North Korea's DDoS Attacks Analyzed Based on IPs
20.6.2017 securityweek APT
Arbor Networks has used the IP addresses shared recently by United States authorities to analyze distributed denial-of-service (DDoS) attacks attributed to the North Korean government. The security firm believes the data may not be as useful for organizations as the U.S. hopes.
Earlier this month, the United States Computer Emergency Readiness Team (US-CERT) released a technical alert on behalf of the DHS and the FBI to warn organizations of North Korea’s Hidden Cobra activities, particularly its DDoS botnet infrastructure.
Hidden Cobra, a threat actor tracked by others as Lazarus Group, is believed to be behind several high-profile attacks, including the ones targeting Sony Pictures, Bangladesh’s central bank, and banks in Poland. Links have also been found between the group and the recent WannaCry ransomware attacks.
The US-CERT report focused on a DDoS tool dubbed DeltaCharlie. The organization has shared information on exploits, malware, IP addresses, file hashes, network signatures, and YARA rules associated with Hidden Cobra in an effort to help defenders detect the group’s attacks.
Data from Arbor Networks’ ATLAS infrastructure showed that 24 of the 632 IP addresses provided by US authorities were involved in at least one DDoS attack over a 105-day period between March 1 and June 13, 2017.
The company pointed out that its ATLAS infrastructure, which relies on data shared anonymously by nearly 400 globally distributed service providers, covers roughly one-third of Internet traffic, which means the actual number of IPs involved in attacks during this period is likely higher.
According to Arbor, 16 IPs participated in more than one of the 164 attacks observed by the company. The largest attack peaked at 4.3 Gbps, which is more than enough to disrupt unprotected systems, and the longest attack lasted for 44 hours.
While the largest concentration of IP addresses in the US-CERT report was in Russia, Arbor traced the highest percentage of the IPs it observed in attacks to Saudi Arabia (6 of 24) and the United Arab Emirates (5 of 24).
The IPs monitored by Arbor were involved in DDoS attacks on most days, but there were some periods with no activity. The longest period with no activity started on April 5, shortly after North Korea launched a missile into the Sea of Japan. While it’s unclear if the two events are in any way related, experts noted that DDoS attacks are often timed with significant geopolitical events.
Of the 164 DDoS attacks observed by researchers, nearly half were aimed at the United States, followed by the U.K., Australia, France, Saudi Arabia and Singapore.
SecurityWeek has reached out to several other DDoS protection companies, but none of them could immediately provide any information on the Hidden Cobra attacks.
Arbor said it conducted its own analysis because the US-CERT report, which the company described as vague, did not state whether the IPs were bots or part of command and control (C&C) infrastructure, nor whether they were “innocent” reflectors.
Arbor’s analysis – based on the types of attacks observed – suggests that the report lists open reflectors abused by DeltaCharlie and not the actual bots.
“This lack of context makes it difficult for responders to act. Security analysts would treat a list of command-and-control servers differently from a list of bots, and differently from a list of reflectors,” experts said. “Blindly loading such indicators into security systems could potentially cause more harm than good.”
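The triage the analysts describe, as an added Python example that is not Arbor's or US-CERT's code: given a context-free indicator list and constructed edge flow records, it infers whether each IP behaves as a reflector, a bot or a C&C server and picks the matching response. The reflector port set and every address in it are assumptions made for illustration.

```python
# Added example (not Arbor's or US-CERT's code): triage a context-free IP
# indicator list by the role each address actually plays in observed traffic.
# The flow records and the port set below are constructed for illustration.
# UDP services commonly abused for reflection/amplification (assumed set).
REFLECTOR_PORTS = {19, 53, 123, 161, 1900, 11211}

# Constructed flow records as seen at our network edge:
# (src_ip, src_port, dst_ip, dst_port, proto, direction)
# direction is "in" (internet -> our hosts) or "out" (our hosts -> internet).
FLOWS = [
    ("203.0.113.10", 123, "198.51.100.5", 40123, "udp", "in"),
    ("203.0.113.10", 123, "198.51.100.5", 40124, "udp", "in"),
    ("203.0.113.10", 123, "198.51.100.5", 40125, "udp", "in"),
    ("203.0.113.20", 51234, "198.51.100.5", 80, "tcp", "in"),
    ("203.0.113.20", 51235, "198.51.100.5", 443, "tcp", "in"),
    ("10.0.0.7", 49152, "203.0.113.30", 8080, "tcp", "out"),
    ("10.0.0.9", 49153, "203.0.113.30", 8080, "tcp", "out"),
]

def classify(ip, flows):
    """Return 'reflector', 'bot', 'c2' or 'unknown' for one listed IP."""
    inbound = [f for f in flows if f[0] == ip and f[5] == "in"]
    outbound = [f for f in flows if f[2] == ip and f[5] == "out"]
    # Reflected traffic: inbound UDP whose *source* port is an amplification
    # service and whose destination port is ephemeral (the spoofed victim's).
    reflected = [f for f in inbound
                 if f[4] == "udp" and f[1] in REFLECTOR_PORTS and f[3] >= 1024]
    if inbound and len(reflected) / len(inbound) > 0.8:
        return "reflector"
    # Beaconing: our internal hosts initiate connections *to* the listed IP.
    if outbound and not inbound:
        return "c2"
    # Direct flood: the listed IP itself initiates flows from ephemeral ports.
    if inbound and all(f[1] >= 1024 for f in inbound):
        return "bot"
    return "unknown"

ACTIONS = {
    "reflector": "do not blocklist (the IP is a victim too); rate-limit inbound "
                 "UDP from the abused service port and notify its operator",
    "bot": "block or rate-limit inbound traffic from the IP at the edge",
    "c2": "block outbound connections and hunt the internal hosts that reached it",
    "unknown": "hold for analyst review; take no automated action",
}

def triage(indicator_ips, flows=FLOWS):
    """Map every listed IP to (role, action); the action differs by role."""
    return {ip: (r, ACTIONS[r]) for ip in indicator_ips for r in [classify(ip, flows)]}
```

Feed `triage()` the raw IP list from an advisory together with your own flow data; an IP with no observed traffic stays "unknown" rather than being blocked on sight.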
This is not the first time the cybersecurity community has criticized a joint report from the FBI and the DHS. The report released late last year on GRIZZLY STEPPE activity, better known as Cozy Bear (APT29) and Fancy Bear (APT28 and Pawn Storm), failed to demonstrate that Russia was behind the U.S. election hacks.