Softpedia
 


July 6th, 2011, 18:14 GMT · By

McAfee Suggests North Korea Was Behind DDoS Against South's Websites

North Korea possibly testing South's anti-DDoS capabilities with attacks
Security giant McAfee claims that DDoS attacks against South Korean websites seen back in March might have been a North Korean exercise.

According to a newly published McAfee report called "Ten Days of Rain" [pdf], the malware used to carry out the attacks was configured to disable itself after ten days.

Furthermore, it used complex obfuscation and cryptographic ciphers not commonly encountered in cybercriminal malware, let alone in malware designed for denial of service.

The attacks occurred at the beginning of March and targeted almost thirty governmental and military websites in South Korea, including that of U.S. Forces Korea (USFK).

The infected machines that participated in the attack were spread across 18 countries, but most of them were located in South Korea.

South Korean officials claimed at the time that the attacks had little impact because of the anti-DDoS measures implemented by KrCERT/CC after the crippling attacks of 2009.

Back in July 2009, a botnet of 60,000 computers attacked many commercial and governmental websites in South Korea. Because many of the infected machines used in the attack were located in the country, the incident affected the entire Internet infrastructure, slowing connectivity down to a crawl.

Following the incident, South Korean authorities launched a large-scale campaign to clean the infected computers and educate users about cyber threats.

The piece of malware used in the March attack was very similar to the one used in 2009. Both were configured to disable themselves after a predefined period of time, but the one used this year displayed a higher level of sophistication, especially in the command and control infrastructure.

All of these details have led McAfee analysts to conclude that the attacks were cyberwar exercises probably executed by North Korea in order to test the South's defense capabilities.

"This stuff is much more insidious and much more dangerous to national security than what Anonymous is doing," Dmitri Alperovitch, vice president of threat research for McAfee Labs, told Reuters.
