet connectivity, he says.

“Estonia is one of the most wired countries in the world. They do their voting online, a lot of their bill paying online, the leader of the country has actually stated that the Internet is a basic human right,” observes Street. “Estonia is where many people think the United States will be in five to 10 years.

“So what better way to test crippling attacks against a country that has large connectivity in a way that wouldn’t provoke much notice from the West?”

–Byron Acohido