Chad O'Carroll has written on North Korea since 2010 and writes between London and Seoul.
With tensions high on the peninsula, NK NEWS was attacked repeatedly last week in a coordinated effort that saw the website go down for several hours on each of four consecutive days. At the same time the attacks occurred, the high-profile hacking group Anonymous made public its hacking successes against several North Korean state news websites and a number of officially controlled North Korean social media accounts.
Although NK NEWS has no affiliation to the DPRK Government, the website routinely receives correspondence from people who believe the project is sponsored by Pyongyang. It’s therefore possible that hackers at Anonymous targeted NK NEWS in the belief that the site was simply another North Korean asset, worthy of attack. This theory is backed up by further hacking attempts received late on April 15, the same day as a new wave of Anonymous coordinated hacks were made against North Korean websites.
But in recent weeks numerous South Korean websites and North Korea-focused news services (such as Daily NK and Open Radio North Korea) were also hacked, in attacks subsequently reported to have emanated from North Korea itself. If true, this opens the possibility of North Korea being involved in the spate of attacks that also took NK NEWS offline, though it is impossible to know for certain.
Finding out who is behind a cyber attack is an extremely difficult business, though important clues can be determined from the manner in which a website is attacked. To help better understand what happened to NK NEWS last week, especially in the broader context of inter-Korean tensions, we spoke to our server administrator Tomasz Chmielewski to find out more.
1 – Please explain the types of attacks NK NEWS suffered from Saturday through Tuesday last week.
They were typical DDoS (distributed denial of service) attacks. However, we experienced three different types of attacks, all at the same time:
1. We were flooded with queries targeting port 80 (where the webserver is running) and the attackers were opening lots of new connections to us, yet never requesting any further data from the web server.
In layman’s terms, you can compare this to a lot of people dialing your number, but as you go to pick up the phone and say “hello?”, there is no answer – so you repeat “hello” a few more times, before you hang up. Then imagine that happening, thousands of times per second. This was performed from many locations around the world, which caused issues for our server.
2. ICMP flood – interestingly, we were also flooded with ICMP requests, although this is not something which caused too many problems. The attackers were hoping to saturate our bandwidth.
3. DNS query flood – we were also flooded with DNS queries, which is also interesting, as we don’t run a DNS server on our server. Again, the attackers were hoping to saturate our bandwidth with this type of attack.
Apart from the above, we also received thousands of login attempts with random/guessed passwords. And today we received numerous “SQL injection” attempts, an issue where the attacker tries to inject malicious code into the website through the contact form.
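The three flood types described above can be told apart from ordinary traffic by simple per-record rules. The following is an added example, not code from the article or from Virtall: it classifies constructed connection records (source, protocol, destination port, bytes sent by the client after the connection was accepted) into the three categories, and reports how many distinct sources each category came from, which is the "distributed" part of a DDoS. The record format, thresholds and the assumption that the host listens only on TCP 80/443 are all constructed for this example.

```python
# Added example (not from the article or Virtall): classify constructed
# connection records into the three flood types the interview describes and
# report per-category volume and how many distinct sources were involved.
from collections import Counter, defaultdict

# Constructed sample records: (src_ip, proto, dst_port, request_bytes).
# request_bytes is what the client sent after the connection was accepted.
RECORDS = [
    ("203.0.113.5", "tcp", 80, 0), ("203.0.113.5", "tcp", 80, 0),
    ("198.51.100.7", "tcp", 80, 0), ("198.51.100.9", "tcp", 80, 412),
    ("192.0.2.20", "icmp", None, 64), ("192.0.2.21", "icmp", None, 64),
    ("192.0.2.22", "icmp", None, 64), ("198.51.100.30", "udp", 53, 40),
    ("198.51.100.31", "udp", 53, 40), ("198.51.100.32", "udp", 53, 40),
]

# Services this host actually runs (assumption: a web server only, no DNS).
LISTENING = {("tcp", 80), ("tcp", 443)}

def classify(record):
    """Map one record to a flood category, or None for ordinary traffic."""
    src, proto, port, req_bytes = record
    if proto == "tcp" and port == 80 and req_bytes == 0:
        return "idle_http_connection"   # connects, never sends a request
    if proto == "icmp":
        return "icmp_echo"              # ping flood aimed at bandwidth
    if proto == "udp" and port == 53 and ("udp", 53) not in LISTENING:
        return "dns_query_to_non_resolver"  # DNS queries to a host with no DNS
    return None

def summarize(records, min_events=3):
    """Return {category: {"events": n, "sources": k}} for every category
    whose event count reaches min_events; k shows how distributed it is."""
    events = Counter()
    sources = defaultdict(set)
    for rec in records:
        cat = classify(rec)
        if cat:
            events[cat] += 1
            sources[cat].add(rec[0])
    return {c: {"events": n, "sources": len(sources[c])}
            for c, n in events.items() if n >= min_events}

if __name__ == "__main__":
    for cat, stats in summarize(RECORDS).items():
        print(f"{cat}: {stats['events']} events from {stats['sources']} sources")
```

In practice the records would come from firewall or flow logs over a time window, and a category with a high event count spread across many sources is the signature that separates a botnet flood from a single misbehaving client.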
2 – How sophisticated were the attacks? What would be an approximate cost in time / resources to conduct these kinds of attacks?
The attacks were not too sophisticated when it comes to the technical side. They were just flooding the server with a lot of queries.
On the other hand, “nec Hercules contra plures…” – there were so many attackers coming in from such a wide variety of geographical locations that we had a hard time serving the traffic.
Certainly, what the attackers did – a distributed denial of service attack (DDoS) – *is* more sophisticated when you consider it is being conducted from computers around the world.
Typically, these kinds of attacks are performed from botnets of infected (usually Windows) personal computers. If the attackers didn’t own the botnet themselves, they could buy access to it through some kind of underground service.
3 – Do we have any idea of who conducted the attacks? Is it ever possible to know?
I don’t think it’s possible to find out. But while automated login attempts are something that nearly *every* site suffers from, DDoS attacks of this scale are usually a targeted thing. Usually there will be political or business reasons behind a DDoS attack; in this case, I’d imagine anyone who triggered the attack was probably politically motivated.
4 – The NK NEWS attacks occurred at a time when other North Korea-focused websites were being attacked and came just days after several big websites in South Korea were hacked. The South Korean government accused North Korea of being behind these attacks – do you think there is any way a national government can ever be this confident of the perpetrator?
According to the reports, they’ve conducted quite a detailed analysis. They will never know with 100% certainty who was really behind these attacks, but most traces lead to North Korea.
5 – What does your company do to help remedy security vulnerabilities?
My company, Virtall, will help you find weak spots in your systems, fix them, then optimize and design for future growth.
6 – Any final remarks about hacking and the Koreas? Do you think there is political motivation, or should we just read all the hacking as something we have to live with?
There seems to be a lot of political motivation here.
Hacking is something we’ll have to live with – there are more and more ordinary people using systems which were seen as “for professionals only” a few days ago; still, these systems are not designed to cope with the most common pitfalls (using weak passwords, dictionary password attacks).