July 2009 cyberattacks
The July 2009 cyberattacks were a series of coordinated cyberattacks against major government, news media, and financial websites in South Korea and the United States. The attacks involved the activation of a botnet—a large number of hijacked computers—that maliciously accessed targeted websites with the intention of causing their servers to overload due to the influx of traffic, known as a DDoS attack. Most of the hijacked computers were located in South Korea. The estimated number of the hijacked computers varies widely; around 20,000 according to the South Korean National Intelligence Service, around 50,000 according to Symantec's Security Technology Response group, and more than 166,000 according to a Vietnamese computer security researcher who analyzed the log files of the two servers the attackers controlled.
Timeline of attacks
The first wave of attacks occurred on July 4, 2009 (Independence Day holiday in the United States), targeting both the United States and South Korea. Among the websites affected were those of the White House and The Pentagon. An investigation revealed that 27 websites were targets in the attack based on files stored on compromised systems.
The second wave of attacks occurred on July 7, 2009, affecting South Korea. Among the websites targeted were the presidential Blue House, the Ministry of Defense, the Ministry of Public Administration and Security, the National Intelligence Service and the National Assembly. Security researcher Chris Kubecka presented evidence multiple European Union and United Kingdom companies unwittingly helped attack South Korea due to a W32.Dozer infections, malware used in part of the attack. Some of the companies used in the attack were partially owned by several governments, further complicating attribution.
A third wave of attacks began on July 9, 2009, targeting several websites in South Korea, including the country's National Intelligence Service as well as one of its largest banks and a major news agency. The U.S. State Department said on July 9 that its website also came under attack. State Department spokesman Ian Kelly said: "I'm just going to speak about our website, the state.gov website. There's not a high volume of attacks. But we're still concerned about it. They are continuing." U.S. Department of Homeland Security spokesperson Amy Kudwa said that the department was aware of the attacks and that it had issued a notice to U.S. federal departments and agencies to take steps to mitigate attacks.
Despite the fact that the attacks have targeted major public and private sector websites, the South Korean Presidential office has suggested that the attacks are targeted towards causing disruption, rather than stealing data. However, Jose Nazario, manager of a U.S. network security firm, claimed that the attack is estimated to have produced only 23 megabits of data per second, not enough to cause major disruptions. Joe Stewart, researcher at SecureWorks' Counter Threat Unit, said that the data generated by the attacking program appeared to be based on a Korean-language browser.
It was expected that the economic costs associated with websites being down would be large, as the disruption had prevented people from carrying out transactions, purchasing items or conducting business.
It is not known who is behind the attacks. Reports indicate that the type of attacks being used, commonly known as distributed denial-of-service attacks, were unsophisticated. Given the prolonged nature of the attacks, they are being recognized as a more coordinated and organized series of attacks. According to the South Korean National Intelligence Service, the source of the attacks was tracked down and the government activated an emergency cyber-terror response team who blocked access to five host sites containing the malicious code and 86 websites that downloaded the code, located in 16 countries, including the United States, Guatemala, Japan and the People's Republic of China, but North Korea was not among them. Later, it has been discovered that the malicious code responsible for causing the attack, identified as W32.Dozer, is programmed to destroy data on infected computers and to prevent the computers from being rebooted. South Korean police are analyzing a sample of the thousands of computers used to crash websites, stating that there is "various evidence" of North Korean involvement, but said they may not find the culprit. Security experts said that the attack re-used code from the Mydoom worm. One analyst thinks that the attacks likely came from the United Kingdom.
- 2007 cyberattacks on Estonia
- Cyber Storm Exercise
- Moonlight Maze
- Titan Rain
- Comparison of computer viruses
- Denial-of-service attack
- "New 'cyberattacks' hit S Korea". BBC News. 2009-07-09. Retrieved 2009-07-09.
- Claburn, Thomas (2009-07-10). "Cyber Attack Code Starts Killing Infected PCs". InformationWeek. Retrieved 2009-07-10.
- Mills, Elinor (2009-07-10). "Botnet worm in DOS attacks could wipe data out on infected PCs". CNET News. Retrieved 2009-07-12.
- Williams, Martyn (2009-07-14). "UK, not North Korea, source of DDOS attacks, researcher says". IDG News Service. Archived from the original on 2011-06-15.
- "Pyongyang blamed as cyberattack hits S Korea". Financial Times. 2009-07-09. Retrieved 2009-07-09.
- Kim, Hyung-Jin (2009-07-08). "Korean, US Web sites hit by suspected cyberattack". Associated Press. Archived from the original on July 11, 2009. Retrieved 2009-07-09.
- McDevitt, Caitlin (2009-07-09). "Cyberattack Aftermath". Reuters. Archived from the original on July 12, 2009. Retrieved 2009-07-09.
- "Governments hit by cyberattack". BBC News. 2009-07-08. Retrieved 2009-07-09.
- Markoff, John (2009-07-09). "Cyberattacks Jam Government and Commercial Web Sites in U.S. and South Korea". The New York Times. Retrieved 2009-07-09.
- "Cyber Attacks Hit Government and Commercial Websites". Foxreno.com. 2009-07-08. Archived from the original on 2009-07-12. Retrieved 2009-07-09.
- "28c3: Security Log Visualization with a Correlation Engine". December 29, 2011. Retrieved November 4, 2017.
- "Official: S. Korea web sites under renewed attack". Associated Press. 2009-07-09. Archived from the original on July 15, 2009. Retrieved 2009-07-09.
- "US State Department under cyberattack for fourth day". AFP. 2009-07-10.
- "S Korea's presidential office says no damage done from hacker attacks". Xinhua. 2009-07-08. Retrieved 2009-07-09.
- Han, Jane (2009-07-09). "Cyber Attack Hits Korea for Third Day". Korea Times. Archived from the original on 2009-07-11. Retrieved 2009-07-09.
- Arnoldy, Ben (2009-07-09). "Cyberattacks against US, S. Korea signal anger – not danger". Christian Science Monitor.
- Jiyeon, Lee (2009-07-11). "Cyberattack rocks South Korea". GlobalPost. Retrieved 2009-07-11.
- Kim, Kwang-Tae (2009-07-12). "S. Korea analyzes computers used in cyberattacks". Associated Press. Archived from the original on July 16, 2009. Retrieved 2009-07-12.
- Zetter, Kim (2009-07-08). "Lazy Hacker and Little Worm Set Off Cyberwar Frenzy". Wired News. Retrieved 2009-07-09.
- "N. Korean ministry behind July cyberattacks: spy chief". Yonhap. October 30, 2009.