Highlights
– Thousands of compromised computers attack public and private websites in the US and South Korea
– US and Korean government agencies along with government contractors are following three paths in an attempt to discover those responsible for the attacks
– South Korea will likely increase spending on cyber-security to address future attacks
On July 4, 2009 thousands of compromised computers participating in a botnet began attacking several public and private websites in South Korea and the United States. The distributed denial of service (DDoS) attacks were aimed at preventing legitimate connections to the websites – effectively knocking the sites offline. New waves of attacks – from an estimated 50,000 compromised computer systems located mainly in South Korea – continued throughout the week as the compromised computers received instructions from their controller to attack additional websites. The attacks prompted both governments to partner with private companies in setting up special task forces and research units to find those responsible.
Preliminary investigative results showed that the worm, which infected all of the computers participating in the botnet, resembled a fast-spreading e-mail worm from 2004 called “MyDoom.” The results also showed the worm was written around July 3, 2009, indicating it infected tens of thousands of computers in just a few days before they started attacking en masse.
Investigations
According to one official with the SANS Institute, a US-based computer security organization, the Department of Homeland Security (DHS), the National Security Agency (NSA) and a number of government contractors got involved in the investigation. The agencies are following three paths in an effort to gain some clues:
• Analysts are studying copies of the malicious code, which have been shipped out to dozens of cyber security companies. The analysts are looking for errors or other hints that would point them to the source.
• Investigators, including many who speak foreign languages, are roaming Internet chat rooms hoping to find someone bragging about the attacks or providing clues as to their origin.
• Others are following the electronic trail, tracing the attacks back to the initially infected computers.
Korea has taken its investigation one step further. On July 9, 2009 Korea’s National Police Agency and Seoul’s Central District Prosecutors’ Office, along with other government agencies, formed task forces to track down the origin and identity of those behind the attacks. Seoul’s Central District Prosecutors’ Office established an Internet crime investigation team consisting of 10 experts, while the National Police Agency formed a 24-member team solely devoted to the probe.
North Korean Fingerprints?
Some US officials have speculated that the attacks might be sponsored by the North Korean government or launched by hackers sympathetic to the country, given that many of the sites attacked were US and Korean government websites. According to a news report published by South Korea’s Yonhap news agency in May 2009, US and North Korean officials stated that Pyongyang has increased the country’s ability to launch a computer attack on both countries. According to a report published by the news agency on July 11, 2009, South Korea’s National Intelligence Service (NIS) on July 10 told lawmakers in a closed-door briefing that a North Korean research center called “Number 110” seems to have orchestrated the attacks. The research center, which comes under the wing of the General Staff of the People’s Army, “is a well-trained unit on cyber attacks,” the source told the news agency. We note, however, that analysts and former US government officials quoted on July 9, 2009 said that despite their best efforts, they believe there is about a 10 percent chance their investigation will produce a strong suspect.
Despite the small chance of either government being able to pinpoint those ultimately responsible, the attacks serve as a reminder of weaknesses still present in governmental cyber-security systems. In the near- to medium-term, we expect government officials and politicians to increase their demands for more research, personnel, and money to help fight the increased security risks to public and private information systems. Industry analysts expect the US federal government’s spending on cyber-security to grow at a compound annual growth rate of more than 8 percent, from $8.2 billion in 2009 to $12.2 billion in 2014.
Malware Set To Destroy Infected Computers
For over a week, computer security researchers have been poring over the code of the virus responsible for infecting the computers that are part of the attacking botnet, to see if they can glean any information about its authors and any future instructions.
According to the researchers, the virus was designed to download a payload from a set of Web servers. Included in that payload was a Trojan horse program that contained instructions to start copying files such as Microsoft Word and Adobe Acrobat documents into an encrypted container – inaccessible to the user – before deleting the files when the infected computer’s internal clock reached July 10, 2009. The Trojan was designed to overwrite the data on the hard drive with a message that reads “memory of the independence day,” followed by as many “u” characters as it took to write over every sector of every physical drive attached to the compromised system.
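A forensic triage check for the overwrite pattern described above, added here as an example and not code from the original report or from any of the investigating organizations. It assumes the marker string is written at the start of the drive (offset 0) and that the rest is the run of “u” bytes; the sample image is constructed, not real evidence.

```python
# Overwrite pattern as described in the report: the marker text, then "u"
# bytes until every sector of the drive has been written over.
WIPE_MARKER = b"memory of the independence day"
FILL_BYTE = b"u"
SECTOR_SIZE = 512  # assumed sector size for counting overwritten sectors


def inspect_wiped_image(image: bytes) -> dict:
    """Triage a raw disk image (or just its first sectors) for the wiper's
    overwrite signature. Assumes the marker sits at offset 0.

    Returns:
      wiped        - True if the image begins with the marker text
      fill_bytes   - length of the contiguous "u" run after the marker
      fill_sectors - whole sectors covered by marker + fill (0 if not wiped)
    A shorter-than-expected fill_sectors value on a known drive size suggests
    the wipe was interrupted and later sectors may still be recoverable.
    """
    if not image.startswith(WIPE_MARKER):
        return {"wiped": False, "fill_bytes": 0, "fill_sectors": 0}
    rest = image[len(WIPE_MARKER):]
    # lstrip removes the leading run of "u" bytes; the difference is its length.
    run = len(rest) - len(rest.lstrip(FILL_BYTE))
    overwritten = len(WIPE_MARKER) + run
    return {
        "wiped": True,
        "fill_bytes": run,
        "fill_sectors": overwritten // SECTOR_SIZE,
    }


def build_sample_image(total_sectors: int, intact_tail_sectors: int = 0) -> bytes:
    """Constructed sample only: marker, "u" fill, and optionally some untouched
    zero-filled sectors at the end to mimic a wipe that was interrupted."""
    wiped_len = (total_sectors - intact_tail_sectors) * SECTOR_SIZE
    body = WIPE_MARKER + FILL_BYTE * (wiped_len - len(WIPE_MARKER))
    return body + b"\x00" * (intact_tail_sectors * SECTOR_SIZE)


if __name__ == "__main__":
    print(inspect_wiped_image(build_sample_image(8)))
    print(inspect_wiped_image(build_sample_image(8, intact_tail_sectors=2)))
    print(inspect_wiped_image(b"\x00" * 1024))  # untouched image
```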
South Korea Likely To Increase IT Budget
Currently, South Korea is one of the most highly networked countries in the world, and in the near- to medium-term we expect the Korean government to boost the amount of money it spends on cyber-security to increase the protection of its economically vital digital infrastructure. Currently the government allocates less than one percent of its annual IT-industry budget to security, compared with 5-12 percent in other major economies.