Friday, July 10, 2009

Lawmaker Wants ‘Show of Force’ Against North Korea for Website Attacks

Via (Threat Level) -

A key Republican lawmaker on Thursday urged President Obama to launch a cyber attack against North Korea, or increase international sanctions against the communist country, in the wake of an unknown hacker’s denial-of-service attacks on U.S. and South Korean websites.

Rep. Peter Hoekstra (R-Michigan), the lead Republican on the House Intelligence Committee, said the U.S. should conduct a “show of force or strength” against North Korea for a supposed role in a round of attacks that hit numerous government and commercial websites this week.

Hoekstra, speaking on the conservative America’s Morning News radio show, produced by the Washington Times newspaper, said that “some of the best people in America” had been investigating the attacks and concluded that most likely “all the fingers” point to North Korea as the culprit.

They’re reaching the conclusion that this was a state act and that “this couldn’t be some amateurs,” claimed Hoekstra, in direct opposition to what security experts have actually been saying.

He added that North Korea needed to be “sent a strong message.”


Rep. Peter Hoekstra's idea of launching a cyber counterattack against North Korea sounds very knee-jerk and just plain wrong at this point...

Point One

As Gadi Evron points out in his DarkReading article, it is silly to look only at the technical information (IP addresses, exploits used and malware family) and think you can determine who is behind a series of DDoS attacks.

Only with a complete analysis of all-source intelligence can you even begin to make an educated guess about who and where the attackers are based.

The private sector has a ton of very smart security professionals...but most don't have access to classified intelligence (HUMINT, SIGINT, etc.)...and are thus making an educated guess with only the technical information (network data, malware analysis, etc.).

Even with that in mind, some of those professionals aren't on board with pointing the finger at North Korea just yet...

"The timing is auspicious, but none of the data I have suggests North Korea," Jose Nazario, a senior security researcher at Arbor Networks, told CSO earlier this week. Joe Stewart, director of SecureWorks' counter-threat unit, told Computerworld, "There's nothing in there to suggest that it's state sponsored."

"Still zero evidence of North Korean involvement," said Stewart when contacted Friday for an update.

Point Two

DDoS attacks are noisy...really dangerous and sophisticated cyber attacks are rarely noisy. In general, I would say attacks like Titan Rain and NASA's Avocado have the potential to damage our national safety and security much, much more than any DDoS attack.

DDoS attacks are easy to detect, while a targeted attack against a power plant's SCADA system is not. An attack of this type could easily be a smokescreen for a much more serious targeted attack.
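To make the "noisy" part of Point Two concrete, here is an added example (not code from the original post): a small rate-based detector run over constructed web-server access-log lines in Common Log Format. Three flooding clients each send 80 requests inside a ten-second window and stand out immediately; a fourth client making two ordinary requests is indistinguishable from normal traffic by volume alone, which is exactly why a quiet targeted intrusion does not show up in this kind of check. The IP addresses (RFC 5737 documentation ranges), the ten-second window and the 50-request threshold are all assumptions chosen for illustration.

```python
"""Rate-based flood detection over constructed access-log lines.

Added example, not code from the original post. Log lines, addresses,
window size and threshold are all constructed/assumed for illustration.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one CLF line into a dict, or return None for unparseable input."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "req": m["req"],
        "status": int(m["status"]),
    }


def requests_per_window(lines, window_seconds=10):
    """Count requests per (ip, window bucket); bucket = floor(epoch / window)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crashing the detector
        bucket = int(rec["ts"].timestamp()) // window_seconds
        counts[(rec["ip"], bucket)] += 1
    return counts


def peak_request_count(lines, ip, window_seconds=10):
    """Highest request count this IP reached in any single window (0 if absent)."""
    counts = requests_per_window(lines, window_seconds)
    return max((n for (src, _), n in counts.items() if src == ip), default=0)


def detect_flood_sources(lines, window_seconds=10, threshold=50):
    """IPs that exceed the threshold in any single window: the 'noisy' signature.

    A client that makes a handful of requests never trips this, no matter how
    sensitive the resource it touched; volume is all this check can see.
    """
    counts = requests_per_window(lines, window_seconds)
    return sorted({ip for (ip, _), n in counts.items() if n > threshold})


def build_sample_log():
    """Constructed sample: three flooders each hitting / 80 times in ~10 s,
    plus one client making two ordinary-looking requests."""
    start = datetime(2009, 7, 7, 12, 0, 0, tzinfo=timezone.utc)
    flooders = ["198.51.100.10", "198.51.100.11", "203.0.113.5"]  # assumed
    lines = []
    for i in range(80):
        ts = (start + timedelta(seconds=i / 8)).strftime(TS_FMT)
        for ip in flooders:
            lines.append(f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 512')
    quiet = "192.0.2.44"  # assumed low-volume client
    for i, path in enumerate(["/login", "/reports/export"]):
        ts = (start + timedelta(seconds=3 + i)).strftime(TS_FMT)
        lines.append(f'{quiet} - - [{ts}] "GET {path} HTTP/1.1" 200 1024')
    return lines


if __name__ == "__main__":
    sample = build_sample_log()
    print("flood sources:", detect_flood_sources(sample))
    print("peak for quiet client:", peak_request_count(sample, "192.0.2.44"))
```

Running the block flags the three flooding addresses and reports a peak of two requests for the quiet client. Real deployments would add per-path and per-ASN aggregation and a baseline rather than a fixed threshold, but the asymmetry the post describes is already visible: volume is trivial to spot, and a two-request intrusion leaves nothing for a volume detector to find.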

Point Three

DDoS attacks aren't new...the corporate world has been dealing with them for years. DDoS attacks are a favorite among extortionists, for example. The all-volunteer group formerly known as CastleCops put such a dent in cybercrime activities...that bad guys have been trying to DDoS them since 2006.

The methods of protecting against DDoS attacks are just as well known. Clearly, in this case...some sites were better prepared than others. According to the malware analysis conducted by the South Korean anti-virus firm Hauri (PDF)...many non-government sites were targeted.

Were these sites down for an extended amount of time? No. I wonder why?
Perhaps because they were better prepared for just this type of attack.

Nick Shapiro, a White House spokesman, said that as of the night of July 7, all federal Web sites were back up and running and that the attacks “had absolutely no effect on the White House's day-to-day operations."

"The preventative measures in place to deal with frequent attempts to disrupt's service performed as planned, keeping the site stable and available to the general public, although visitors from regions in Asia may have been affected," he added.

So perhaps instead of talking about a counterattack...the government should think about building a better defense overall.


  1. Excellent analysis. I'd argue a bit against "point one". I think technical information about the execution of the attack and reverse engineering the malware can give you important information about who is behind an attack. Obviously, that needs to fit in the context of all-source analysis, but IMO it's very informative.

    In this particular case, I'd argue that the technical evidence provided no evidence of a North Korean source or state-sponsored attack. The attack is unsophisticated, several pieces of code bolted together, and was ultimately ineffective. Based on that, I'd say the chances of it being a nation state are low.

    Likewise, there is little or no direct evidence of North Korean involvement. Most people are accusing NK based on the fact it targets the US and South Korea -- which is hardly evidence in my mind.

    My two working hypotheses about the source of the attack are:

    1. It's a stupid prank. This is suggested by the lack of sophistication of the software and the high likelihood the attack wouldn't produce significant impact.

    2. The botnet was hijacked by a competitor and they want it destroyed. This attack is very public and loud. Every AV maker out there is producing signatures and block lists. The more recent payloads are also killing infected machines. IMO, this option is most likely and has the largest evidence.

    When testing the malware, I got some traffic from China and Turkey. That doesn't necessarily imply a source, but it's consistent with what one might see in a typical criminal botnet based in Asia.

    The only thing that stands out as Korean are the targets, and a few characters that appear to be Korean. See: page 15.

    If it weren't for the targets selected this would have been a very boring botnet. The bot itself, traffic load, and attack vectors are all quite dated.

  2. Thanks Matt, I see your point on my first point...and perhaps the whole point would be better explained in this way - "don't jump to conclusions without all the information". Even network and security professionals from the private sector (which I assume don't have access to high-level classified intel) are stating that the connection to NK is weak.

    Now, is it possible that NK would like to wreck US & South Korean networks? Sure! Some would say highly likely!

    But if this DDoS was NK's attempt at taking us out (as some have stated in the mass media), then I think the two-bit cybercriminals are in a better position to take us out than the North Korean military.