On the Fourth of July, 36 popular Internet sites and government web pages in South Korea and the United States were targeted in an attempt to knock them offline. An initial slowness or unavailability of sites such as www.president.go.kr, mail.naver.com, and www.faa.gov began to look suspicious, and operators of those sites reported that they were receiving an enormous spike in nonsense Internet traffic, up to an extremely unusual 20 to 40 gigabytes per second. This was the beginning of a long-lasting and resilient distributed denial-of-service (DDoS) attack on 13 Korea-based and 23 US-based web sites which has lasted the entire week, and is not yet finished. Although the culprit has not yet been identified, an analysis of the attack can give several clues as to the motivations of the attacker and the objectives of the attack.
A DDoS attack is an attack performed by what can be euphemistically called a massive choir of computers which all send information requests to the same set of targets under the direction of a malicious person who has gained control of them using a computer virus. This particular choir of computers, usually called a botnet, was unusually large and sent an unusually large amount of information to its targets, 10 times larger than the normal expected size of a DDoS attack. After some analysis, computer security experts have said that this botnet was created using a modification of the 5 year old MyDoom virus, which became famous in 2004 for being the fastest-spreading email virus in history. Computers located in 16 different countries are being used in the attack. The virus was distributed with a list of 36 web sites to attack, and the start date of July 4th. There have been some rumors saying that the virus includes one more command - to completely overwrite the hard drives of the infected computers on July 10th, destroying the botnet and leaving no trace behind, but that has not yet been confirmed.
Temporary Effects
The immediate effect of the attack was a mild media panic. Popular web portals and banks in Korea were targeted, causing people to immediately take notice. The hit list of the virus itself included both Korean and US web sites. Sites in Korea included a cornucopia of Nonghyup Bank, KEB Bank, Shinhan Bank, Naver Blogs, Naver Mail, Auction.co.kr, the Chosun Ilbo newspaper, the Grand National Party, the National Assembly, the Ministry of National Defense, the Ministry of Foreign Affairs and Trade, the Blue House, and US Forces Korea. This smattering of bank web sites, one newspaper, one e-commerce site, one political party, and several government web portals does lend itself to some analysis.
In the US, there were more sites affected. Private sector web sites included Amazon.com, Yahoo, Yahoo Finance, the NASDAQ, US Bank, the New York Stock Exchange, The Washington Post, US Auctions Live, MarketWatch, and Site-by-Site. Some of these web sites are still offline, and one - US Auctions Live - has been dropped by its Internet Service Provider because of the attack, and is in the process of moving to another host. There were also a laundry list of US government departments affected: the US Department of State, Department of Homeland Security, Department of Transportation, Federal Aviation Administration, Federal Trade Commission, National Security Agency, US Treasury, Voice of America radio station, White House, and US Department of Defense. A few of the sites are still inaccessible as of this writing, but it was reported that the White House web site was able to quickly filter out the offending traffic and maintain its online presence without interruption.
All the major news sites in both Korea and the US picked the story up immediately, and the Korean National Intelligence Service was quick to point the finger at North Korea. However, there has been some problem coming up with evidence to support this allegation, in fact there is not yet any evidence of who or what could be responsible for the attacks at all.
Circumstantial Confusion
The only evidence that anyone has so far is the circumstantial evidence of the attack itself. Some thought about the attack can yield deductions which seem to point to a politically-motivated statement by a single amateur individual or a small group of amateurs.
The first important aspect of the attack to consider is what it did not do. For all of the governmental organizations attacked, the most the attack did was publicly embarrass them a little. The web sites involved are not critical to the day to day functions of the governmental departments, so their operations have not been affected; only their pride has been damaged. No data was lost or stolen, no havoc was wrought. The bank web sites are a little more important - bank customers would have been inconvenienced and could not have done online banking during the disruption. The financial sites probably lost advertising revenue, but nothing too serious. Auction.co.kr and Amazon.com might have lost money by being inaccessible to their customers, and as such were potentially the hardest hit. But this is all temporary. The attack was not designed to gain anything or destroy anything permanently - it was only designed to create a media stir and make a statement of some sort.
The second important aspect of the attack to consider is the targets. The person or persons responsible have definitely made their enemies clear - they do not like South Korea and the US very much at all. In Korea, they don't like banks, one online auction site, government organizations, the conservative Grand National Party, the conservative Chosun Ilbo newspaper, or the online portal Naver.
However, in the US their targets become more confusing. They don't like badly-designed, unpopular investment information sites, the New York stock exchange and the NASDAQ, booksellers, one bank, one liberal newspaper, Yahoo.com, and a host of government agencies. These targets do have some consistency - financial and government sites, but some additions are just confusing. Why go after one conservative paper in Korea and one liberal paper in the US Why go after Auction.co.kr in Korea and Amazon.com in the US Why attack those specific banks in Korea and only one bank in the US
Even more confusing is the sites that they did not target. Why go after the Korean online portal Naver and not its rival Daum Auction.co.kr is small potatoes compared to the company which recently acquired it - eBay.com. Yahoo is a respectable target with about a 10% share of the online search market, but what about search giant Google This rather confusing list of targets with its unusual omissions seems to be the work of a somewhat out of touch liberal anti-capitalist, or him and his friends.
Finally, one should also consider the technical method used to instigate the attack. The virus is five years old and rather famous. According to security experts it has been sloppily modified to fit its current role. While the size and strength of the botnet is impressive, that is something that only takes time to develop. Also, similar methods have been used in the past by groups of amateur hackers for political reasons - in Estonia and in Georgia. In Estonia, political disagreements with Russia caused Russian hackers to attack and attempt to deface Estonian political and government web sites in 2007. Also, in the recent Georgia-Russia conflict, evidence suggests that the Russian government offered web site target lists to Russian hackers, who enthusiastically set up smaller-scale botnet attacks similar to this one to disrupt Georgian government web sites. The evidence here seems to point strongly to another amateur attack, similar to those used by Russian hackers against Estonia and Georgia, not a government or professional organization.
So, while the truth is not clear yet, the current circumstantial evidence seems to point to a slightly out-of-touch anti-capitalist amateur hacker or group of hackers associated with the liberal Korean political scene who are seeking to make a statement. And, just to make them upset, they should be labeled hooligans, or perhaps cyber-hooligans. This attack is most likely a quasi-professional, highly technical rage against the capitalist machine. It may be annoying, but will have no lasting effects, and is probably not the harbinger of peninsular war.
