Who is behind the US/S Korea Cyber Attacks?
Last Updated on Thursday, 9 July 2009 03:46 Written by admin Thursday, 9 July 2009 03:46
Like many of my colleagues, I have spent much of the past 24 hours examining what little evidence is available to determine who was behind the DDoS attacks on U.S. and South Korean government and commercial Web sites. Project Grey Goose researchers came to the same conclusions that other security firms have reached – there is no hard evidence in the code that points to the DPRK, and there are some characteristics that tend to rule out its development by DPRK programmers:
- It’s based on the code base of a very old virus – MyDoom.
- It appears to be a patchwork of scripts rather than any custom coding, so it was done by someone who is most likely not a coder.
- There was no attempt made to avoid AV signatures.
- There is some evidence that it was either written to target Korean language systems or the author used a Korean language email template.
Why would these characteristics rule out an official DPRK operation? Because although the DPRK suffers from some extreme limitations in its power grid, telecommunications infrastructure, etc., its defense complex is the country’s second largest industry, and part of its relatively large military budget goes to training highly educated young North Koreans in one of 7 technical research facilities, the top 3 being:
Pyongyang Informatics Center (PIC)
Today the PIC employs over 200 qualified software engineers whose average age is 28 years, with 1.5 computers per person [Park 01]. The PIC primarily focuses on software development and is responsible for the development of the General Korean Electronic Publication Systems, 3D CAD, embedded Linux software, web applications, interactive programs, accounting software, and more recently virtual reality software. It is reported that the PIC is responsible for developing the filters to be used between the Kwang Myong Intranet and the Internet.
Korea Computer Center (KCC)
The KCC was established in 1990 by Kim Il Sung to promote computerization in the DPRK. At its inception, the KCC employed approximately 800 employees who appeared to have an average age of 26. Today Kim Jong Il’s son Kim Jong Nam, who also heads North Korea’s intelligence service, the State Security Agency (SSA), heads the KCC. Kim Jong Nam is also the chairman of North Korea’s Computer Committee. In May 2001 the South Korean newspaper The Chosun Ilbo reported that Kim Jong Nam had moved the SSA’s overseas intelligence gathering unit, which operates primarily by hacking and monitoring foreign communications, into the KCC building. In 2001, South Korean media reported that the KCC was nothing less than the command center for Pyongyang’s cyber warfare industry, masquerading as an innocuous, computer geek-filled software research facility.
Silver Star Laboratories (Unbyol)
The Silver Star Laboratories (SSL) was established in 1995 under the Korean Unbyol General Trading Corporation. According to Kang Yong Jun, the director of SSL, the average age of the researchers at SSL is 26 years, with most graduating from Kim Il Sung University and other distinguished universities across the country. Prospective employees are usually graduates of the Pyongyang Senior Middle School No.1, a genius-training center.
SSL has developed such programs as Silver Mirror, a remote control program, communications, and artificial intelligence software. SSL also produces several language recognition programs and multimedia software, in addition to taking special orders from foreign companies [KCNA 98]. The SSL won the championship at the fourth and fifth annual FOST Cup World Computer Go Championship competitions held in 1998 and 1999, respectively.
In other words, this rather small, amateurishly crafted botnet would not have passed muster at any of the official IT research facilities associated with the DPRK. These are well-educated individuals, some having attended the Indian Institute of Technology (one of the world’s top technology schools), and the quality of their work is high.
That leaves the most likely candidate to be a non-state Korean hacker living in China or Japan who saw an opportunity to embarrass the U.S. and South Korea and took it. Once the malware proved itself in its first round of attacks, I suspect that this individual found some allies who expanded the target list and may make some additional modifications (such as adding a C&C component) in the near future.
The information on the DPRK’s technical schools came from DEVELOPING A RELIABLE METHODOLOGY FOR ASSESSING THE COMPUTER NETWORK OPERATIONS THREAT OF NORTH KOREA by Christopher Brown, NPS September 2004, which is by far the best review of DPRK’s Information Warfare capabilities that I have found.
[...] in ubiwar by Tim Stevens on 10 July 2009 I’ve been waiting for this. Jeff Carr provides his assessment of why DPRK might not be the driving force behind the recent DDoS attacks on US and South Korea. In [...]
Excellent post as always.
The KCIA blew some of their reputation in the late 1990s because of spreading disinformation; however, they (with a name change) have managed to be a bit more persistent as to their message. For instance, they have been saying since 2004 that the “Automated Warfare Institute” is graduating 100 programmers a year, an assertion that was repeated only on June 4th in the ROK English press.
Here is one of the original articles back in the day:
http://english.chosun.com/w21data/html/news/200405/200405270038.html