U.S. authorities on Wednesday eyed North Korea as the origin of the widespread cyber attack that overwhelmed government Web sites in the United States and South Korea, although they warned it would be difficult to definitively identify the attackers quickly.
The powerful attack that targeted dozens of government and private sites underscored how unevenly prepared the U.S. government is to block such multipronged assaults.
While Treasury Department and Federal Trade Commission Web sites were shut down by the software attack, which lasted for days over the holiday weekend, others such as the Pentagon and the White House were able to fend it off with little disruption.
The North Korea link, described by three officials, more firmly connected the U.S. attacks to another wave of cyber assaults that hit government agencies Tuesday in South Korea. The officials said that while Internet addresses have been traced to North Korea, that does not necessarily mean the attack involved the Pyongyang government.
The officials spoke on condition of anonymity because they were not authorized to speak publicly on the matter.
Additional wave
A South Korean computer security company says an additional wave of cyber attacks is expected to hit major Web sites later Thursday.
Seoul-based antivirus software developer AhnLab said it has analyzed a virus program that sent floods of Internet traffic to paralyze Web sites in the two countries. It found that sites in South Korea would be targeted in a new wave of attacks from 6 p.m. (0900 GMT) Thursday, spokeswoman Hwang Mi-kyung said.
Seven Web sites are likely to be targeted, including those of the Ministry of Public Administration and Security, Kookmin Bank and the mass-circulation Chosun Ilbo newspaper, she said.
South Korean intelligence officials have identified North Korea as a suspect in the attacks and said that the sophistication of the assault suggested it was carried out at a higher level than just rogue or individual hackers.
U.S. officials would not go that far and declined to discuss publicly who may have instigated the intrusion or how it was done.
{
"type": "Slideshow",
"element": null,
"html": null,
"ecommerceEnabled": false
}The fact that a series of computers were involved in an attack, Reitinger said, "doesn't say anything about the ultimate source of the attack."
"What it says is that those computers were as much a target of the attack as the eventual Web sites that are targets," said Reitinger, who heads DHS cybersecurity operations. "They're just zombies that are being used by some unseen third party to launch attacks against government and nongovernment Web sites."
Targets of the most widespread cyber offensive of recent years also included the National Security Agency, Homeland Security Department and State Department, the Nasdaq stock market and The Washington Post, according to an early analysis of the software used in the attacks.
The Associated Press obtained the target list from security experts analyzing the attacks. They provided the list on condition of anonymity because they were not authorized to discuss the investigation.
Other experts in cyber assaults said the incident shined a harsh light on the U.S. government's efforts to protect all of its agencies against Web-based attacks.
‘We are disorganized’
James Lewis, a senior fellow at the Center for Strategic and International Studies, said the fact that both the White House and Defense Department were attacked but didn't go down points to the need for coordinated government network defenses.
"It says that they were ready and the other guys weren't ready," he said. "We are disorganized. In the event of an attack, some places aren't going to be able to defend themselves."
The wave of cyber assaults are known as "denial of service" attacks. Such attacks against Web sites are not uncommon and are caused when sites are so deluged with Internet traffic that they are effectively taken offline. Mounting such an attack can be relatively easy and inexpensive, using widely available hacking programs, and they become far more serious if hackers infect and tie thousands of computers together into "botnets."
Joe Stewart, director of malware research for the counterthreat unit of SecureWorks Inc., said there's no indication yet of a claim of responsibility hidden anywhere in the program behind the attacks. Stewart and other researchers are analyzing the code for clues about the attacker's identity.
Stewart noted that the attacks on U.S. government sites appeared to expand after the initial assaults over the holiday weekend failed to generate any publicity. He said the "target list" contained in the program's code had only five U.S. government sites on it on July 5, but were broadened the next day to include nongovernment sites inside the U.S.
The following day, the South Korean Web sites were added.
"It seems to me they thought the first round wasn't successful ... they felt they weren't getting enough attention because nobody was talking about their attacks," Stewart said.
‘Absolutely no effect’
The cyber assault on the White House site had "absolutely no effect on the White House's day-to-day operations," said spokesman Nick Shapiro. He said that preventive measures kept whitehouse.gov stable and available to the general public but that Internet visitors from Asia may have experienced problems.
All federal Web sites were back up and running, Shapiro said. A State Department spokesman said the agency's site was up but still experiencing problems. A Web site for the U.S. Secret Service had experienced access problems but did not crash, the agency's spokesman said.
The cyber attack did not appear, at least at the outset, to target internal or classified files or systems, but instead aimed at agencies' public sites, creating a nuisance both for officials and the Web consumers who use them.
Ben Rushlo, director of Internet technologies at Keynote Systems, said problems with the Transportation Department site began Saturday and continued until Monday, while the FTC site was down Sunday and Monday.
Keynote Systems is a mobile and Web site monitoring company based in San Mateo, Calif. The company publishes data detailing outages on Web sites, including 40 government sites it watches.
According to Rushlo, the Transportation Web site was "100 percent down" for two days, so that no Internet users could get through. The FTC site, meanwhile, started to come back online late Sunday, but even on Tuesday Internet users still were unable to get to the site 70 percent of the time.
Dale Meyerrose, former chief information officer for the U.S. intelligence community, said that at least one of the federal agency Web sites got saturated with as many as 1 million hits per second per attack — amounting to 4 billion Internet hits at once. He would not identify the agency, but he said the Web site is generally capable of handling a level of about 25,000 users.
