Lawmaker Wants ‘Show of Force’ Against North Korea for Website Attacks | Threat Level | Wired.com by Decius at 8:06 am EDT, Jul 11, 2009
Rep. Peter Hoekstra (R-Michigan), the lead Republican on the House Intelligence Committee,
is totally incompetent (clears throat) said the U.S. should conduct a “show of force or strength” against North Korea for a supposed role in a round of attacks that hit numerous government and commercial websites this week. Hoekstra, speaking on the conservative America’s Morning News radio show, produced by the Washington Times newspaper, said that “some of the best people in America” had been investigating the attacks and concluded that most likely “all the fingers” point to North Korea as the culprit. They’re reaching the conclusion that this was a state act and that “this couldn’t be some amateurs,” claimed Hoekstra, in direct opposition to what security experts have actually been saying.
My professional opinion is that it's extremely unlikely that this was state sponsored.
He added that North Korea needed to be “sent a strong message.” “Whether it is a counterattack on cyber, whether it is, you know, more international sanctions . . . but it is time for America and South Korea, Japan and others to stand up to North Korea or the next time . . . they will go in and shut down a banking system or they will manipulate financial data or they will manipulate the electrical grid, either here or in South Korea,” Hoekstra said. “Or they will try to, and they may miscalculate, and people could be killed.”
I hope we can conclude that statements these guys make on pundit radio shows are not intended to be taken seriously.
RE: Lawmaker Wants ‘Show of Force’ Against North Korea for Website Attacks | Threat Level | Wired.com by skullaria at 11:44 am EDT, Jul 11, 2009
I read....86 IPs from 18 countries? This is a cyberwar? What about propaganda for the Rockefeller cybersecurity legislation? I know, I've slipped into paranoia. It seems to be the place that makes the most sense to me.
RE: Lawmaker Wants ‘Show of Force’ Against North Korea for Website Attacks | Threat Level | Wired.com by Decius at 9:53 am EDT, Jul 12, 2009
skullaria wrote: I read....86 IPs from 18 countries?
It's more, but... What about propaganda for the Rockefeller cybersecurity legislation?
I didn't think about it, but you're exactly right. They are certainly leveraging it that way, even if they didn't create it. It's a strange attack - NK wouldn't have done something this silly. It looks like something a teenager would have done - but I also don't think there are a lot of fan boy hackers who think NK is cool and want to support their interests. You see Islamist stuff like that, but generally speaking people in NK don't have Internet access. It's possible that there are people in SK who think NK is cool. I've never run into that but I guess such a subculture wouldn't be completely surprising. However, on many levels your theory makes more sense. In particular, I don't think an NK fanboy would have been savvy enough to do it on the 4th of July at the same time as an NK missile launch - it was too well timed. The implications of this are disturbing.
RE: Lawmaker Wants ‘Show of Force’ Against North Korea for Website Attacks | Threat Level | Wired.com by Rattle at 12:02 pm EDT, Jul 12, 2009
Decius wrote: skullaria wrote: I read....86 IPs from 18 countries?
It's more, but... What about propaganda for the Rockefeller cybersecurity legislation?
I didn't think about it, but you're exactly right. They are certainly leveraging it that way, even if they didn't create it. It's a strange attack - NK wouldn't have done something this silly. It looks like something a teenager would have done - but I also don't think there are a lot of fan boy hackers who think NK is cool and want to support their interests. You see Islamist stuff like that, but generally speaking people in NK don't have Internet access. It's possible that there are people in SK who think NK is cool. I've never run into that but I guess such a subculture wouldn't be completely surprising. However, on many levels your theory makes more sense. In particular, I don't think an NK fanboy would have been savvy enough to do it on the 4th of July at the same time as an NK missile launch - it was too well timed. The implications of this are disturbing.
Be wary of seeing conspiracy within actions that can be explained by idiocy, especially when it comes to Congress. Of course there are members of Congress trying to leverage this to reinforce their points. Does anything ever happen that isn't used by some member of Congress to "prove" they are right about something? Hoekstra seems to have used it to "prove" he is a hawk on the DPRK. I didn't review everything from the news conference, but I didn't hear anything said about the Rockefeller bill or any other piece of legislation. Just the obligatory "we've got to do something!" And either way, the whole situation appears to have hit the news cycle with a thud. There is no active media attention. In the long-term, it's going to be hard to use this in an alarmist way, because when reviewing past events the actual analysis stands out, as opposed to the one news conference where a lawmaker declared "this couldn’t be some amateurs".
As far as the actual attack goes.. In your thoughts above, you only seem to be addressing ideology as a motivator. Money is the more common driver when a state sponsors actions. I don't see anything that rules out DPRK sponsorship. However, I don't see anything that indicates it either. The pedigree of the malware used doesn't rule out a skilled/experienced actor either. If you are going to launch an offensive information operation, you wouldn't use your newest most rad tool first. Going straight for your best tools devalues the asset by exposing it to analysis and detection. You'd use the oldest most exposed tool that can still be effective in achieving your goal.
