WASHINGTON — North Korea or its sympathizers were likely responsible for the cyberattack against South Korean government and banking websites earlier this year, according to a new analysis that said it also appears to have been linked to the 2009 massive computer-based attack that brought down U.S. government Internet sites.
A study by computer security software maker McAfee Inc. concludes that the attack that targeted more than two dozen sites in South Korea was a type of reconnaissance mission to see how quickly South Korea's government detected the problem and recovered from it. The McAfee report, expected to be released Tuesday, said clues in the code suggest that the attack was probably engineered by North Korea or its sympathizers.
It is difficult to tell exactly who was responsible for the attacks, said Dmitri Alperovitch, vice president of threat research at computer-security software maker McAfee Inc., in an interview with The Associated Press. But he said a detailed study of the attack and the computer code used in the 2009 and 2011 attacks shows with 95 percent certainty that they were done by the same perpetrator.
South Korean prosecutors said North Korean hackers were behind the so-called denial-of-service attack early this spring, but the North's Ministry of the People's Armed Forces denied it.
Because of the difficulties in determining exactly who launched the attack, there is no way to declare it an act of war by another country or an act of cyberterrorism, espionage or more basic crime by a militant group or others. International officials, in fact, are still trying to define cyberwar.
The Defense Department is poised to release its new cybersecurity strategy, which declares cyber as a warfighting domain and begins to lay out how the U.S. can respond to cyberattacks. And U.S. officials are working with allies and international organizations to develop guidelines governing the use of computer-based capabilities as weapons.
President Barack Obama signed execute orders a few months ago that provide commanders guidance on how they can use cyber operations as part of their military arsenal.
The murkiness of the issue is evident in the most recent example of possible cyberwarfare – the discovery of the Stuxnet worm that targeted Iran's nuclear program last year. The malicious software, which infected laptops at Iran's Bushehr nuclear power plant, is considered a highly sophisticated harbinger of future cyberattacks against computer systems that control critical infrastructure, such as power plants.
Iranian officials have charged that the United States or Israel were behind the attack. And cybersecurity experts say that only a government with sophisticated computer skills, such as the U.S., Israel, Germany, China, Russia or Britain, would have the ability to create such a code.
Cyber experts, however, say they have found no clues in the code to point to a country of origin.
A denial-of-service attack, which floods a website's servers with enormous amounts of webpage requests, is a popular and easily perpetrated hacking activity.
But according to McAfee's analysis, the attack earlier this year was more sophisticated than usual, using layers of encryption to prevent detection and destruction. And in a highly unusual move, it was set to last for just 10 days. Then the malware in the network of infected computers – called a botnet – was designed to self-destruct.
Generally hackers or criminals want to keep the infected computers available so they can scour them for passwords, financial information or other data that can be used to steal money or important secrets.
The short duration of the attack, coupled with the sophisticated layers of protection, suggests there were political, rather than criminal motivations, Alperovitch said.
It was, he said, like "bringing a Lamborghini to a go-cart race."
The 2009 attack – which began on July 4 – included some of the same computer codes as this year's attack and was also routed through machines in South Korea. It hit more than a dozen of the same websites. There were no sites in America targeted in this year's attack, but several websites of U.S. military bases in South Korea were hit.
U.S. authorities initially said there were indications that the 2009 attack originated in North Korea, but later some said they had ruled that out. One problem is that much of North Korea's Internet connectivity runs through China or Japan, making it difficult to trace.
The analysis, said Alperovitch, underscores the growth of cyber as a battlefield, and shows that countries are testing each other to evaluate how well they can withstand a cyberattack.
U.S. officials have warned that the next major assault against America could be a cyberattack that could target critical infrastructure such as financial systems, the electrical grid or power plants. And they've acknowledged that computer-based attacks will likely be part of any new conflicts, possibly as a first strike that opens the door for a bombing or other kinetic attack.
McAfee worked with customers and partners in the private sector and in government that were affected by the attack, to mitigate it at the time, and to analyze and reverse engineer the code. Analysts from the Defense Department and the Department of Homeland Security's U.S. Computer Emergency Response Team also worked with McAfee on the study.
Associated Press writer Jordan Robertson contributed to this report.