What makes SKorea cyberattacks so hard to trace?

Mar 21, 2013 by Peter Svensson
South Korean computer researchers examine the shut-down hardware of the Korean Broadcasting System (KBS) at the Evidence Acquisition Lab of the Cyber Terror Response Center at the National Police Agency in Seoul, South Korea, Thursday, March 21, 2013. A Chinese Internet address was the source of a cyberattack on one company hit in a massive network shutdown that affected 32,000 computers at six banks and media companies in South Korea, initial findings indicated Thursday. (AP Photo/Lee Jin-man)

The attacks that knocked South Korean banks offline this week appear to be the latest examples of international "cyberwar." But digital warfare differs from conventional combat in many ways, and one of them is that there's often no good way of knowing who's behind an attack.

South Korean authorities said Thursday that the attack, which shut down scores of cash machines and hampered business, had been traced to an "Internet Protocol" address in China. But that doesn't mean the attack was launched from there. The general in is that the attack originated in .

"IP" addresses are, roughly speaking, the phone numbers of the Internet. Each connected computer has a number that identifies it on the network, so the Chinese IP address implies that a computer in China was involved in the attack.

However, that computer could have been controlled from elsewhere, either because someone bought access to it, or because it had been infected with malicious software. To determine the location from which it was being controlled, investigators would need access to that computer, or to the records of the company hosting it. That's unlikely to be forthcoming from a company in China.

"China is obviously a popular place to hide things," said Dan Holden, director of security research at Arbor Networks' Security Engineering & Response Team. Chinese authorities are difficult to work with, and there's a language barrier, he said.

Two South Korean computer researchers look at computer monitors as they check the shut-down servers of the Korean Broadcasting System (KBS) at the Cyber Terror Response Center at the National Police Agency in Seoul, South Korea, Thursday, March 21, 2013. (AP Photo/Lee Jin-man)

In addition, China is believed to be conducting its own campaign of cyber-espionage, which means that attacks launched from there are often simply attributed to the Chinese government, even if it isn't responsible for the aggression, Holden said.

"If you are any nation state or even any attacker right now, why wouldn't you hide in China right now?" Holden asked rhetorically.

Apart from tracing the path an attack takes through the Internet, there's another way to figure out who's behind it: analysis of the software involved. Malicious software, or "malware," can provide clues to its creator. Some of those are obvious, like comments left in the code. However, such comments can be easily faked to lead investigators astray. More subtle analysis can be fruitful, according to Christopher Novak, managing principal of the global investigative response team at Verizon Communications Inc.

"In many cases, the malware that you see on the computer is very similar to a cold or an illness that a person gets ... The strain of the cold that I have and the strain of the cold that you have may be slightly different, but when we look at the DNA and makeup and see they're 99.9 percent the same, there's a pretty good chance one of us transmitted it to the other," Novak said. "When we analyze malware codes, we see the elements that are copied and reused, certain programming styles."

Such analysis can yield important clues, but rarely rock-solid attribution. The U.S. Department of Defense has said that a cyberattack can merit a violent response, but first you have to know whom to target.
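The kind of comparison Novak describes, and the reason planted comments or author tags are a weak signal, can be shown with a small similarity check. The following is an added example written for this page, not code from the article, from Verizon or from Arbor Networks. It treats each "sample" as a blob of bytes standing in for an extracted code section, splits it into overlapping 4-byte sequences, and scores two samples by the share of sequences they have in common (Jaccard similarity), once with embedded strings included and once with printable strings stripped out. The three samples are constructed byte strings, not real malware: A and B share one code section but carry different tags, while C is unrelated code with A's author tag copied into it. Real investigations use richer features (disassembled functions, compiler fingerprints, reused library code); the byte n-gram approach here only illustrates the idea.

```python
"""Byte n-gram similarity between constructed code "samples".

Added example for this page. Not code from the article or from any of the
investigators quoted in it. The samples below are made-up byte strings that
stand in for extracted code sections; none of them is real malware.
"""
import random
import re


def ngrams(data: bytes, n: int = 4) -> set[bytes]:
    """All overlapping n-byte sequences in data (the units being compared)."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: set[bytes], b: set[bytes]) -> float:
    """Share of n-grams common to both sets: 1.0 identical, 0.0 disjoint."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def strip_strings(data: bytes) -> bytes:
    """Drop printable-ASCII runs of 4+ bytes (embedded strings, comments,
    author tags), so text an attacker planted cannot steer the comparison."""
    return re.sub(rb"[\x20-\x7e]{4,}", b"", data)


def similarity(a: bytes, b: bytes, ignore_strings: bool = True) -> float:
    """Jaccard similarity of the 4-gram sets of a and b, optionally after
    removing embedded strings from both."""
    if ignore_strings:
        a, b = strip_strings(a), strip_strings(b)
    return jaccard(ngrams(a), ngrams(b))


def _blob(seed: int, size: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for a compiled routine."""
    return random.Random(seed).randbytes(size)


# Constructed samples (hypothetical, for illustration only).
SHARED_CODE = _blob(1, 600)                                   # routine reused between two builds
SAMPLE_A = SHARED_CODE + b"// built by team_x v2\x00" + _blob(3, 100)
SAMPLE_B = SHARED_CODE + b"// build 17\x00" + _blob(4, 100)   # same routine, different tag
SAMPLE_C = _blob(2, 600) + b"// built by team_x v2\x00" + _blob(5, 100)  # unrelated code, copied tag


def report() -> dict[str, float]:
    """Pairwise scores with and without embedded strings."""
    return {
        "A_vs_B_raw": similarity(SAMPLE_A, SAMPLE_B, ignore_strings=False),
        "A_vs_B": similarity(SAMPLE_A, SAMPLE_B),
        "A_vs_C_raw": similarity(SAMPLE_A, SAMPLE_C, ignore_strings=False),
        "A_vs_C": similarity(SAMPLE_A, SAMPLE_C),
    }


if __name__ == "__main__":
    for name, score in report().items():
        print(f"{name}: {score:.3f}")
```

A and B score high whether or not strings are considered, because they reuse the same code section; C scores near zero against A once the copied tag is stripped, even though the tag alone gives it a small non-zero score in the raw comparison. That is the point of the article's caveat: shared code is evidence, shared text is cheap to plant.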

"Digital attribution is extremely difficult and if you want to do it, it takes some serious effort," Holden said.
