SEOUL, South Korea–A wave of cyberattacks aimed at 27 American and South Korean government agencies and commercial Web sites temporarily jammed more than a third of them over the past five days, and several sites in South Korea came under renewed attack on Thursday.
The latest bout of attacks, which affected service on one government and six commercial Web sites in South Korea, was relatively minor, and all but two of the sites were fully functional within a few hours, said an official from the state-run Korea Communications Commission.
“An aggressive distribution of vaccine programs against the attack has helped fight back,” the official, Shin Hwa-soo, said. “But we are not keeping our guard down. We are distributing the vaccine programs as widely as possible and monitoring the situations closely because there might be a new attack.”
Officials and computer experts in the United States said Wednesday that the attacks, which began over the July 4 weekend, were unsophisticated and on a relatively small scale, and that their origins had not been determined. They said 50,000 to 65,000 computers had been commandeered by hackers and ordered to flood specific Web sites with access requests, causing them to slow or stall. Such robotic networks, or botnets, can involve more than a million computers.
The Web sites of the Treasury Department, Secret Service, Federal Trade Commission and Transportation Department were all affected at some point over the weekend and into this week, The Associated Press reported Tuesday, citing American officials.
A White House spokesman, Nick Shapiro, said in a statement on Wednesday that “all federal Web sites were back up and running” by Tuesday night and that the White House site had also been attacked.
He said, “The preventative measures in place to deal with frequent attempts to disrupt whitehouse.gov’s service performed as planned, keeping the site stable and available to the general public, although visitors from regions in Asia may have been affected.”
The Web site of the New York Stock Exchange also came under attack, as well as the sites of Nasdaq, Yahoo’s finance section and The Washington Post.
Researchers who are following the attacks said that they began July 4 and focused on the small group of United States government Web sites, but that the list later expanded to include commercial sites in the United States and then commercial and government sites in South Korea. Files stored on computers that are part of the attacking system show that 27 Web sites are now targets.
In South Korea, at least 11 major sites have slowed or crashed since Tuesday, including those of the presidential Blue House, the Defense Ministry, the National Assembly, Shinhan Bank, the mass-circulation newspaper Chosun Ilbo and the top Internet portal Naver.com, according to the government’s Korea Information Security Agency.
On Wednesday, some of the South Korean sites regained service, but others remained unstable or inaccessible.
“This is not a simple attack by an individual hacker, but appears to be thoroughly planned and executed by a specific organization or on a state level,” the South Korean spy agency, the National Intelligence Service, said in a statement, adding that it was cooperating with the American authorities to investigate the attacks.
The spy agency said the attacks appeared to have been carried out by a hostile group or government, and the news agency Yonhap reported that the agency had implicated North Korea or pro-North Korean groups.
A spokesman at the intelligence agency said it could not confirm the Yonhap report about North Korea’s possible role. The opposition Democratic Party accused the spy agency of spreading rumors to whip up support for an antiterrorism bill that would give it more power.
Although most of the North Korean military’s hardware is decrepit, the South Korean authorities have recently expressed concern over possible cyberattacks from the North. In May, South Korean media reported that North Korea was running a cyberwarfare unit that operated through the Chinese Internet network and tried to hack into American and South Korean military networks. United States computer security researchers who have examined the attacking software and watched network traffic played down the sophistication and extent of the attacks.
“I would call this a garden-variety attack,” said Jose Nazario, manager of security research at Arbor Networks, a network security firm that is based in Chelmsford, Mass. He said that the attackers were generating about 23 megabits of data a second, not enough to cause major disruptions of the Internet at most of the sites that were being attacked.
“The code is really pretty elementary in many respects,” he added. “I’m doubting that the author is a computer science graduate student.”
As for possible origins, there were only hints. One researcher, Joe Stewart, of Secureworks’ Counter Threat Unit in Atlanta, said the attacking software contained the text string “get/China/DNS,” with DNS referring to China’s Internet routing system. He said that it appeared that the data generated by the attacking program was based on a Korean-language browser.
Amy Kudwa, a Department of Homeland Security spokeswoman, said that the agency was aware of the attacks and that it had issued a notice to federal departments and agencies, as well as to other partner organizations, advising them of steps to take to help mitigate attacks.
Choe Sang-Hun reported from Seoul, and John Markoff from San Francisco. Sharon Otterman contributed reporting from New York.
Entire contents, Copyright © 2009 The New York Times. All rights reserved.
