McAfee: Attacks on South Korea Likely Cyberwar Exercise

Wednesday, July 06, 2011



Researchers at McAfee have released a report which examines in detail the March attacks against targets in South Korea, and concludes that the attacks were most likely a cyberwar exercise, possibly conducted by North Korea.

The report, titled "Ten Days of Rain", suggests that the distributed denial of service attacks were aimed at measuring South Korean mitigation efforts and response time in an effort to better hone future attacks.

"While the attack itself seems fairly generic at first glance, there are several things that make this particular combination of targets, malware, and botnet activity different from many we’ve analyzed, warranting our investigation," the report states.

Given the blatant lack of stealth employed in the attack, McAfee researchers believe the operation was not geared towards espionage activities in an effort to steal sensitive data from the government and military systems that were targeted.

"This wasn’t a surgical strike; it was more like a sledgehammer, as most DDoS attacks are. As such, it was noisy, making it easier to detect than a stealthy attack that might be used to steal sensitive data."

McAfee also points out that the operation was designed to last only for a predetermined period before self-destructing - features typically not employed by criminal networks.

"Several steps were taken to ensure that the mission was executed without interruption, within the predefined attack window—and following, ensuring that all vehicles of attack would be destroyed, thus limiting forensic analysis."

Researchers also point out that the complicated nature of the attack, the extensive use of encryption, and the botnet's built-in resiliency do not make sense in light of the pre-programmed ten-day attack period.

"The level of technical sophistication behind Ten Days of Rain, being used for the relatively simplistic act of a DDoS attack, doesn’t track. Why was so much cryptographic work utilized? Why was a multitier architecture, designed to be so resilient to takedowns, used if the operational life of the bots was only 10 days? Why not keep control of the compromised hosts; why not utilize those systems for future tasks instead of self-destructing?"

Since the evidence indicates that the operation was not designed in a similar fashion as the typical botnet employed by criminal syndicates, McAfee concludes that the attacks must have been structured purely as a cyberwarfare exercise to collect intelligence on South Korea's cyberdefense posture and preparedness.

"This may have been a test of South Korea’s preparedness to mitigate cyberattacks, possibly by North Korea or their sympathizers... the attack itself was very limited and may have been utilized to test and observe how quickly the attack would be discovered, reverse engineered, and mitigated."

McAfee researchers go on to suggest that the data gleaned from the operation could be crucial for fine-tuning future attacks, and that those attacks could be employed in conjunction with traditional military offensive actions.

"Armed with this knowledge, the aggressor could launch cyberattacks, possibly in conjunction with kinetic attacks, with a greater understanding of South Korea’s incident response capabilities. As such, the attackers could better understand their own requirements for a successful campaign."

The researchers conclude that the overwhelming weight of the evidence points to a test of South Korean cyberdefenses that was most likely conducted under the direction of a state sponsor.

"The combination of technical sophistication juxtaposed with relatively limited execution and myopic outcome is analogous to bringing a Lamborghini to a go-cart race. As such, the motivations appear to outweigh the attack, making this truly seem like an exercise to test and observe response capabilities."

The full McAfee report can be found here:
