The advent of a netcentric world has changed the threat environment dramatically and, as a result, governments and private corporations need to reassess how they collect and analyze intelligence on the emerging threats that will impact them.
The recent and as yet unsourced attacks against US and South Korean government websites that began over the Independence Day weekend in July 2009 are an interesting case in point.
Another is the August 2009 DDoS attacks that were launched against one Georgian blogger and that knocked Twitter offline and substantially degraded access to Facebook and LiveJournal.
Project Grey Goose (PGG) investigators looked at both incidents, along with established Internet security companies, US-CERT, and the usual collection of government agencies charged with such tasks. This chapter focuses on how PGG research was done and the conclusions that were reached. It also presents the findings of other agencies and proposes some ideas about how and why radically different findings can emerge from the same set of facts.
Finally, this chapter suggests a new approach to conducting cyber intelligence that takes into account the unique problem set associated with cyberspace in general and cyber attacks in particular.
The Korean DDoS Attacks (July 2009).
The first set of information that came into the hands of Project Grey Goose investigators was the technical characteristics of the attacks. This information is typically shared between Internet security firms and is fairly objective and noncontroversial.
The best technical analysis came from the Vietnamese security firm BKIS. Figure 5-1 shows a breakdown of what was known about the attacks after BKIS gained control of two of the command and control (C&C) servers.
Figure 5-1. BKIS diagram of the MyDoom attack program
Thanks to information shared between KR CERT and AP CERT (of which BKIS is a member), BKIS researchers were able to gain access to two of the C&C servers and determined that the botnet was controlled by a total of eight C&C servers. The zombie PCs in this botnet were instructed to log onto a different, randomly chosen server every three minutes.
More importantly, the researchers discovered the existence of yet another server, located in the UK, which acted as a master server by controlling the eight C&C servers. This prompted BKIS to name the UK as the source of the attacks.
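The check-in behaviour described above (each bot contacting a different, randomly chosen C&C server on a fixed three-minute cycle) is exactly the kind of regularity a defender can hunt for in flow or proxy logs. The following detector is an added example, not code from the book or from BKIS; it runs over constructed flow records, and every host address and timestamp in it is made up.

```python
"""Flag hosts that beacon at a near-fixed interval to a rotating set of servers.

Added example (not from the book). The pattern it looks for is the one
described for the July 2009 botnet: a check-in roughly every 180 seconds,
each time to a different member of a small C&C pool.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records: "timestamp source destination" (all addresses made up).
# 10.0.0.5 checks in every ~3 minutes to five different servers (beacon-like);
# 10.0.0.9 talks to a few servers at irregular times (ordinary traffic).
SAMPLE_LOG = """\
2009-07-05T10:00:00 10.0.0.5 203.0.113.11
2009-07-05T10:03:01 10.0.0.5 203.0.113.14
2009-07-05T10:05:59 10.0.0.5 203.0.113.12
2009-07-05T10:09:00 10.0.0.5 203.0.113.17
2009-07-05T10:12:02 10.0.0.5 203.0.113.13
2009-07-05T10:00:10 10.0.0.9 198.51.100.7
2009-07-05T10:00:45 10.0.0.9 198.51.100.7
2009-07-05T10:07:30 10.0.0.9 198.51.100.8
2009-07-05T10:21:00 10.0.0.9 198.51.100.9
"""


def parse_log(text):
    """Group (timestamp, destination) pairs by source host."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        flows[src].append((datetime.fromisoformat(ts), dst))
    return flows


def find_beacons(text, period_s=180.0, tolerance_s=15.0, min_events=4):
    """Return {source: sorted destinations} for hosts whose gaps between
    consecutive connections cluster tightly around period_s seconds."""
    hits = {}
    for src, events in parse_log(text).items():
        events.sort()
        if len(events) < min_events:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        # Both the average gap and its spread must stay inside the tolerance:
        # a human-driven host drifts, a timer-driven bot does not.
        if abs(mean(gaps) - period_s) <= tolerance_s and pstdev(gaps) <= tolerance_s:
            hits[src] = sorted({dst for _, dst in events})
    return hits
```

The destination list attached to each flagged host is what you would pivot on next: a beaconing host that spreads its check-ins across several servers is a sign of a C&C pool rather than a single server, and the whole pool, not just one address, is what needs blocking.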
If the South Korean government (ROK) had wished to retaliate against the botnet authors, and failing that, against the government of the country from which the attack originated, it would have found itself in a very awkward position indeed. Members of the Republic of Korea government, as well as their National Intelligence Service and particularly the ROK press, all levied blame at the North Koreans (DPRK). Not only did the attack not come from the North, it came from an allied nation. But the situation quickly became even more complicated.
The master server was owned by a legitimate British company, Global Digital Broadcast. When it was contacted by its Internet provider, CRI, as well as the UK's Serious Organized Crime Agency, it investigated further and discovered that the master server was not in the UK after all. It was in Miami, Florida, on a server that belonged to Global Digital's partner, Digital Latin America (DLA).
The DLA Miami office connects with Global Digital's Brighton office by way of a virtual private network (VPN), which made it appear as though the master server was in Britain instead of in the United States. An official statement from DLA said that viruses were found on the Miami server, but details on what kind of viruses were not forthcoming.
So once again, as was seen in the case of the StopGeorgia.ru forum, a key component of a malicious attack was hosted not inside the borders of a known adversary but within the United States itself.
This phenomenon has not been adequately addressed or even considered in any of the legal arguments that I have read that make the case for a preemptive first strike or even a nuclear deterrent against the initiators of a cyber attack.
As you'll learn more about in Chapter 8, in 2008, 75% of the C&C servers controlling the world's largest botnets were hosted by a company in Northern California, which was formed by members of Russian organized crime. This is just one example of how cyberspace is radically changing the threat environment into one never before seen by senior military leadership in any nation.
BKIS concluded its report with an assessment of the size of the botnet, which was far larger than any other estimate issued since the attack began. Symantec estimated 50,000 bots, and the ROK government estimated 20,000. However, BKIS used its own formula and determined that this botnet consisted of 166,908 bots scattered across 74 different countries. The top 10 countries involved were, in order, the ROK, the United States, China, Japan, Canada, Australia, the Philippines, New Zealand, the United Kingdom, and Vietnam.
The Botnet Versus the Malware.
Whereas the botnet showed a relatively high degree of sophistication, the malware was amateurish in comparison: It was based on the code base of a very old virus, MyDoom.
It appeared to be a patchwork of scripts rather than any custom coding, so it was most likely done by someone who is not a coder.
There was no attempt made to avoid AV signatures.
There is some evidence that either it was written to target Korean-language systems or the author used a Korean-language email template.
There was a lot of discussion within the PGG network about possible culprits, but a consensus was never reached. One thing that most investigators agreed on, however, was that the person who created the botnet was not the same person who cobbled together the virus.
Another hypothesis was the possible involvement of organized crime, at least on the botnet side. That theory fell out of favor once it was revealed that the botnet contained a self-destruct feature, suggesting it might have been specifically set up to perform only this task or modified after it was acquired.
PGG investigators also explored the possibility that the botnet was acquired by a state from members of organized crime in exchange for favors. This would protect the state by maintaining plausible deniability and misdirection.
In this scenario, the state brings in its own technologists to make some modifications and deliver the payload, which was purposefully cobbled together from a five-year-old virus to propel the misdirection strategy even further.
How many states have the technical know-how and strategic connections with organized crime to pull this off? Probably all of the usual suspects. Possible motivations, however, are not clear.
In my opinion, the most likely scenario is a nonstate Korean hacker living in China or Japan who saw an opportunity to embarrass the United States and South Korea and took it.
I expanded the investigation from the purely technical aspects to include a geopolitical component, and that is how I reached the conclusion I did. That meant looking into the cyber warfare capabilities of the ROK's popular choice for a villain, the Democratic People's Republic of Korea (DPRK), also known as North Korea.
The DPRK's Capabilities in Cyberspace.
North Korea is an interesting dichotomy. It is a society on the edge of disintegrating due to intense poverty, almost no infrastructure, a weak power grid, and a lack of natural resources. Forget about Internet access anywhere but within the DPRK military.
That's because it spends almost all of its money on its military, particularly on training its highly educated young people in one of seven research labs, according to a paper authored by Christopher Brown while at the Naval Postgraduate School in September 2004, titled ”Developing a Reliable methodology for Assessing the Computer Network Operations Threat of North Korea.”
The top three labs in 2004, as described by Brown, were:
Pyongyang Informatics Center (PIC)
”Today PIC employs over 200 qualified software engineers, whose average age is 28, with 1.5 computers per person (according to Chan-Mo Park's article 'Current Status of Software Development in DPRK and Collaboration between the South and North,' August 2001). The PIC primarily focuses on software development and is responsible for the development of the General Korean Electronic Publication Systems, 3D CAD, embedded Linux software, web applications, interactive programs, accounting software, and more recently virtual reality software. It is reported that the PIC is also responsible for developing the filters to be used between the Kwang Myong Intranet and the Internet.”
Korea Computer Center (KCC)
”The KCC was established in 1990 by Kim Il Sung to promote computerization in the DPRK. At its inception, the KCC employed approximately 800 employees whose average age was 26. Today Kim Jong Il's son, Kim Jong Nam, who also heads North Korea's intelligence service, the State Security Agency (SSA), heads the KCC. He is also the chairman of North Korea's Computer Committee. In May 2001, the South Korean newspaper the Chosun Ilbo reported that Kim Jong Nam had moved the SSA's overseas intelligence gathering unit, which operates primarily by hacking and monitoring foreign communications, into the KCC building. In 2001, the South Korean media reported that the KCC was nothing less than the command center for Pyongyang's cyber warfare industry, masquerading as an innocuous, computer-geek-filled software research facility.”
Silver Star Laboratories (Unbyol)
”Silver Star Laboratories (SSL) was established in 1995 under the Korean Unbyol General Trading Corporation. According to Kang Yong Jun, the director of SSL, the average age of the researchers at SSL is 26 years, with most graduating from Kim Il Sung University and other distinguished universities across the country. Prospective employees are usually graduates of the Pyongyang Senior Middle School No.1, a genius-training center.
”SSL has developed such programs as Silver Mirror, a remote control program, communications, and artificial intelligence software. SSL also produces several language recognition programs and multimedia software, in addition to taking special orders from foreign companies (Korean Central News Agency, 'Silver Star Laboratories of Korea,' petitions, held in 1998 and 1999, respectively.”
In other words, North Korea doesn't have the infrastructure to sustain a civilian hacker population. All of its money and all of its talent (meaning young people who show the requisite abilities) are part of its military establishment.
The payload portion of this botnet wouldn't have passed muster at any of the official IT research facilities associated with the DPRK. These are well-educated individuals, some having attended the Indian Institute of Technology (one of the world's top technology schools), and the quality of their work is high.
A Korean hacker who wasn't part of the DPRK military wouldn't have the resources inside the DPRK to run this attack. More likely, either he is a DPRK-approved student at an Indian, Chinese, or Japanese university, or he is living in another country as an illegal.
Another alternative would be a Russian or Chinese hacker who simply wanted to set up a scenario that would embarrass the United States and throw suspicion onto a likely fall guy, the DPRK.
What were the consequences of this attack? It showed how vulnerable certain government websites still are, both in the United States and South Korea.
US sites that went down during the Independence Day weekend attack included the Department of Transportation, the Secret Service, and the Federal Trade Commission. The State Department website was attacked and experienced degraded service. The White House and Department of Defense sites were also attacked, but experienced no negative impact.