Meyerrose, who is now vice president at Harris Corp., said the characteristics of the attack suggest the involvement of between 30,000 to 60,000 computers.
The widespread attack was "loud and clumsy," which suggests it was carried out by an unsophisticated organization, said Amit Yoran, chief executive at NetWitness Corp. and the former U.S. government cybersecurity chief. "This is not the elegance we would expect from sophisticated adversaries."
Officials agreed, however, that the incident brings to the forefront a key 21st-century threat.
"It tells you that cyber attacks are real. It's a very serious problem and one of the more serious facing us, along with terrorism, and China and Russia are the main threats," said Rep. Dutch Ruppersburger, D-Md., who was briefed on the incident.
The Korea Information Security Agency also attributed the attacks to denial of service.
Yang Moo-jin, a professor at Seoul's University of North Korean Studies, said he doubts whether the impoverished North has the capability to knock down the Web sites.
But Hong Hyun-ik, an analyst at the Sejong Institute think tank, said the attack could have been done by either North Korea or China, saying he "heard North Korea has been working hard to hack into" South Korean networks.
N. Korean sympathizers behind attacks?
On Wednesday, the National Intelligence Service told a group of South Korean lawmakers it believes that North Korea or North Korean sympathizers "were behind" the attacks, according to an aide to one of lawmakers who was briefed on the information.
An aide to another lawmaker who was briefed also said the NIS suspects North Korea or its followers were responsible.
The aides spoke to The AP on condition of anonymity and refused to allow the names of the lawmakers they work for to be published, citing the classified nature of the information.
Both aides told The AP that the information was delivered in writing to lawmakers who serve on the National Assembly's intelligence committee. The National Intelligence Service — South Korea's main spy agency — declined to confirm the information.
South Korea's Yonhap news agency said military intelligence officers were looking at the possibility that the attack may have been committed by North Korean hackers and pro-North Korea forces in South Korea. South Korea's Defense Ministry said it could not confirm the report.
Stewart said the attack software contained few clues about its origins, although a line of text deep in within the malware carried the cryptic message "get/china/dns."
Attack ‘thoroughly’ prepared
Earlier Wednesday, South Korea's NIS said in a statement that 12,000 computers in South Korea and 8,000 computers overseas had been infected and used for the cyber attack.
The agency said it believed the attack was "thoroughly" prepared and committed by hackers "at the level of a certain organization or state." It said it was cooperating with the American investigators to examine the case.
The outages were caused by so-called denial of service attacks in which floods of computers all try to connect to a single site at the same time, overwhelming the server that handles the traffic, the Korea Information Security Agency said.
In South Korea, 12 sites were initially attacked Tuesday, followed by attacks Wednesday on 10 others, including those of government offices, banks, vaccine firms and Web portals, agency official Shin Hwa-su said.
South Korean media reported in May that North Korea was running a cyber warfare unit that tries to hack into U.S. and South Korean military networks to gather confidential information and disrupt service.
An initial investigation in South Korea found that many personal computers were infected with a virus program ordering them to visit major official Web sites in South Korea and the United States at the same time, Korean information agency official Shin Hwa-su said. There has been no immediate reports of similar cyber attack in other Asian countries.
Yonhap said that prosecutors have found some of the cyber attacks on the South Korean sites were accessed from overseas. Yonhap, citing an unnamed prosecution official, said the cyber attack used a method common to Chinese hackers.
Prosecutors were not immediately available for comment.
Shin, the Information Security Agency official, said the initial probe had not yet uncovered evidence about where the cyber outages originated. Police also said they had not discovered where the outages originated. Police officer Jeong Seok-hwa said that could take several days.
Some of the South Korean sites remained unstable or inaccessible Wednesday. The site of the presidential Blue House could be accessed, but those for the Defense Ministry, the ruling Grand National Party and the National Assembly could not.
Ahn said there were no immediate reports of financial damage or leaking of confidential national information. The alleged attacks appeared aimed only at paralyzing Web sites, she said.
South Korea's Defense Ministry and Blue House said that there has been no leak of any documents.
So could the North have carried out such an attack — or hired others to do it?
“That is very possible because those attacks are not very complicated,” said Andre Rickardsson, an information technology security expert at Sweden’s Bitsec Consulting. “North Korea is a country that sends up rockets and builds nuclear weapons, so why not build a virus? It’s not difficult.”
Paul Cornish, director of the International Security Program at the Chatham House think tank in London, agreed. “You don’t need to amass great armies, it can all be done covertly and cheaply,” by hiring outside expertise, he said.
Difficult to document
Documenting cyber attacks against government sites is difficult, and depends heavily on how agencies characterize an incident and how successful or damaging it is.
Government officials routinely say their computers are probed millions of times a day, with many of those being scans that don't trigger any problems. In a June report, the congressional Government Accountability Office said federal agencies reported more than 16,000 threats or incidents last year, roughly three times the amount in 2007. Most of those involved unauthorized access to the system, violations of computer use policies or investigations into potentially harmful incidents.
The Homeland Security Department, meanwhile, says there were 5,499 known breaches of U.S. government computers in 2008, up from 3,928 the previous year, and just 2,172 in 2006.
Peter Sommer, an expert on cyber-terrorism at the London School of Economics, cautioned against coming to quick conclusions as to who may have been behind the attacks, as any instigator would disguise where the attacks were coming from.
“Initial diagnoses are often wrong,” he said.
More on