March DDoS attack was N.Korean cyber war drill: US expert

Posted July 09, 2011 09:15
“North Korea’s cyber attack was not a surgical strike but an omnidirectional bombardment with sledgehammers.”

This is what Dmitri Alperovitch, vice president of threat research for the American computer security company McAfee, said in a phone interview with The Dong-A Ilbo Thursday on the North’s distributed denial-of-service (DDoS) attacks on South Korea’s major websites in March.

He said the attack was to test the South Korean government’s ability to react, adding, “The North conducted a cyber war drill to find out how difficult it is to incapacitate the security networks of South Korea’s major government organizations in case of war.”

“The March DDoS attacks were very peculiar,” Alperovitch said, adding, “North Korea is the sole country that can launch such attacks.”

Alperovitch has led the publication of “Ten Days of Rain,” an expert analysis of DDoS attacks targeting South Korea released Tuesday.

At the request of Seoul, McAfee, the California-based IT security service arm of Intel, studied attacks against South Korean websites launched in July 2007 and March this year.

The following are excerpts from the interview with Alperovitch.

Dong-A: What do you mean by “peculiar”?

Alperovitch: Generally, a DDoS attack is a relatively easy form of cyber attack aimed at slowing or stopping the flow of information on a certain website by planting malicious codes. The software used in the latest attack was designed in a very sophisticated manner, however. It’s like a Lamborghini sports car at a competition for strollers.

Dong-A: Why do you think North Korea was behind the attack?

Alperovitch: Such sophisticated technology was used just to disrupt computer networks. This means the attacks had other purposes, that is to say a political purpose. The only entity that can carry out such attacks with a political purpose is North Korea. The North’s goal was to see how swiftly South Korea can detect problems with its security networks and establish a defense system.

Dong-A: How sophisticated was the latest DDoS attack?

Alperovitch: They used multiple encryption algorithms to prevent the attacks from being thwarted. This is not normal in DDoS attacks. In addition, malicious codes were continuously updated in servers in the U.S., Taiwan and Saudi Arabia to prevent destruction of malicious codes.

Dong-A: How do the attacks in July last year compare with those in March?

Alperovitch: Analyses of the malicious code employed in the two attacks found many similarities. I am sure that both attacks originated from the same adversary.

Dong-A: Unlike the attacks in 2009, American websites were spared from this year’s attacks.

Alperovitch: North Korea apparently calculated that the disruption of American security networks was of little use.

Dong-A: What caused you to join the investigation into DDoS attacks against South Korea?

Alperovitch: A host of U.S. websites such as those of the White House and the State Department were affected by the 2009 attacks. At the time, we studied the incident in cooperation with the (South) Korean network security company AhnLab at the request of the (South) Korean government. Ten to 12 researchers of our company worked on the investigation for 4-5 weeks.

Dong-A: What does the report’s title “Ten Days of Rain” mean?

Alperovitch: This means that a flood of malicious code was detected for the 10 days from March 4, but it disappeared afterwards without a trace. The title is also meant to urge South Korea to make preparations, as the ten-day attacks can be a prelude to much bigger attacks by North Korea.