North Korea or its sympathizers were behind the cyber-attacks that paralyzed a handful of South Korean Websites, including a United States military site earlier this year, according to McAfee.
The malware behind the distributed denial of service attacks that crippled South Korean government sites were highly sophisticated and had numerous capabilities designed to make it stealthy and resilient, according to an in-depth analysis released by McAfee July 5.
McAfee researchers worked with representatives from the South Korean and U.S. governments to complete the analysis, which included details on how the attacks were carried out and why they were so difficult to defend against.
The attack began March 4 when thousands of computers took part in a distributed denial of service attack against 14 Websites in South Korea, including government agencies, prominent businesses and U.S. Forces Korea. The attacks lasted 10 days, after which the malware was designed to self-destruct, according to McAfee.
Considering the botnet was launching aDDoS attack, it was "unusually destructive," Georg Wicherski, a McAfee security researcher, wrote on the company's blog. "In fact, it was analogous to bringing a Lamborghini to a go-cart race," Wicherski said.
The botnet, based in South Korea, used multiple encryption algorithms, including AES, RS4 and RSA, to obfuscate numerous parts of the code and configuration, making analysis challenging, according to Wicherski. Over 40 globally distributed command-and-control servers in countries such as the U.S., Taiwan, Saudi Arabia, Russia and India, dynamically updated infected machines in the botnet with new malware binaries. The botnet had likely infected the machines earlier with malware, which had lain dormant until the instructions were issued to launch the DDoS attack, according to McAfee's analysis.
After the attack ended, the malware deleted and overwrote key files such as the source code and documents before corrupting the master boot record of the system it was installed on, rendering the machine unbootable.
"The level of encryption and obfuscation at all layers of the malware and its distribution method, as well as the quick follow-on destruction of data and machines, indicate that one of the key objectives was to impede rapid analysis and remediation by the Korean authorities," Wicherski said.
McAfee researchers compared the incident with a similar attack 20 months earlier, on July 4, 2009, against 40 South Korean and U.S. Websites. The latest attack was "dramatically" more sophisticated, Wicherski said. The attackers clearly learned from the earlier incident, as 14 of the South Korean targets remained the same, but all the U.S.-based sites, including the White House, State Department and the Federal Trade Commission, were dropped. Wicherski said there was a "95 percent chance" that the same group behind the 2009 attacks committed this new attack.
"It was also clear from our analysis of the code that multiple individuals who may not have been in close coordination were responsible for developing its various parts," Wicherski said.
The attacks were likely designed to test South Korea's cyber-defense and response, and may have been "an armed cyber-reconnaissance operation," Wicherski said. The attackers, whether they are part of the North Korean military as the South Korean government claimed or its sympathizers, are likely testing the defenses and reaction time of the government and civilian networks to a well-organized attack, Wicherski concluded.
McAfee acknowledged there was no clear proof that North Korea was behind the attacks.