
Cyber retaliation debate: Is North Korea guilty of DDoS?

Though at least one U.S. lawmaker has called on the government to take action against North Korea for cyberattacks that crippled some U.S. and South Korean websites last week, several security experts said Monday that there is not enough proof that the communist state is behind the incidents.

Rep. Peter Hoekstra, R-Mich., told The Washington Times' radio program last week that the attacks were state sponsored and “all fingers point to North Korea.” He urged the United States to send a strong message, warning that in the future, North Korea could shut down a banking system, manipulate financial data, or interfere with the electrical grid, and “people could be killed.”

“Whether it is a counterattack on cyber, whether it is more international sanctions...it is time for America and South Korea, Japan and others to stand up to North Korea,” Hoekstra said.

But several cybersecurity experts interviewed by SCMagazineUS.com cautioned that it would be merely speculative to blame North Korea.

“We have to be careful of pointing fingers,” Marcus Sachs, director of the SANS Internet Storm Center, said Monday. “There have been a lot of accusations that the North Koreans are behind it, and there's no actual proof. It's just conjecture.”

In addition, Graham Cluley, Sophos' senior technology consultant, said in a blog post on Monday that Hoekstra's claim of North Korea's involvement is “complete nonsense.”

“No evidence has been produced showing that the government of North Korea [is] behind the denial-of-service attacks,” Cluley said.

Rob Housman, acting executive director at analysis and advocacy organization the Cyber Security Institute, said he understands Hoekstra's frustration and thinks the event should illustrate that the United States must secure its infrastructure.

“Whoever it is, all these entities are looking for an advantage and preparing to use this advantage in a time of conflict,” Housman said.

The DDoS attacks began over the July 4 weekend and targeted various United States and South Korean government, military and financial institution websites, including the Federal Trade Commission (FTC), the White House, the New York Stock Exchange and NASDAQ. One of the hardest hit government sites was the FTC, which became unavailable after being pummeled with bogus traffic packets.

Various law enforcement and intelligence services in the United States and South Korea are on the case, but they are facing numerous challenges to finding out who is responsible, Sachs said.

“The odds are extremely slim that we will find out who did it, but a lucky break could happen,” Sachs said.

It is difficult to find the culprit because the attacks were launched by a botnet made up of tens of thousands of zombie computers that were infected with malicious code, Sachs said. So the attack traffic came from computers around the world, directed by some person or group of people controlling the botnet.

Also working against law enforcement agencies is the cost of such an investigation in relation to the damage that was done, Sachs said. Especially in a down economy, it may be hard to justify pouring a lot of money into an investigation of an event that did not cause significant data loss or monetary damage.

All of the targeted sites in both the U.S. and South Korea now are operating normally, according to U.S. cybersecurity experts and government officials.

In South Korea, the attacks targeted banking institutions and halted some services, according to a news release issued by the South Korean government. In response to the event, South Korea is preparing to fast-track a cybersecurity center, according to a report in The Korea Herald. The center was supposed to be established next year but now will be created within the year, and will be responsible, among other tasks, for protecting major economic and financial organizations against future DDoS attacks.

Sachs said this incident should serve as a lesson that DDoS is an old style of attack, and there are services and technologies that can mitigate it.

And once internet service providers were made aware of the situation, they were able to detect and block the flood of traffic coming from the compromised computers.

“From talking to various ISPs, that's been the No. 1 thing,” Sachs said. “As soon as they realized there was a problem, they were able to assist and lessen the impact of it.”
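The ISP-side detection Sachs describes, as an added illustration that is not part of the article: it classifies constructed per-flow records for a short window and shows why a botnet flood (tens of thousands of sources, each sending a little) slips past a per-IP rate limit and has to be caught on the aggregate rate toward the target. The flow format, thresholds and sample addresses are all assumptions made for this example.

```python
# Added example, not from the article: aggregate-rate flood detection over
# constructed flow records (src, dst, packets seen in one 10-second window).
from collections import defaultdict

WINDOW_SECONDS = 10

# Constructed sample: background traffic, a botnet flood from 400 sources
# that each stay under a per-IP limit, and one single-source flood.
SAMPLE_FLOWS = (
    [(f"198.51.100.{i}", "203.0.113.10", 20) for i in range(1, 6)]
    + [(f"10.0.{i // 256}.{i % 256}", "203.0.113.20", 50) for i in range(400)]
    + [("192.0.2.99", "203.0.113.30", 40000)]
)


def detect_floods(flows, window=WINDOW_SECONDS, pps_threshold=1000,
                  min_sources=50, per_ip_limit=100):
    """Return, per destination, the aggregate packet rate, distinct source
    count, the busiest single source's rate, whether a per-IP limiter would
    have fired, and a verdict: normal / single-source flood / distributed flood."""
    per_src = defaultdict(int)          # (dst, src) -> packets in window
    for src, dst, pkts in flows:
        per_src[(dst, src)] += pkts

    by_dst = defaultdict(dict)          # dst -> {src: packets}
    for (dst, src), pkts in per_src.items():
        by_dst[dst][src] = pkts

    report = {}
    for dst, sources in by_dst.items():
        total_pps = sum(sources.values()) / window
        max_source_pps = max(sources.values()) / window
        if total_pps < pps_threshold:
            verdict = "normal"
        elif len(sources) >= min_sources:
            verdict = "distributed flood"   # botnet pattern: many low-rate sources
        else:
            verdict = "single-source flood"
        report[dst] = {
            "pps": total_pps,
            "sources": len(sources),
            "max_source_pps": max_source_pps,
            "per_ip_limit_hit": max_source_pps > per_ip_limit,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for dst, summary in detect_floods(SAMPLE_FLOWS).items():
        print(dst, summary)
```

The distributed case is the one the article describes: no single zombie exceeds the per-IP limit, so only the destination's aggregate rate, which an upstream ISP can see, reveals the flood.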
