U.S., South Korea Targeted in Swarm of Internet Attacks

Employees monitor traffic at the Korea Internet Security Center in Seoul. Some think the North carried out the attacks. (Ahn Young-Joon/AP)

The DHS shared copies of the computer bug with private-sector partners that could help analyze it and devise mitigation measures, security consultants said.

"DHS helped improve the efficiency of the response," said Amit Yoran, chief executive of NetWitness, a Herndon security firm.

Tamping down the attacks, however, took several days because the technology that would be most effective at scouring the Web traffic for the code was not widely deployed by Internet providers and telecommunications companies, said Peder Jungck, founder and chief technology officer of Cloudshield, a California cybersecurity firm.

"They had to go searching, needle-in-a-haystack style, to track all the specific computer locations" that were flooding Web sites with requests, "and then creating big lists of what machines to block," he said.

Several security consultants said it was too early to say exactly how many computers may have been taken over to help perpetrate the attack. Jose Nazario, security research manager of Arbor Networks, estimated the number to be in the "low tens of thousands," although other experts have put the total at closer to 60,000.

At least one expert described the software as "amateurish" and full of programming errors.

But Barry Greene, a security expert at Juniper Networks, which makes the hardware that many Internet service providers use to route traffic, said what set this attack apart from others was the sheer number of government sites on the hit list and that the attackers kept changing their targets and techniques.

"Each time a target would do some mitigation, the attackers would switch things around a little bit," he said. "That suggested that this wasn't some brainless attack: Someone was watching the effects that this had. Someone was keeping their fingers on the button."

In addition to government sites, several commercial Web sites were attacked, including those operated by Nasdaq and the New York Stock Exchange.

In South Korea, no classified information was compromised during the attacks in the past two days, the country's intelligence agency said, adding that it would present an analysis of the attacks to parliament on Thursday.

Targeted government sites included those of the Foreign Ministry, the ruling party, parliament and the U.S.-South Korean military command. Also targeted were two large South Korean banks, a newspaper and the country's largest Internet portal. Most sites had returned to normal by Wednesday afternoon.

North Korea in recent months has provoked its neighbors by launching a long-range missile, detonating its second nuclear device and repeatedly threatening war. On the Fourth of July, it launched seven missiles into the Sea of Japan.

Determining who was behind the attack requires deep forensic and analytical work. So, said Yoran, "the North Korean angle should be highly suspect until we have more evidence, which is probably going to take weeks to play out."

Harden reported from Tokyo.