Analysis: Was North Korea behind the DDOS attack?

The evidence is sketchy at best

The cyberattacks that took down prominent U.S. and South Korean Web sites in the last week have apparently ended but the search for those responsible is only just beginning. North Korea has emerged as a likely culprit, especially among politicians, but was it really behind the attacks?

The country makes a convenient target for blame. After the six-nation talks broke down, the country reneged on its pledge to halt nuclear development and has been rattling the cages of the U.S. and South Korea with a nuclear test and several short and medium-range missile launches. The latest launches, of seven missiles, were taking place as the cyberattacks began on prominent U.S. Web sites on July 4 -- the country's Independence Day holiday.

North Korea's name first came up earlier this week when government officials in the U.S. and South Korea started pointing fingers, but none was willing to go on the record -- typically a hint that the information might not be proven. Nevertheless, the reports gave added validity to the notion that North Korea was behind the DDOS (distributed denial of service) attacks and the suspicion began to feed off itself and grow.

On Friday, South Korea's National Intelligence Service (NIS) said in a private briefing for lawmakers that a division of the North's army was to blame, according to attendees quoted by local media. The NIS has yet to make a public statement on the matter.

Security researchers aren't so sure.

"The timing is auspicious, but none of the data I have suggests North Korea," Jose Nazario, a senior security researcher at Arbor Networks, told CSO earlier this week. Joe Stewart, director of director of SecureWorks' counter-threat unit, told Computerworld, "There's nothing in there to suggest that it's state sponsored."

"Still zero evidence of North Korean involvement," said Stewart when contacted Friday for an update.

Could North Korean even launch such an attack?

The country is generally technically backward. There are just over a million telephone lines installed in the country of 26 million people, home PCs are rare and Internet access is heavily restricted, but advancing in IT has been one of the nation's prime goals since supreme leader Kim Jong-Il made it so at the turn of the century.

Most of North Korea's IT expertise is centered on the Korea Computer Center, Kim Il Sung University and Kim Chaek University of Technology. There, students study computer programming, have limited Internet access and, according to some experts, are fed into the Kim Il-Sung Military Academy where they receive specialist cyberwarfare training.

Those who've seen North Korea's IT expertise have been generally impressed by its level of sophistication. In a report in 2004 South Korea's Defense Ministry warned that North Korea was training as many as 600 hackers and its level of competence had already reached that of advanced countries.

North Korea's sophistication in hacking makes it less likely to be behind the attacks, said some researchers. The code used in the attacks was based on the MyDoom virus from several years ago and there's no attempt to get around antivirus software -- surely something an attack by knowledgeable programmers would do.

Even if it was behind the attacks, spotting North Korean Internet traffic can be a tricky business.

While the country has its own block of IP (Internet Protocol) addresses, none of them are apparently in use and the few North Korean Web sites that exist on the Internet are almost all located in China or Japan.

Instead, connectivity for the country comes via connections to Chinese providers and that would make the traffic appear as Chinese. It would only be with more careful analysis of the individual addresses in use that it might be possible to suspect North Korean data.

To date there's no hard evidence of where the attacks came from, so no party can be ruled out. The governments of other nations, which are almost certainly all involved in the same, murky world of cyberespionage, do their best to hide their tracks, so why wouldn't North Korea do the same?

The true origin of the week's attacks is likely never to be known, but one thing's for sure: As the world comes to rely more and more on the Internet and computers, they won't be the last.

Copyright © 2009 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon