July 2009 cyber attacks
The July 2009 cyber attacks were a series of coordinated cyber attacks against major government, news media, and financial websites in South Korea and the United States. The attacks involved the activation of a botnet—a large number of hijacked computers—that maliciously accessed targeted websites with the intention of causing their servers to overload due to the influx of traffic, known as a DDoS attack. Most of the hijacked computers were located in South Korea. The estimated number of the hijacked computers varies widely: around 20,000 according to the South Korean National Intelligence Service, around 50,000 according to Symantec's Security Technology Response group, and more than 166,000 according to a Vietnamese computer security researcher who analyzed the log files of the two servers the attackers controlled.

The timing and targeting of the attacks have led to suggestions that they may be originating from the Democratic People's Republic of Korea, also known as North Korea, although these suggestions have not been substantiated.

First wave

The first wave of attacks occurred on July 4, 2009 (the Independence Day holiday in the United States), targeting both the United States and South Korea. Among the websites affected were those of the White House and The Pentagon. An investigation of files stored on compromised systems revealed that 27 websites were targets in the attack.

Second wave

The second wave of attacks occurred on July 7, 2009, affecting South Korea. Among the websites targeted were the presidential Blue House, the Ministry of Defense, the Ministry of Public Administration and Security, the National Intelligence Service and the National Assembly.

Third wave

A third wave of attacks began on July 9, 2009, targeting several websites in South Korea, including the country's National Intelligence Service as well as one of its largest banks and a major news agency. The U.S. State Department said on July 9 that its website also came under attack. State Department spokesman Ian Kelly said: "I'm just going to speak about our website, the state.gov website. There's not a high volume of attacks. But we're still concerned about it. They are continuing." U.S. Department of Homeland Security spokesperson Amy Kudwa said that the department was aware of the attacks and that it had issued a notice to U.S. federal departments and agencies to take steps to mitigate attacks.

Effects

Although the attacks have targeted major public and private sector websites, the South Korean Presidential office has suggested that they are aimed at causing disruption rather than stealing data. However, Jose Nazario, manager of a U.S. network security firm, claimed that the attack is estimated to have produced only 23 megabits of data per second, not enough to cause major disruptions. Joe Stewart, researcher at SecureWorks' Counter Threat Unit, said that the data generated by the attacking program appeared to be based on a Korean-language browser.

It is expected that the economic costs associated with websites being down will be large, as the disruption has prevented people from carrying out transactions, purchasing items or conducting business.

Perpetrators

It is not known who is behind the attacks. Reports indicate that the type of attacks being used, commonly known as distributed denial-of-service attacks, were unsophisticated. Given the prolonged nature of the attacks, they are being recognized as a more coordinated and organized series of attacks. According to the South Korean National Intelligence Service, the source of the attacks was tracked down and the government activated an emergency cyber-terror response team, which blocked access to five host sites containing the malicious code and 86 websites that downloaded the code, located in 16 countries, including the United States, Guatemala, Japan and the People's Republic of China, but North Korea was not among them. It was later discovered that the malicious code responsible for causing the attack, identified as W32.Dozer, is programmed to destroy data on infected computers and to prevent the computers from being rebooted. South Korean police are analyzing a sample of the thousands of computers used to crash websites, stating that there is "various evidence" of North Korean involvement, but said they may not find the culprit. Security experts said that the attack re-used code from the Mydoom worm. One analyst thinks that the attacks likely came from the United Kingdom.

On October 30, 2009, South Korea's spy agency, the National Intelligence Service, stated that the attacks originated from North Korea's telecommunications ministry.

See also

  • 2007 cyberattacks on Estonia
  • Cyberterrorism
  • Cyber Storm Exercise
  • Moonlight Maze
  • Titan Rain
  • List of computer viruses
  • Denial-of-service attack

The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.
 