10 Days of Rain in Korea

On March 4th of this year, exactly 20 months to the day of a similar incident on US Independence Day in 2009, a botnet based out of South Korea launched Distributed Denial of Service (DDoS) attacks against 40 sites affiliated with South Korean government, military and civilian critical infrastructure as well as U.S. Forces Korea and the U.S. Air Force Base in Kunsan, South Korea.

Fourteen of the targets were the same as in the 2009 attacks, but nearly all of the U.S.-based targets such as The White House, State Department, FAA and FTC were removed from the target list. The modus operandi of the attacks was identical and unusually destructive for typical botnet attacks: the botnet, based in South Korea, was dynamically updated via new malware binaries, launched a relentless DDoS for slightly over a week, and then destroyed the machines it was deployed on by overwriting with zeroes and then deleting key data files such as source code, documents and then zeroing-out the Master Boot Record (MBR) to render the computers unbootable.

In March 2011, however, the level of sophistication was dramatically ramped up, especially for something as simple as a DDoS attack. In fact, it was analogous to bringing a Lamborghini to a go-cart race. Multiple encryption algorithms, such as AES, RC4, and RSA were used to obfuscate numerous parts of the code and configuration of the attack components to slow down the analysis. Over 40 globally distributed multi-tier Command & Control servers (USA, Taiwan, Saudi Arabia, Russia and India accounted for over half of all of servers) were used to dynamically update the malware and its configurations in a fashion designed to be highly resilient against takedowns. It was also clear from our analysis of the code that multiple individuals who may not have been in close coordination were responsible for developing its various parts.

So what was the goal of these attacks and why was so much effort employed to do something that’s fairly trivial in this day and age – flood a Web site with purposeless traffic to slow it down or bring completely offline? We believe this incident, which we estimate has a 95% chance of being perpetrated by the same actors as July 4th 2009 attacks, has very clear anti-Korean and anti-U.S. political motivations and potentially is even more insidious. The level of encryption and obfuscation at all layers of the malware and its distribution method, as well as the quick follow-on destruction of data and machines, indicate that one of the key objectives was to impede rapid analysis and remediation by the Korean authorities. This may very well have been a test, an armed cyber reconnaissance operation of sorts, perhaps conducted by the North Korean military as the South Korean National Intelligence Agency has asserted, to test the defenses and more importantly the reaction time of the Korean government and civilian networks to a well-organized and highly obfuscated attack. Knowing that would be invaluable in a possible future armed confrontation on the peninsula, since cyberspace has already become the fifth battlespace dimension, in addition to land, air, sea, and space.

We have published an in-depth paper on this incident and McAfee’s analysis of it, detailing information about:

• The target Web sites and methodology of the DDoS attacks
• The different cryptographic algorithms in place and how they have been used to deter analysis
• Interesting mistakes made by the actors involved
• Attribution theory and analysis of intent

As with most initiatives at McAfee, this was a team effort bringing together researchers from McAfee Labs with other departments at McAfee, our partners, and our customers. I would like to give a special thanks to the US-CERT, Department of Defense analysts, and AhnLabs, as well as our own – Dmitri Alperovitch, Brian Contos, Sven Krasser – and countless others for their tireless effort, support, and fighting the good fight every day.