2009 DDoS attacks against South Korea

The July 2009 cyberattacks were a series of coordinated cyberattacks against major government, news media, and financial websites in South Korea and the United States. The attacks involved the activation of a botnet—a large number of hijacked computers—that maliciously accessed targeted websites with the intention of causing their servers to overload due to the influx of traffic, known as a DDoS attack. Most of the hijacked computers were located in South Korea. The estimated number of the hijacked computers varies widely; around 20,000 according to the South Korean National Intelligence Service, around 50,000 according to Symantec's Security Technology Response group, and more than 166,000 according to a Vietnamese computer security researcher who analyzed the log files of the two servers the attackers controlled. An investigation revealed that at least 39 websites were targets in the attacks based on files stored on compromised systems.

The targeting and timing of the attacks—which started the same day as a North Korean short-range ballistic missile test—have led to suggestions that they may have originated from North Korea, although these suggestions have not been substantiated. Researchers would later find links between these cyberattacks, the DarkSeoul attacks in 2013, and other attacks attributed to the Lazarus Group. This attack is considered by some to be the beginning of a series of DDoS attacks carried out by Lazarus dubbed "Operation Troy."

The first wave of attacks occurred on July 4, 2009 (Independence Day holiday in the United States), targeting both the United States and South Korea. Among the websites affected were those of the White House, The Pentagon, the New York Stock Exchange, the Washington Post, the NASDAQ, and Amazon.

The second wave of attacks occurred on July 7, 2009, affecting South Korea. Among the websites targeted were the presidential Blue House, the Ministry of Defense, the Ministry of Public Administration and Security, the National Intelligence Service and the National Assembly. Security researcher Chris Kubecka presented evidence that multiple European Union and United Kingdom companies had unwittingly helped attack South Korea because of W32.Dozer infections, the malware used in part of the attack. Some of the companies used in the attack were partially owned by several governments, further complicating attribution.

A third wave of attacks began on July 9, 2009, targeting several websites in South Korea, including the country's National Intelligence Service as well as one of its largest banks and a major news agency. The U.S. State Department said on July 9 that its website also came under attack. State Department spokesman Ian Kelly said: "I'm just going to speak about our website, the state government website. There's not a high volume of attacks. But we're still concerned about it. They are continuing." U.S. Department of Homeland Security spokesperson Amy Kudwa said that the department was aware of the attacks and that it had issued a notice to U.S. federal departments and agencies to take steps to mitigate attacks.

Although the attacks targeted major public and private sector websites, the South Korean Presidential office suggested that they were conducted with the purpose of causing disruption rather than stealing data. However, Jose Nazario, manager of a U.S. network security firm, said the attack was estimated to have produced only 23 megabits of data per second, not enough to cause major disruptions. Even so, websites reported service disruptions for days following the attack.
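The article describes the attack mechanism (many hijacked hosts requesting the same sites until the servers overload) and quotes an aggregate traffic estimate in megabits per second. The following is an added example, not code from the article or from any investigation it cites: it parses constructed combined-format web access log lines, buckets them per second, and flags seconds in which both the request count and the number of distinct client addresses exceed a threshold, which is the signature that separates a distributed flood from one misbehaving client. The thresholds, IP ranges and log lines are all constructed for illustration.

```python
"""Added example: spot a distributed HTTP flood in access logs by counting
requests, distinct sources and bytes per one-second bucket. All log data
below is constructed; nothing here comes from the 2009 incident itself."""
import re
from collections import defaultdict

# Combined log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one access log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    size = m.group("size")
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "request": m.group("req"),
        "status": int(m.group("status")),
        "bytes": 0 if size == "-" else int(size),  # "-" means no body sent
    }


def summarize_per_second(lines):
    """Aggregate request count, distinct client IPs and bytes per timestamp
    (the log timestamp already has one-second resolution)."""
    buckets = defaultdict(lambda: {"requests": 0, "sources": set(), "bytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate malformed lines instead of aborting the scan
        b = buckets[rec["ts"]]
        b["requests"] += 1
        b["sources"].add(rec["ip"])
        b["bytes"] += rec["bytes"]
    return buckets


def find_flood_windows(lines, min_requests=100, min_sources=50):
    """Return (timestamp, requests, distinct sources, Mbit/s) for every second
    that exceeds both thresholds. Requiring many distinct sources is what
    distinguishes a botnet-driven flood from a single noisy client.
    Buckets are sorted by their timestamp string, which orders correctly
    within a single day; a real tool would parse the timestamp."""
    hits = []
    for ts, b in sorted(summarize_per_second(lines).items()):
        mbps = b["bytes"] * 8 / 1_000_000  # bytes per second -> megabits per second
        if b["requests"] >= min_requests and len(b["sources"]) >= min_sources:
            hits.append((ts, b["requests"], len(b["sources"]), mbps))
    return hits


def constructed_log():
    """Constructed sample (hypothetical traffic, documentation IP ranges):
    one quiet second with three clients, then one second in which 200
    distinct hosts each fetch the front page."""
    quiet = [
        f'192.0.2.{i} - - [07/Jul/2009:18:00:00 +0900] "GET / HTTP/1.1" 200 5120'
        for i in range(1, 4)
    ]
    flood = [
        f'203.0.113.{i} - - [07/Jul/2009:18:00:01 +0900] "GET / HTTP/1.1" 200 5120'
        for i in range(1, 201)
    ]
    return quiet + flood


if __name__ == "__main__":
    for ts, reqs, srcs, mbps in find_flood_windows(constructed_log()):
        print(f"{ts}: {reqs} requests from {srcs} sources, {mbps:.3f} Mbit/s")
```

The Mbit/s figure per bucket is the same kind of aggregate measure quoted in the article; on its own it says little about impact, since a modest bitrate of many small requests can still exhaust application servers, which is why the check keys on request count and source diversity rather than on bandwidth alone.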

Later, it was discovered that the malicious code responsible for the attack, Trojan.Dozer and its accompanying dropper W32.Dozer, was programmed to destroy data on infected computers and prevent them from being rebooted. It is unclear whether this mechanism was ever activated. Security experts said that the attack re-used code from the Mydoom worm to spread infections between computers. Experts added that the malware used in the attack "used no sophisticated techniques to evade detection by anti-virus software and doesn't appear to have been written by someone experienced in coding malware."

It was expected that the economic costs associated with websites being down would be large, as the disruption had prevented people from carrying out transactions, purchasing items or conducting business.
