MANDIANT Breaking News Analysis: Disruption in the Pacific Rim

Recent hack attacks denying access to a number of South Korean and U.S. government agency web sites and financial institution web sites provide an opportunity to examine the fundamental differences between disruptive, attention-grabbing attacks and state-sponsored cyber attacks.

In our always-on, breaking news culture, jumping the gun on the intent and origins of an attack can put geopolitical relationships at risk. The job of the media is to deliver facts that can be verified, and support its news content with insight, expertise and speculation from industry sources on what transpired and who might be responsible.

In the case of the U.S. and South Korean web site denial of service attacks, it took less than 24 hours for the world media to independently confirm, and largely dispel, reports that this particular spate of attacks was 'state-sponsored' by the North Korean government or its sympathizers, after reports to the contrary had dominated the headlines in Asia the preceding night.

In an interview with Reuters, MANDIANT Executive Vice President Michael Malin outlined the following differentiators between spot attacks committed to disrupt and gain attention, and state-sponsored cyber-attacks conducted with deeper scale and intent. Malin's view was corroborated by other industry research and opinions:

  1. Sophistication

    Low-tech attacks, Distributed Denial of Service (DDoS) for example, were more commonplace in the late nineties. They feature less sophistication, greater disruption and are designed to make a point, grab attention or feed into a hacker's notoriety and ego.

    State-sponsored attacks, commonly known in government circles as the Advanced Persistent Threat (APT), are far more sophisticated and perpetual in nature. These attacks are intricate and complex, and involve a consistent attack stream backed by a marked increase in human and technology resources, keeping the target constantly in a reactive position.

  2. Anonymity

    Home-grown, low-tech cyber-crime is more likely to be detected eventually and unearthed through traditional criminal investigation and forensic analysis. In many instances, these hackers operate in small clusters or individually, and enjoy the limelight of their acts, including being brought to justice.

    State-sponsored cyber-crime is more mysterious, typically conducted under the mainstream radar, highly covert, and targeted at government, energy, financial services or other critical infrastructure. These conspirators are backed by governments or regimes, and identified more as state-sponsored organizations rather than individuals.

  3. Sensitivity

    Very simply, applying the same characteristics and profile types used for serial cyber-offenders: was the crime specific to the compromise of classified or confidential information, or was it focused more on creating spot havoc and high-profile disruption?

  4. The MANDIANT view:

    This attack appeared to be more of a denial of service attack rather than the traditional state-sponsored act. In our experience, state-sponsored actors fly under the radar to either gain access or steal information versus denying or degrading a service.

    By better understanding the scope, profile and motives of cyber criminals, we can more effectively identify, anticipate and remediate the crimes they commit.

    MANDIANT continues to address the Advanced Persistent Threat, finding evil and solving crime for some of the most critical government organizations and high-value commercial enterprises.

    For more in-depth coverage on the South Korea/US web site denial of service attacks, including commentary from MANDIANT Executive Vice President Michael Malin, access the following story from Reuters: http://www.reuters.com/article/newsOne/idUSTRE5680CC20090709