I still haven't seen enough information to make a determination about anything. Idiot teenage hacker? Idiot teenage hacker getting pumped money from somewhere? Skilled attacker getting pumped money and using old tools to appear like an idiot teenage hacker? Who knows... I'd be interested in knowing how long the majority of the machines in the botnet had been infected. Was this an old botnet? Fairly new infections? Was there anything about the command hosts that connected the incident to others? Answers to some of these questions could move the indicator one way or the other..
RE: Lawmaker Wants ‘Show of Force’ Against North Korea for Website Attacks | Threat Level | Wired.com by Decius at 6:35 pm EDT, Jul 12, 2009
Rattle wrote: The pedigree of the malware used doesn't rule out a skilled/experienced actor either. If you are going to launch an offensive information operation, you wouldn't use your newest most rad tool first. Going straight for your best tools devalues the asset by exposing it to analysis and detection. You'd use the oldest most exposed tool that can still be effective in achieving your goal.
I agree with most of what you are saying, with the exception of this. Basically, if you were competent you'd use something that isn't detected by every A/V on the planet, because it's easy to do that (there are off the shelf tools that do it) and it would increase the effectiveness of your attack by infecting a larger number of hosts. That means this attacker either wasn't interested in being as effective as they could be, or they weren't very experienced/capable. Most experts are assuming the latter (see what Wired is reporting). A point for teenagers.
It's notable that the worm destroys the computers it infects and includes a message about Independence Day. It's rare that worms destroy the computers they infect, because the attacker wishes to continue to use the botnet to launch future attacks - infected controlled hosts are a valuable thing to have if you like to launch DDOS attacks. This whole thing was orchestrated for this particular attack, and the attacker had no interest in launching future attacks of this sort. A point against teenagers.
There are lots of people who have a political or economic interest in influencing US policy who aren't intelligence agencies and may not necessarily have access to the most sophisticated technical capabilities. I don't think the North Korea angle adds up because I think North Korea wouldn't bother launching DDOS attacks, and if they did, they'd want to demonstrate technical proficiency. Conficker, for example, is the sort of thing that looks like a professional operation that genuinely disturbs security experts. This only disturbs non-experts - it's the kind of thing that would scare politicians but not professionals. Perhaps it was intended that way.
RE: Lawmaker Wants ‘Show of Force’ Against North Korea for Website Attacks | Threat Level | Wired.com by Rattle at 1:00 pm EDT, Jul 13, 2009
Decius wrote: I agree with most of what you are saying, with the exception of this. Basically, if you were competent you'd use something that isn't detected by every A/V on the planet, because it's easy to do that (there are off the shelf tools that do it) and it would increase the effectiveness of your attack by infecting a larger number of hosts. That means this attacker either wasn't interested in being as effective as they could be, or they weren't very experienced/capable. Most experts are assuming the latter (see what Wired is reporting). A point for teenagers. It's notable that the worm destroys the computers it infects and includes a message about Independence Day. It's rare that worms destroy the computers they infect, because the attacker wishes to continue to use the botnet to launch future attacks - infected controlled hosts are a valuable thing to have if you like to launch DDOS attacks. This whole thing was orchestrated for this particular attack, and the attacker had no interest in launching future attacks of this sort. A point against teenagers. There are lots of people who have a political or economic interest in influencing US policy who aren't intelligence agencies and may not necessarily have access to the most sophisticated technical capabilities. I don't think the North Korea angle adds up because I think North Korea wouldn't bother launching DDOS attacks, and if they did, they'd want to demonstrate technical proficiency. Conficker, for example, is the sort of thing that looks like a professional operation that genuinely disturbs security experts. This only disturbs non-experts - it's the kind of thing that would scare politicians but not professionals. Perhaps it was intended that way.
If it is teenagers, the long-standing "don't destroy the computer" line is disturbing to see crossed. Given the amount of malware we have floating around these days, if even 10% of it destroyed the host, we'd have computers rolling over at a rate many would find alarming. But in the end, that would probably be a good thing for computer security in general. Many organizations that don't take infection as seriously as they should would suddenly get very serious about it.
Since my reply, the South Koreans are claiming that they have intelligence that the DPRK was behind it. I'm not sure what to make of that. They blame everything on the north. However, they could have something.
RE: Lawmaker Wants ‘Show of Force’ Against North Korea for Website Attacks | Threat Level | Wired.com by skullaria at 4:38 pm EDT, Jul 12, 2009
The other thing I noticed is it was 'timed' to coincide exactly with a big east coast Gartner conference. Gartner is big with the govt. Not sure why, like THEY have some special insight. lol Now we all know how travel goes, so I bet this one was the one that the govt. East coast - VA, DC, NJ etc., would have been hopping to. I noticed just from my Twitter feed that several friends were going - it seemed to be well attended. So was it timed to coincide with the absence of top security consultants/experts/CIO/CTOs? Oh, and don't put ANYTHING past Rockefeller. Anything. Remember, he said he wished the Internet had never been invented? Wonder why it pains him so? bleh. I do not trust him. I can't help it, I'm a black hat thinker if there ever was one.