U.S. officials eye N. Korea in cyber attack
WASHINGTON -- U.S. authorities say they are eyeing North Korea as the origin of the cyber attack that overwhelmed government websites in the United States and South Korea. But they warned it will be difficult to quickly identify the attackers.
Internet addresses have been traced to North Korea, three officials said, but they added that that does not suggest the attack involved the Pyongyang government. The officials spoke on condition of anonymity because of the sensitivity of the matter.
The Internet attack, which stretched on for days beginning over the July 4 holiday weekend, targeted dozens of government and private sites and underscored how unevenly prepared the U.S. government is to block such assaults.
Targets of the most widespread cyber offensive of recent years also included the National Security Agency, Homeland Security Department and State Department, the Nasdaq stock market and The Washington Post, according to an early analysis of the malicious software used in the attacks.
The cyber assault on the White House site had "absolutely no effect on the White House's day-to-day operations," said spokesman Nick Shapiro.
Preventative measures kept whitehouse.gov "stable and available to the general public," Shapiro said, but Internet visitors from Asia may have experienced problems.
South Korean intelligence officials believe the attacks were carried out by North Korea or pro-Pyongyang forces, but many experts in cyberwarfare said it was simply too early to know where the offensive originated.
Many of the U.S. government targets appear to have successfully blunted the sustained computer assaults. But others, such as the Treasury Department, were knocked off-line at times.
Two government officials acknowledged that Treasury's site was brought down, and said the agency had been working with its Internet service provider to resolve the problem. The officials spoke on condition of anonymity because they were not authorized to speak on the matter.
As of last night, Shapiro said, "all federal websites were back up and running."
Ed Donovan, a spokesman for the U.S. Secret Service, said that the cyber attacks slowed access to the agency's website, which operates on the same computer server as Treasury's. But Secret Service's site remained in operation despite the crippling effects of the cyber offensive, Donovan said.
"Our site was never knocked down, but it was slowed down at points," Donovan said. He added that Secret Service's "operational side" was not affected by the attacks.
State Department spokesman Ian C. Kelly told reporters that the department's state.gov website has been under attack since July 5.
"It's still ongoing but I'm told it's much reduced now," Kelly said.
The Associated Press obtained the target list from security experts analyzing the attacks. It was not immediately clear who might be responsible or what their motives were.
The cyber attack did not appear, at least at the outset, to target internal or classified files or systems, but instead aimed at agencies' public sites, creating a nuisance both for officials and the Web consumers who use them.
Ben Rushlo, director of Internet technologies at Keynote Systems, said problems with the Transportation Department site began Saturday and continued until Monday, while the FTC site was down Sunday and Monday.
Keynote Systems is a mobile and website monitoring company based in San Mateo, Calif. The company publishes data detailing outages on websites, including 40 government sites it watches.
According to Rushlo, the Transportation website was "100% down" for two days, so that no Internet users could get through. The FTC site, meanwhile, started to come back online late Sunday, but even on Tuesday Internet users still were unable to get to the site 70% of the time.
Dale Meyerrose, former chief information officer for the U.S. intelligence community, said that at least one of the federal agency websites got saturated with as many as a million hits per second per attack — amounting to 4 billion Internet hits at once. He would not identify the agency, but said the website is generally capable of handling a level of about 25,000 users.
Meyerrose, who is now vice president at Harris Corp., said the characteristics of the attack suggest the involvement of between 30,000 to 60,000 computers.
He said it appears there was one attack on July 4, which some agencies were able to contain, and then a second round on Tuesday. Meyerrose said that since the attackers would have used surrogate computers, it is still too early to tell where it originated.
South Korea's National Intelligence Service, the nation's principal spy agency, told a group of South Korean lawmakers Wednesday it believes that North Korea or North Korean sympathizers in the South were behind the attacks, according to an aide to one of the lawmakers briefed on the information.
The aide spoke on condition of anonymity, citing the sensitivity of the information. The National Intelligence Service — South Korea's main spy agency — said it couldn't immediately confirm the report.
Amy Kudwa, spokeswoman for the Homeland Security Department, said the agency's U.S. Computer Emergency Readiness Team issued a notice to federal departments and other partner organizations about the problems and "advised them of steps to take to help mitigate against such attacks."
New York Stock Exchange spokesman Ray Pellecchia could not confirm the attack on the trading institution, saying the company does not comment on security issues.
Attacks on federal computer networks are common, ranging from nuisance hacking to more serious assaults, sometimes blamed on China. U.S. security officials also worry about cyber attacks from al-Qaeda or other terrorists.
The widespread attack was "loud and clumsy," which suggests it was carried out by an unsophisticated organization, said Amit Yoran, chief executive at NetWitness Corp. and the former U.S. government cybersecurity chief. "This is not the elegance we would expect from sophisticated adversaries."
Websites of major South Korean government agencies, including the presidential Blue House and the Defense Ministry, and some banking sites were paralyzed Tuesday. An initial investigation found that many personal computers were infected with a virus ordering them to visit major official websites in South Korea and the U.S. at the same time, Korea Information Security Agency official Shin Hwa-su said.