DDoS Botnets, North Korea and the Threat of Cyber War

In an interesting development a couple of weeks ago, the United States Computer Emergency Readiness Team (US-CERT) issued a rare bulletin, warning that a North Korean hacking team, dubbed Hidden Cobra, is actively targeting media, aerospace, financial, and critical infrastructure sectors in the United States and around the world.

According to the bulletin, North Korean hackers were responsible for several attacks that date all the way back to 2009, using DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. The North Korean hackers, also dubbed the Lazarus Group or Guardians of Peace, are believed to be linked to the WannaCry ransomware attack in May, which affected computers in over 150 countries.

The U.S. Department of Homeland Security and the Federal Bureau of Investigation are most concerned right now that the hacking group is using a botnet creation malware called DeltaCharlie that has been used to launch distributed denial of service (DDoS) attacks. According to the US-CERT bulletin,

“DeltaCharlie is a DDoS tool capable of launching Domain Name System attacks, Network Time Protocol attacks, and Character Generation Protocol attacks. The malware operates on victims’ systems as a svchost-based service and is capable of downloading executables, changing its own configuration, updating its own binaries, terminating its own processes, and activating and terminating denial-of-service attacks.”

One interesting aspect of the CERT bulletin is its list of “Mitigation Strategies,” which does not include the fundamental advice of using a DDoS mitigation hardware appliance or scrubbing service. The bulletin does note: “Network administrators are encouraged to apply the following recommendations, which can prevent as many as 85 percent of targeted cyber intrusions.” That’s OK, unless the cyber intrusion falls into the remaining 15 percent category, I suppose.

On its own, the CERT alert is worrisome. But Cyber Security Intelligence published an additional piece of news last week that is noteworthy: the North Atlantic Treaty Organization (NATO) would consider a large enough cyber attack against one member an attack on them all. Twenty-nine nations are members of NATO; as cyber war becomes more common, it is more likely that a NATO member will be targeted by an outside nation state.

Before acting, NATO would require substantial evidence that an attack was coordinated by a nation-state, not just an ad hoc group of bad actors. However, figuring out who conducted an attack can take weeks, if not longer, because it is extremely difficult for anyone to trace the origins of a DDoS attack. The source is typically (1) a legitimate third-party server running a service that an attacker has leveraged as part of a reflection/amplification attack, (2) a direct flood attack from a single device, or (3) a botnet of many devices whose IP source addresses are easily spoofed to ones that cannot be associated with the attacker.
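To make the attribution problem concrete, here is an added example (not code from the original post, US-CERT, or any vendor) that triages inbound flow records into the three source types just described, using the DNS, NTP, and CharGen reflector ports the bulletin names for DeltaCharlie. The flow-line format, the victim and source addresses (documentation ranges only), and the 80 percent share thresholds are all constructed assumptions. Its verdict tells a defender what kind of traffic is arriving, not who sent it: in the reflection case the senders are innocent third-party servers, and in the distributed case the source addresses are probably meaningless.

```python
"""Triage of inbound flow records into the three DDoS source types the post
describes: reflection/amplification via third-party servers, a direct flood
from one device, or a distributed (and probably spoofed) botnet.

Added example; the flow-line format and the thresholds are assumptions."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# UDP services commonly abused as reflectors. The three listed here are the
# protocols the US-CERT bulletin names for DeltaCharlie (DNS, NTP, CharGen).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 19: "CharGen"}

# Assumed thresholds: the share of bytes/packets one explanation must account
# for before the classifier commits to it.
REFLECTION_BYTE_SHARE = 0.8
SINGLE_SOURCE_PKT_SHARE = 0.8


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line:
    '<src_ip>:<src_port> -> <dst_ip>:<dst_port> <PROTO> <packets> <bytes>'."""
    src, _, dst, proto, packets, nbytes = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Flow(sip, int(sport), dip, int(dport), proto, int(packets), int(nbytes))


def classify_flows(flows: List[Flow], victim_ip: str) -> Dict:
    """Return a verdict on the traffic aimed at victim_ip."""
    inbound = [f for f in flows if f.dst_ip == victim_ip]
    if not inbound:
        return {"category": "none", "distinct_sources": 0}

    total_pkts = sum(f.packets for f in inbound)
    total_bytes = sum(f.nbytes for f in inbound) or 1
    pkts_by_src: Counter = Counter()
    for f in inbound:
        pkts_by_src[f.src_ip] += f.packets
    top_src, top_pkts = pkts_by_src.most_common(1)[0]

    # Traffic arriving *from* a well-known UDP service port is the signature of
    # reflection: a legitimate server is answering requests it believes came
    # from the victim, so its address says nothing about the attacker.
    reflected = [f for f in inbound if f.proto == "UDP" and f.src_port in REFLECTOR_PORTS]
    refl_share = sum(f.nbytes for f in reflected) / total_bytes

    if refl_share >= REFLECTION_BYTE_SHARE:
        category = "reflection/amplification"
    elif top_pkts / total_pkts >= SINGLE_SOURCE_PKT_SHARE:
        category = "direct flood"
    else:
        # Many sources each contributing little: the addresses are probably
        # spoofed and cannot be associated with whoever runs the botnet.
        category = "distributed (likely spoofed)"

    return {
        "category": category,
        "total_packets": total_pkts,
        "distinct_sources": len(pkts_by_src),
        "top_source": top_src,
        "top_source_share": round(top_pkts / total_pkts, 3),
        "reflection_byte_share": round(refl_share, 3),
        "reflector_services": sorted({REFLECTOR_PORTS[f.src_port] for f in reflected}),
    }


def classify_log(lines: List[str], victim_ip: str) -> Dict:
    """Parse constructed log lines and classify them for one victim address."""
    return classify_flows([parse_flow(ln) for ln in lines if ln.strip()], victim_ip)


VICTIM = "198.51.100.7"  # constructed victim address (TEST-NET-2)

# Constructed sample logs; all addresses are from documentation ranges.
REFLECTION_LOG = [
    "203.0.113.10:53 -> 198.51.100.7:41000 UDP 1200 3600000",   # DNS responses
    "203.0.113.11:123 -> 198.51.100.7:41001 UDP 900 440000",    # NTP responses
    "203.0.113.12:19 -> 198.51.100.7:41002 UDP 800 1100000",    # CharGen output
    "192.0.2.50:44231 -> 198.51.100.7:443 TCP 30 4000",         # ordinary client
    "203.0.113.10:53 -> 198.51.100.8:41000 UDP 5 500",          # other host, ignored
]
DIRECT_LOG = [
    "192.0.2.77:5123 -> 198.51.100.7:80 TCP 50000 3000000",     # one device flooding
    "192.0.2.78:5124 -> 198.51.100.7:80 TCP 40 3000",
    "203.0.113.9:53 -> 198.51.100.7:52000 UDP 10 2000",         # a normal DNS reply
]
SPOOFED_LOG = [f"192.0.2.{i}:{40000 + i * 7} -> 198.51.100.7:80 TCP 3 180"
               for i in range(1, 41)]                           # 40 tiny senders

if __name__ == "__main__":
    for name, log in (("reflection", REFLECTION_LOG), ("direct", DIRECT_LOG),
                      ("spoofed", SPOOFED_LOG)):
        print(name, classify_log(log, VICTIM))
```

The ordering of the checks matters: reflection is tested first because a reflection flood can also look "distributed" (many reflector addresses), and treating those servers as attackers would misdirect both the response and any attribution claim.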

The specter of full-blown cyber warfare is hard to fathom; would it involve DDoS attacks on critical grid infrastructure, and/or financial institutions? Would hospitals, utilities and banking institutions be able to block such an attack? If not, then how long would it take them to recover from a DDoS attack?

There is no reason for alarm at this point, but there is cause for concern, in light of the recent tensions with North Korea, and the US-CERT bulletin, which stated,

“DHS and FBI assess that HIDDEN COBRA actors will continue to use cyber operations to advance their government’s military and strategic objectives.”

As political and cyber threat landscapes continue to evolve, this issue is worth watching.