South Korea’s government had advance warning of the DDOS attack in the U.S.

Posted on : 2009-07-11 14:50 KST Modified on : 2019-10-19 20:29 KST
Analysts and lawmakers say the government’s belated response was a factor prolonging the cyber attack
Gyeonggi Province

It has been revealed that the South Korean government knew in advance that the distributed denial of service (DDoS) attacks that paralyzed the websites of major institutions in South Korea and overseas had begun earlier in the U.S., but did not handle the situation properly. Analysts say this means that the government’s sloppy response in effect increased the damage resulting from these simultaneous attacks.

According to accounts Friday from officials at the Korea Information Security Agency (KISA) and various security companies, the attacks first struck the websites of major government organizations in the U.S., including the White House and the State Department, last Sunday, which was July 4 (local time), the Independence Day holiday in the U.S. However, the attacks did not deliver much of a blow because of the swift response of U.S. security authorities. The U.S. withstood the cyber attack by blocking outright the access requests arriving from zombie PCs infected with malicious code and located in other countries, including South Korea.

However, while the South Korean government knew through its Computer Emergency Response Team (CERT) that major U.S. sites were suffering a DDoS attack, it considered the attack to be “something that happens all the time” and therefore decided not to issue a warning. “The DDoS attacks that occur in one year alone in South Korea amount to dozens of cases,” said Ryu Chan-ho, head of the analysis and prevention team at KISA’s Korea Internet Security Center. “We do not worry about the trivial stuff,” Ryu added. Major nations throughout the world share information about cyber attacks and hacking and respond to it in real time through a network of CERTs, and despite this prior knowledge, the South Korean government’s belated response to the attack led to greater damage and confusion.

A security company official who analyzed the malicious code used in the attack says, “The zombie PCs infected with the malicious code began their attack on U.S. sites on July 5th, prior to the attacks on July 7th against 25 sites in South Korea and the U.S.” The National Intelligence Service also reported in a meeting of the National Assembly’s Intelligence Committee that while “the U.S. took response measures on July 4 and did not suffer much damage, we responded on the evening of the 7th after the situation produced a situation of paralysis.”

The fact that all three sets of domestic cyber attacks began after 6:00 p.m. indicates that this attack began in the U.S., as 6:00 p.m. in South Korea corresponds to 8:00 a.m. in the eastern U.S. “It looks like the attacks were designed to begin at the start of the business day to affect U.S. government organizations,” said another security company official. If this is the case, it means that South Korea made the situation worse by fumbling early on in the cyber attack, but ultimately suffered less damage because of the time difference.

The government’s belated response to the cyber attack was also discussed at the National Assembly’s Intelligence Committee. Opposition party lawmakers expressed the position that the response was too slow, noting that the vice-ministerial meeting for the related offices was held at 3:00 p.m. the next day and the warning was issued eight hours after the attack was detected. Grand National Party lawmaker Chung Jin-suk said, “It is not the case that the NIS did nothing.” Chung added, “According to them, they gave notice for the control center to respond, and in particular, made a request to AhnLab to supply a vaccine by the morning of July 8th.”

On the matter of speculation that North Korea or forces loyal to North Korea were the source of the attack, the NIS announced that “North Korea is not among the 16 nations whose IP addresses have been detected thus far.”
