U.S. & South Korea Cyber Attacks Traced to the U.S., Britain
(WIRED) International finger-pointing in the recent cyber attacks against U.S. and South Korean websites has widened to include Great Britain, as researchers examining the attacks trace them to a server in the United Kingdom.
But the British company that owns the server says it, in turn, traced the attacks to a VPN connection originating in Miami, Florida.
With hawks in Congress and the press urging President Barack Obama to launch an all-out cyber war in retaliation for the website outages, things are looking bad for the Sunshine State. Though it should be noted that the Miami connection was likely just another proxy used by the hacker, who could be based in the U.S. or anywhere else.
Researchers at Bkis Security in Hanoi, who reported findings about the British server on their company’s blog, say that the denial-of-service attacks that struck more than three dozen government and commercial sites last week were launched from more than 166,000 computers in 74 countries controlled by a server in the UK. The IP range for the server is 195.90.118.xxx, which is registered to Global Digital Broadcast, which streams digital TV content from Latin America to consumers.
A company representative was unavailable for comment.
But in a July 14 press release, the company indicated that it had traced the attacks to a VPN connection from Miami controlled by Digital Latin America, a Buenos Aires-based company with a facility in Florida that provides technical services to providers of digital content.
According to the post, the Digital Latin America connection was set up as “an exploit finder,” presumably used by the botnet herder to rustle up vulnerable computers to use in the attack.
A spokeswoman for Digital Latin America confirmed that Global Digital Broadcast contacted the company Tuesday morning about the role its network may have played in the attacks. Amaya Ariztoy, general counsel for Digital Latin America, said that the server allegedly used for the attack provides streaming services to a third company that provides digital content, which in turn transferred the signal to Global Digital Broadcast in the UK.
“We’re investigating and cooperating with authorities,” Ariztoy said, while noting that the company had not yet been contacted by any authorities investigating the issue.
Bkis, which is a member of Vietnam’s Computer Emergency Response Team, was asked to investigate the attacks by South Korea’s Computer Emergency Response Team.
They found that zombie computers used in the cyber attacks were located around the world, primarily in South Korea, the United States, China and Japan, and were part of eight different botnets. U.S. researchers had previously estimated that systems used in the attack numbered around 60,000.
The Bkis researchers found that every three minutes the infected computers randomly contacted one of eight servers to receive instructions. After gaining control of two of the botnet command and control servers, the researchers examined their logs and discovered that they were in turn contacting the master server in the UK, which was running a Microsoft Windows operating system.
[Updated with response from Digital Latin America.]
(USA Today) Evidence has surfaced that the denial-of-service attacks that crippled dozens of U.S. and South Korean web sites last week may not have been perpetrated by North Korea, as widely surmised.
Bkis Security has just disclosed analysis showing that 166,908 botted PCs from 74 countries were used in the attacks. Commands were routed through eight control servers, tied into a master server located in the United Kingdom and running the Windows Server 2003 operating system, says Bkis research director Nguyen Minh Duc.
Hanoi-based Bkis analyzed samples of the attack code at the behest of APCERT, the Asia Pacific Computer Emergency Response Team. It found bots carrying out the attacks located in South Korea, the United States, China, Japan, Canada, Australia and 68 other nations. Each bot randomly connected every three minutes to one of the eight control servers to receive instructions on which website to attack next. The control servers, in turn, received commands routed through the master server.
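The check-in pattern both reports describe (each bot contacting one of eight control servers, chosen at random, every three minutes) is exactly the behaviour a defender can look for in proxy or NetFlow data. The script below is an added illustration, not code from Bkis, Symantec or either article: it runs over a constructed connection log (hosts and addresses are made up, using RFC 5737 test ranges) and flags source hosts whose outbound connections arrive at a near-constant interval. The key point it shows is that intervals must be measured per source across all destinations, because a bot that rotates among several servers has no clean period per destination.

```python
"""Periodic check-in (beacon) detection over a constructed connection log.

Added example, not code from Bkis or the articles above. Bots that contact
one of N control servers at random every ~3 minutes show near-constant
inter-connection intervals per source host, regardless of which server
each individual connection hit. All hosts, addresses and timings here are
constructed sample data.
"""
from collections import defaultdict
from statistics import mean, pstdev


def constructed_log():
    """Build a small outbound-connection log: (epoch seconds, src host, dst IP)."""
    cnc = ["203.0.113.10", "198.51.100.44", "192.0.2.77", "203.0.113.200"]
    log = []
    t = 1_000_000
    # 10.0.0.5 behaves like the bots described: ~180 s period with a few
    # seconds of jitter, and a different (random) server on each check-in.
    for i, jitter in enumerate([0, 2, -1, 3, 0, -2, 1, 0, 2, -3]):
        t += 180 + jitter
        log.append((t, "10.0.0.5", cnc[i % len(cnc)]))
    # 10.0.0.7 is ordinary, irregular browsing.
    log += [
        (1_000_050, "10.0.0.7", "198.51.100.7"),
        (1_000_061, "10.0.0.7", "198.51.100.9"),
        (1_000_400, "10.0.0.7", "198.51.100.7"),
        (1_001_300, "10.0.0.7", "198.51.100.20"),
    ]
    return sorted(log)


def interval_stats(timestamps):
    """Return (mean gap, coefficient of variation) for sorted timestamps, or None."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(log, min_checkins=6, max_cv=0.10):
    """Flag source hosts whose outbound connections are near-periodic.

    Gaps are computed across all destinations for a host: a bot that picks
    one of N servers at random each time has no clean period per destination,
    but a clean one per source.
    """
    by_src = defaultdict(list)
    for ts, src, dst in log:
        by_src[src].append((ts, dst))

    hits = {}
    for src, conns in by_src.items():
        if len(conns) < min_checkins:
            continue
        conns.sort()
        stats = interval_stats([ts for ts, _ in conns])
        if stats is None:
            continue
        period, cv = stats
        if cv <= max_cv:
            hits[src] = {
                "period_s": period,
                "cv": cv,
                "servers": sorted({dst for _, dst in conns}),
            }
    return hits


if __name__ == "__main__":
    for src, info in find_beacons(constructed_log()).items():
        print(f"{src}: ~{info['period_s']:.0f}s period, cv={info['cv']:.3f}, "
              f"servers={info['servers']}")
```

On real traffic the per-source aggregate is noisy, so in practice one first restricts to destinations contacted by few internal hosts (or to a suspect address list such as the eight control servers once known) and then applies the same interval test; bots with deliberately large jitter need a histogram or autocorrelation approach rather than a plain coefficient of variation.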
“Having located the attacking source in the UK, we believe it is completely possible to find the hacker,” says Minh Duc. “This depends on the US and South Korean governments.” He said Bkis has turned over its findings to authorities in both nations.
Just because the master server was located in the UK doesn’t mean the attackers were Brits. The human controller could be sitting at a keyboard anywhere in the world. However, Jayson E. Street, a cyber warfare consultant at security firm Netragard, says the attacks were more likely the work of a nation-state or perhaps mercenary hacker testing attack techniques, while purposely deflecting blame to North Korea.
A big cyberattack requires computer expertise. “North Korea doesn’t have the sophistication to conduct an attack like this,” says Street.
Another sign that the true attackers aren’t North Koreans, and really don’t want to be identified: some of the bots used in the attacks have begun to self-destruct. Symantec has identified several hundred attack bots that received a second set of instructions. These machines began to erase all work files associated with office, business and development applications, says Vincent Weafer, vice president of Symantec Security Response. The instructions also called for overwriting the master boot record (MBR) so as to render the PC unbootable the next time the user restarts it.
What all that means is that some of the botted PCs carrying out the denial of service attacks subsequently began to wipe out all application files — and ultimately self-destructed. “It’s kind of hard to do forensics on a machine that’s been wiped,” says Street.