By Ellen Nakashima, Brian Krebs and Blaine Harden
Washington Post Staff Writers
Thursday, July 9, 2009
U.S. and South Korean authorities yesterday were investigating the source of attacks on at least 35 government and commercial Web sites in the two countries, officials said.
In the United States, the attacks primarily targeted Internet sites operated by major government agencies, including the departments of Homeland Security and Defense, the Federal Aviation Administration and the Federal Trade Commission, according to several computer security researchers. But The Washington Post's site was also affected.
South Korea's main spy agency, the National Intelligence Service, said in a statement that it thought the attacks were carried out "at the level of a certain organization or state" but did not elaborate. The South Korean news agency Yonhap and the JoongAng Daily, a major newspaper in Seoul, reported that intelligence officials had told South Korean lawmakers that North Korea or its sympathizers were prime suspects. A spokesman for the intelligence service said that it could not confirm the report.
The attacks were described as a "distributed denial of service," a relatively unsophisticated form of hacking in which personal computers are commanded to overwhelm certain Web sites with a blizzard of data. The effort did not involve the theft of sensitive information or the disabling of crucial operational systems, government and security experts said. But they noted that it was widespread, resilient and aimed at government sites.
Earlier this year, a number of South Korean news organizations reported that North Korea was running a cyberwarfare unit targeting military networks in South Korea and the United States. And North Korea, along with other countries, is known to be looking into U.S. cybersecurity capabilities and vulnerabilities, said Daniel T. Kuehl, an expert on information warfare at National Defense University.
The specter of cyberwarfare has led the Pentagon to develop a new cybersecurity command and raised questions about the government's ability to defend against attacks that could undermine national and financial security.
Experts, however, cautioned against implicating North Korea too soon.
"In the dozens of instances that I worked over the past decade, I cannot recall a single instance in which someone intending to attack came from the source it appeared to have come from," said Dale W. Meyerrose, former chief information officer for the Office of the Director of National Intelligence. "Most attackers in cyberspace try to mask who they really are."
Officials declined to confirm the agencies affected, but according to security researchers and a Korean-language computer security Web site, the White House site was among at least 35 hit. White House spokesman Nick Shapiro said Wednesday that denial-of-service attacks on federal networks are a daily occurrence and that the WhiteHouse.gov site was "stable" and available to the general public, "although visitors from regions in Asia may have been affected."
Over the weekend, tens of thousands of computers around the globe were infected with rogue software -- a bug called MyDoom -- that told them to repeatedly attempt to access the targeted sites, a tactic aimed at driving up traffic beyond the sites' normal capacity and denying access to legitimate users, according to the researchers, many of whom spoke on the condition of anonymity because they are helping with the investigation.
The Department of Homeland Security's U.S. Computer Emergency Response Team received the first reports of the attacks on July 4 and assessed the threat through the weekend, said Philip Reitinger, deputy undersecretary of the department's National Protection and Programs Directorate. "We talked to our partners, analyzed the scope and nature of attack, developed a series of recommended actions," and provided the analysis and recommendations to other agencies, contractors and private-sector firms that might be affected, he said.
By Tuesday evening, officials said, all federal sites were up and running.
The DHS shared copies of the computer bug with private-sector partners that could help analyze it and devise mitigation measures, security consultants said.
"DHS helped improve the efficiency of the response," said Amit Yoran, chief executive of NetWitness, a Herndon security firm.
Tamping down the attacks, however, took several days because the technology that would be most effective at scouring the Web traffic for the code was not widely deployed by Internet providers and telecommunications companies, said Peder Jungck, founder and chief technology officer of Cloudshield, a California cybersecurity firm.
"They had to go searching, needle-in-a-haystack style, to track all the specific computer locations" that were flooding Web sites with requests, "and then creating big lists of what machines to block," he said.
Several security consultants said it was too early to say exactly how many computers may have been taken over to help perpetrate the attack. Jose Nazario, security research manager of Arbor Networks, estimated the number to be in the "low tens of thousands," although other experts have put the total at closer to 60,000.
At least one expert described the software as "amateurish" and full of programming errors.
But Barry Greene, a security expert at Juniper Networks, which makes the hardware that many Internet service providers use to route traffic, said what set this attack apart from others was the sheer number of government sites on the hit list and that the attackers kept changing their targets and techniques.
"Each time a target would do some mitigation, the attackers would switch things around a little bit," he said. "That suggested that this wasn't some brainless attack: Someone was watching the effects that this had. Someone was keeping their fingers on the button."
In addition to government sites, several commercial Web sites were attacked, including those operated by Nasdaq and the New York Stock Exchange.
In South Korea, no classified information was compromised during the attacks in the past two days, the country's intelligence agency said, adding that it would present an analysis of the attacks to parliament on Thursday.
Targeted government sites included those of the Foreign Ministry, the ruling party, parliament and the U.S.-South Korean military command. Also targeted were two large South Korean banks, a newspaper and the country's largest Internet portal. Most sites had returned to normal by Wednesday afternoon.
North Korea in recent months has provoked its neighbors by launching a long-range missile, detonating its second nuclear device and repeatedly threatening war. On the Fourth of July, it launched seven missiles into the Sea of Japan.
Determining who was behind the attack requires deep forensic and analytical work. So, said Yoran, "the North Korean angle should be highly suspect until we have more evidence, which is probably going to take weeks to play out."
Harden reported from Tokyo.