South Korean web attacks might have been war drill
BOSTON (Reuters) - Attacks that crippled South Korean government websites in July 2009 and again in March 2011 might have been cyber war drills conducted on behalf of North Korea, according to security software maker McAfee Inc.
That would make the South Korean attacks more menacing than recent attacks by hacker activists, or "hacktivists," such as the groups Anonymous and Lulz Security. Those groups have temporarily shut down high-profile websites, including those of MasterCard, the CIA and NATO.
Hacktivists attack as a form of electronic protest, but the attacks on South Korea were likely Internet reconnaissance missions to test the impact that cyber weapons could have in wartime, said Dmitri Alperovitch, vice president of threat research for McAfee Labs.
"This stuff is much more insidious and much more dangerous to national security than what Anonymous is doing," he said.
McAfee made the claim in a technical analysis of the malicious software that hackers used to launch the March 2011 denial-of-service attacks against South Korean websites. Denial-of-service attacks shut down websites by overwhelming them with traffic.
The document, which was released on Tuesday, said the attackers likely built the army of computers that launched the attacks by infecting healthy PCs with malicious software at a popular South Korean file-sharing site.
Once the PCs were infected, they became part of a "botnet," or army of enslaved computers, that the hackers managed remotely from "command and control centers."
That botnet was used on March 4 to attack some 40 websites in South Korea, according to McAfee.
"It was a very rapid operation -- very constrained with specific goals," Alperovitch said. "The intent was to see what level of damage you can do in a very rapid time period."
The hackers responsible for the attacks tried to make it difficult for researchers to figure out what they were doing.
They encrypted their software, or scrambled it to make it difficult to study, and also programmed it to destroy itself and its host PC 10 days after the March 4 attack began.
It is very rare for botnet herders to instruct infected computer systems to attack themselves. They typically try to keep enslaved computers running as long as possible so they can use their botnet to perform many tasks.
The hackers likely worked so hard to hide their tracks because they wanted to make it difficult for authorities to ascertain the real purpose of the attacks, Alperovitch said.
They were cyber war drills designed to determine how difficult it would be to take down key government websites in the event of war, he added.
McAfee is a subsidiary of chipmaker Intel Corp.
(Reporting by Jim Finkle; editing by Andre Grenon)