After much speculation that North Korea was responsible
for the cyberattacks against U.S. and South Korean websites
, new evidence shows that the attacks trace back to a "master server" in the U.K.
But a cybersecurity expert in the United States warned that before declaring the case closed, it would be wise to consider whether the master server was compromised and controlled by someone else.
Vietnamese security vendor, Bach Khoa Internetwork Security, reported in a blog post
on Tuesday that it analyzed a sample of the malware used in the attacks, said to be a variant of the MyDoom worm
. The researchers were able to trace the sample, provided by the Korean Computer Emergency Response Team, back to eight command-and-control servers connected to a master server based in the U.K.
By gaining control of two of the eight command-and-control servers, the researchers were able to analyze their logs and find the IP address of the master server they were being controlled by, they said.
“Having located the attacking source in U.K., we believed that it is completely possible to find out the hacker,” Bach Khoa said in its blog post.
But Marcus Sachs, director of the SANS Internet Storm Center, said this does not necessarily mean the attack was launched by someone in the U.K.
“Just because a ‘master' has an IP address registered in the U.K. does not mean that a person in the U.K. is behind it all,” Sachs told SCMagazineUS.com in an email Tuesday.
It is possible that whomever is responsible for the attacks is leveraging other compromised machines, located outside of the U.K., to give the master its instructions, Sachs said.
In its analysis, Bach Khoa also found that 166,908 compromised machines from 74 countries were used to launch the attacks. Formerly, cybersecurity researchers believed that up to 60,000 zombies were used in the attack. Most of the offending machines were located in South Korea, the United States and China.