Information Assurance


Edd Hardy (on the Telegraph website) speculates on the cause of the South Korea attack.

by Shannon Simpson | Mar 22, 2013

CNS' Edd Hardy, Penetration Testing Team Manager and Cyber Security expert, recently appeared on the Telegraph website to speculate on the source of the recent hacks against South Korea.

Edd follows up on this with the blog below:

In recent days we have seen a lot of publicity about the computer problems in South Korea. The media quickly started talking about the attacks coming from North Korea and it being state-sponsored cyber warfare.



It's important to say at this stage that very little information is actually available; most of it is simply speculation. The current understanding of the situation is that six organisations in South Korea were attacked and that the attack was a virus. According to several sources quoted by the media, the malicious code overwrites the MBR on the disk. The MBR is the Master Boot Record, a type of boot sector; effectively it contains information about how the disk is split up. Without it, when the computer boots it won't be able to do anything, as it won't know where anything is. So in the case of this attack, once the code has been injected and the computer rebooted, it won't be able to boot up, and therefore nothing will work.
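The MBR layout described above, as an added Python example that is not part of the original post: it parses a constructed 512-byte boot sector into its four partition-table entries, checks the 0x55AA boot signature, and flags a sector that has been overwritten, which is the check a defender would run against a stored baseline hash. All sample bytes and the overwrite simulation are constructed here, not taken from any real disk or malware.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

MBR_SIZE = 512
PART_TABLE_OFFSET = 446       # the partition table occupies the last 66 bytes
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of an intact MBR

@dataclass
class PartitionEntry:
    bootable: bool
    type_code: int    # 0x00 means the entry is unused
    lba_start: int
    sector_count: int

def parse_mbr(sector: bytes) -> Optional[List[PartitionEntry]]:
    """Return the four partition entries, or None if the sector is not an intact MBR."""
    if len(sector) != MBR_SIZE or sector[510:512] != BOOT_SIGNATURE:
        return None
    entries = []
    for i in range(4):
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFFSET + i * PART_ENTRY_SIZE)
        entries.append(PartitionEntry(status == 0x80, ptype, lba, count))
    return entries

def looks_wiped(sector: bytes) -> bool:
    """True when the boot signature is gone or no partition entry is in use."""
    entries = parse_mbr(sector)
    return entries is None or all(e.type_code == 0 for e in entries)

def fingerprint(sector: bytes) -> str:
    """Hash to record as a baseline and compare against on later reads of sector 0."""
    return hashlib.sha256(sector).hexdigest()

def build_sample_mbr() -> bytes:
    """Constructed sample: one bootable NTFS-type (0x07) partition starting at LBA 2048."""
    sector = bytearray(MBR_SIZE)
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

def simulate_overwrite(sector: bytes, filler: bytes = b"\x00") -> bytes:
    """Model the effect described in the post: the whole sector replaced with filler bytes."""
    return (filler * MBR_SIZE)[:MBR_SIZE]
```

Reading sector 0 of a real disk into `parse_mbr` requires administrative rights and the platform's raw-device path; comparing its `fingerprint` against a stored value is the simplest integrity check for this kind of damage.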


A number of media sources are now reporting that the IP addresses associated with the attack have come from China. However, it's really important to note that this really means nothing: only an idiot would attack someone from their own address. An attacker will use proxy servers to relay their attacks, and a good attacker will string together a chain of these servers so it becomes very hard to trace them. Each time you find one you have to trace it back to another, and as they are frequently in different countries with different legal systems it can be very complex, expensive and often impossible to trace the actual origin of the attack.


In today's world it is likely and expected that all governments will have the technical skill to both attack and protect themselves; as everything is connected to the internet this seems entirely logical. A number of governments, such as the USA, openly talk about having, and being prepared to use, offensive cyber attacks. In fact there is already a manual about how to conduct cyber warfare, The Tallinn Manual on the International Law Applicable to Cyber Warfare, a sort of Geneva Convention for hacking countries. Interestingly, it identifies systems that should not be targeted, e.g. medical systems or systems used for humanitarian reasons.


What is particularly interesting is the willingness to blame North Korea. North Korea is a very restricted state with very limited access to computers and very, very limited access to the internet. Given this, it would be surprising if the attack originated from North Korea and was not sanctioned. However, South Korea is one of the world's most connected countries, with a very high level of access to the internet. The comparison is interesting: if you were the technologically open society, would you admit to being hacked by your neighbours from the North, with very little experience or connectivity? If North Korea was behind the attacks it would be interesting to know whether they performed it themselves or simply subcontracted to groups on the internet who have the capability (and there are lots of hackers for hire).


The key point to take from this is not that governments have this capability or that they will use it; that's no surprise to anyone. It's that the defence is the same regardless of whether the attacker is a government, organised crime, terrorists, vigilante hacker groups or just bored kids. Frankly it is irrelevant who has done it; the fact is it's been done, and it could probably have been avoided through simple security practices. Security is about simplicity: it's about keeping things simple and doing them properly. It's about making sure that you update and patch systems, that you build them to a secure standard, that you have good policies in place, that you have antivirus and spam filtering, and that you teach your users about security and that they should be suspicious.


It's likely the origin of the attack will never be fully understood or disclosed, but it doesn't really matter. What does matter is that we are utterly dependent on the interconnected computers in our lives and that a huge number of them are vulnerable to attack. Instead of spending the time blaming each other we should be securing them. It's not rocket science; we know how to do it, we just have to actually do it.