Saturday, July 03, 2010

North Korea Not Believed to Be Responsible for 2009 Attacks

A series of attacks targeting U.S. government and South Korean web sites during early July of 2009 were initially blamed on North Korea:
"In the days after the fast-moving, widespread attack, analysis pointed to North Korea as the likely starting point because code used in the attack included Korean language and other indicators."
But according to unnamed "cybersecurity experts" in the article, this no longer appears to be the case. Of course, with the same type of flawed analysis, the "experts" can now speculate who else might be involved:
"These officials point suspicions at South Koreans, possibly activists, who are concerned about the threat from North Korea and would be looking to ramp up antagonism toward their neighbor."
The article, as usual, provides little to no detail that can be independently analyzed, and it appears to be confused about the exact nature of the attack. The article first describes the attacks as "...crippling strikes, known as 'denial of service' attacks" but later says "...the attacks were largely restricted to vandalizing the public Web pages..." of the victims.

That confusion aside, this is another classic case of "cybersecurity experts" trying to use only technical analysis to determine motive. By itself, it just doesn't work (see Analyzing the Google Attacks - Plenty of Room for Mistakes). To assume that the use of the Korean language in attack code implies the source is North (or South) Korea is a very weak inference. It might be true but other explanations (such as a Korean national in San Francisco or a Korean speaker in Japan) are equally likely.

It requires more than a few technical indicators to develop a strong case showing source and motive.

US largely ruling out NKorea in 2009 cyberattacks