The U.S.-South Korea Cyberattack: How Did It Happen?

It sounds like an advanced operation: Hackers hit dozens of high-profile Web sites, knocking the Federal Trade Commission and other government groups completely offline. Days later, South Korea gets a wave of the same treatment.

The description may seem shocking, but a recent series of attacks on U.S. and South Korean Web sites was actually far less sophisticated than one might think. Security researchers are gaining a better understanding of what exactly happened, and why it caused so many major sites to go down.

Understanding the Cyberattack

The cyberattack started over the Fourth of July weekend, when hackers targeted the Web sites of the Federal Trade Commission, the Department of Treasury, and several other U.S. government organizations. Some reports suggest the White House's Web site may have even been a target, though its functionality did not appear to be affected. The FTC's site, however, was one of several offline as late as Monday.

Now, investigators believe a distributed denial-of-service attack was to blame. The attack works by infecting a large number of computers with malware, building up what's commonly called a "botnet." Those machines are then used to send tremendous amounts of data to a site's servers, overwhelming it with more information than it could possibly handle. This past weekend's attack, according to one analysis, sent 20 to 40 gigabytes of data per second.

"Essentially, it just pounds them until they turn over and die," explains Dave Marcus, director of security research and communications for McAfee Avert Labs. "It's like having a firehose, and you're sending more water through than the hose can take."
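The mechanism described above, a flood from many compromised machines that overwhelms a target, is what a defender's monitoring needs to recognise quickly. The following example is added here and is not from the article or from any of the organisations it mentions; it shows how per-second inbound volume and distinct-source counts can be aggregated from flow records and compared against a quiet-period baseline, using the "about 10 times normal" ratio the article cites as the alert threshold. All flow records, addresses and volumes are constructed for illustration.

```python
"""Volumetric DDoS detection over flow records (illustrative, constructed data).

Two signals are combined: inbound bits per second far above a measured
baseline, and a large number of distinct sources, which distinguishes a
botnet flood from a single misbehaving host.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch second the flow was observed in (constructed)
    src: str       # source address (constructed, private/documentation ranges)
    dst: str       # target server address (constructed)
    nbytes: int    # bytes delivered to the target in this record


def per_second_stats(flows, target):
    """Return {second: (total_bytes, distinct_sources)} for one target."""
    by_sec = defaultdict(lambda: {"bytes": 0, "srcs": set()})
    for f in flows:
        if f.dst != target:
            continue
        by_sec[f.ts]["bytes"] += f.nbytes
        by_sec[f.ts]["srcs"].add(f.src)
    return {ts: (v["bytes"], len(v["srcs"])) for ts, v in by_sec.items()}


def baseline_bps(stats, quiet_seconds):
    """Mean inbound bits/s over a window known to be normal traffic."""
    secs = list(quiet_seconds)
    return sum(stats[t][0] * 8 for t in secs) / len(secs)


def detect_volumetric(stats, baseline, ratio=10.0, min_sources=1000):
    """Flag seconds whose volume is >= ratio x baseline AND which come from
    at least min_sources distinct hosts. Returns [(second, bps, sources)]."""
    alerts = []
    for ts in sorted(stats):
        nbytes, nsrc = stats[ts]
        bps = nbytes * 8
        if bps >= ratio * baseline and nsrc >= min_sources:
            alerts.append((ts, bps, nsrc))
    return alerts


def constructed_flows():
    """Synthetic traffic: three quiet seconds, then two seconds of flood.
    Not real capture data."""
    target = "203.0.113.10"
    flows = []
    # Quiet period: 40 clients each sending 125 kB/s -> 40 Mbit/s total.
    for ts in range(1000, 1003):
        for i in range(40):
            flows.append(Flow(ts, f"198.51.100.{i + 1}", target, 125_000))
    # Flood: 5,000 compromised hosts each sending 100 kB/s -> 4 Gbit/s total.
    for ts in range(1003, 1005):
        for i in range(5000):
            src = f"10.0.{i >> 8}.{i & 255}"
            flows.append(Flow(ts, src, target, 100_000))
    return flows


if __name__ == "__main__":
    flows = constructed_flows()
    stats = per_second_stats(flows, "203.0.113.10")
    base = baseline_bps(stats, range(1000, 1003))
    for ts, bps, n in detect_volumetric(stats, base):
        print(f"t={ts}: {bps / 1e9:.2f} Gbit/s from {n} distinct sources "
              f"(baseline {base / 1e6:.0f} Mbit/s)")
```

The distinct-source requirement matters in practice: a single host sending at ten times baseline is a problem, but not a botnet, and the response (rate-limit or block one address versus engaging upstream scrubbing) differs. In a real deployment the baseline would be learned over a much longer window than three seconds, and the flow records would come from a collector such as NetFlow/IPFIX rather than an in-memory list.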

Still, such an attack is deceptively simple to orchestrate. An expert quoted in The Washington Post called the tactic "amateurish." A White House official added that denial-of-service attacks are common on government Web sites, with a Homeland Security representative noting that attempts are observed on a near-daily basis.

"You'd be surprised how simple it is to do," Marcus says. "Most of the tools are freely available on the Internet, [and] they're not very technically complicated to use."

Searching for Answers

Why, then, did some of these efforts actually succeed? The scope of the attack may provide part of the explanation: Roughly 50,000 PCs are believed to have been taken over and used. Moreover, the amount of data sent was about 10 times the amount typically transmitted in these types of attacks, according to some estimates. While many of the targeted sites were able to withstand the force, some of the lower-profile ones may not have been fully prepared.

As for who was behind the attacks, some South Korean government officials have speculated that North Korea may have been involved. Some botnet researchers, however, counter that claim, saying the attack didn't appear organized enough to be state-sponsored. Ultimately, finding any definitive answer may prove to be difficult.

"The tools are very much built to ensure confidentiality and anonymity," Marcus says. "The attacks are launched from victimized machines, so in most cases, the owners of the machines themselves are as much victims as the intended targets."

Connect with JR Raphael on Twitter (@jr_raphael) or via his Web site, jrstart.com.