South Koreans test the First Law of Cyberwarfare

So is there another cyberwar in the making? Today, a flurry of news reports say – almost in unison – that the web-sites of various arms of the US government have been under denial-of-service attacks since July 4th, while a host of South Korean web-sites – many of them belonging to the government, but also a few of those belonging to banks – have been hit as well (if you are still reading that far into the article, you probably are not very concerned about your online safety – I would immediately turn down your computer if I were you! Panic is the first thing you should do!)

Instead of telling you what we know, let me highlight what we DO NOT KNOW:

1. We do not know that cyber-attacks have actually happened. That’s right, US officials have refused to discuss the story – all we know is that a DHS spokeswoman issued a warning to federal agencies, advising them how to deal with attacks. Well, it would still be reassuring to have someone from the US government actually acknowledge the problem…I am thinking aloud here but what if the attacks were just friendly fire or a test, meant to test the US preparedness to deal with cyber-attacks on July4th (when they started)? You never know unless someone speaks on the record…The fact that a web-site is not available – one of the fundamental claims made by the AP article on the subject, for example – does not mean that it’s automatically under a DDOS attack. There are many other reasons why it may not be available, some of them very trivial.  

2. We do not know whether the current cyber-attacks are different from those that plague the work of the US networks/web-sites every day. Or their only difference is that they have happened on July 4th? Even the DHS spokeswoman acknowledged that "the US sees attacks on its networks every day, and measures have been put in place to minimize the impact on federal Web sites".

3. We do not know if there are ANY connections between the attacks on targets in South Korea and those on the United States. If so, it hasn’t been established by ANYONE. I don’t have much data at hand, but I think that on any given day, we can pick any government at random and be sure that at least one of their web-site is under some sort of DDOS attack on that day. This doesn’t mean that there is a vast conspiracy against governments; it only means that DDOS attacks are extremely common and there is a good chance that more than one government web-site could be hit in a day. UPDATE: Just got off the phone with Jose Nazario of Arbor Networks; he told me that the attacks seem to originate from the same botnet, which doesn’t appear very sophisticated (for the geeks out there: Nazario told me that the attacks peaked at 23 megs per second/ 55,000 packets and involved http flood against port 80, none of which is particularly threatening)

4. We do not know if this is at all related to the North Korean missile test last week-end. We probably do not even know if this is anyhow connected to North Korea (even less so to its government). So far the only claim pointing to North Korea are South Korean spies – not exactly a very unbiased group – and South Korean parliamentarians, who, if I may, do not appear as very credible sources on the origin of cyber-attacks. South Koreans have been trying to push their "OMG, North Koreans are attacking us" (that’s the same North Korea where mere mortals are usually denied access to computers and the Internet, in case you were wondering) several times this year – actually, almost every month some non-news item surfaced that helped to push this narrative. By effectively linking their own attacks to attacks on the US government web-sites, I think they have finally succeeded in heeding the world’s attention to the "cyber" capabilities of the North Koreans (according to the South Korean intelligence, the hotbed of the North Korean cyberwarfare rests in the secretive Mirim college, where elite hackers are trained; the problem is that one doesn’t really need any elite hackers to launch DDOS attacks…). UPDATE: As per my conversation with Nazario, there seems to be no link/trace to North Korea in Arbor’s data either.

So let me venture to propose the First Law of Cyberwarfare: when in doubt, blame the attacks on the most convenient geopolitical enemy, no proof required. It usually helps if the enemy is perceived to be an evil totalitarian state – or, at least, harboring some imperialistic or extremist plans. Look around and this explains all the geopolitical cyber-squabbling of the last two years: Russia-Estonia, Russia-Georgia, US-China, Israel-Gaza, and now South Korea-North Korea. Most interestingly, it is an accusation that, for various, reasons is impossible to deny; I mean, if the technology-backward North Korea is deemed capable (at least, by the media) of launching a sophisticated cyber-attack on South Korea, every country can now be suspected of harboring dangerous cyber-ambitions.

What’s even more interesting is that if the botnet didn’t include two batches of targets – i.e. American and South Korean web-sites – chances are we wouldn’t be even talking about it. Both countries get attacked on a a regular basis; but the fact that now there are two of them involved – and this follows a missile launch by the North Korea – makes it look like a new type of cyberwar that North Koreans might be fighting. I think there is something fishy about very visible efforts to blame everything on the North Koreans – particularly, given that the South Korean spies have been trying to do that for several months now… 

P.S. here is what seems to be like the full list of targets of this attack posted on a South Korean web-site with some other details about the botnet:

South Korea

– banking.nonghyup.com
– blog.naver.com
– ebank.keb.co.kr
– ezbank.shinhan.com
– mail.naver.com
– www.assembly.go.kr
– www.auction.co.kr
– www.chosun.com
– www.hannara.or.kr
– www.mnd.go.kr
– www.mofat.go.kr
– www.president.go.kr
– www.usfk.mil

USA:

– finance.yahoo.com
– travel.state.gov
– www.amazon.com
– www.dhs.gov
– www.dot.gov
– www.faa.gov
– www.ftc.gov
– www.nasdaq.com
– www.nsa.gov
– www.nyse.com
– www.state.gov
– www.usbank.com
– www.usps.gov
– www.ustreas.gov
– www.voa.gov
– www.voanews.com
– www.whitehouse.gov
– www.yahoo.com
– www.washingtonpost.com
– www.usauctionslive.com
– www.defenselink.mil
– www.marketwatch.com
– www.site-by-site.com