The July 2009 cyberattacks were a series of coordinated

cyberattack A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, or personal computer devices. An attacker is a person or process that attempts to access data, functions, or other restricted ...

s against major government, news media, and financial websites in

South Korea South Korea, officially the Republic of Korea (ROK), is a country in East Asia, constituting the southern part of the Korea, Korean Peninsula and sharing a Korean Demilitarized Zone, land border with North Korea. Its western border is formed ...

and the

United States The United States of America (U.S.A. or USA), commonly known as the United States (U.S. or US) or America, is a country primarily located in North America. It consists of 50 states, a federal district, five major unincorporated territorie ...

. The attacks involved the activation of a botnet—a large number of hijacked computers—that maliciously accessed targeted websites with the intention of causing their servers to overload due to the influx of traffic, known as a

DDoS In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host A ...

attack. Most of the hijacked computers were located in South Korea. The estimated number of the hijacked computers varies widely; around 20,000 according to the South Korean National Intelligence Service, around 50,000 according to

Symantec Symantec may refer to: *An American consumer software company now known as Gen Digital Inc. *A brand of enterprise security software purchased by Broadcom Inc. Broadcom Inc. is an American designer, developer, manufacturer and global supplier ...

's Security Technology Response group, and more than 166,000 according to a Vietnamese computer security researcher who analyzed the log files of the two servers the attackers controlled. An investigation revealed that at least 39 websites were targets in the attacks based on files stored on compromised systems. The targeting and timing of the attacks—which started the same day as a North Korean short-range ballistic missile test—have led to suggestions that they may be from

North Korea North Korea, officially the Democratic People's Republic of Korea (DPRK), is a country in East Asia. It constitutes the northern half of the Korea, Korean Peninsula and shares borders with China and Russia to the north, at the Yalu River, Y ...

, although these suggestions have not been substantiated. Researchers would later find links between these cyberattacks, the DarkSeoul attacks in 2013, and other attacks attributed to the

Lazarus Group Lazarus Group (also known by other monikers such as Guardians of Peace or Whois Team ) is a cybercrime group made up of an unknown number of individuals run by the government of North Korea. While not much is known about the Lazarus Group, resea ...

. This attack is considered by some to be the beginning of a series of DDoS attacks carried about by Lazarus dubbed "Operation Troy."

Timeline of attacks

First wave

The first wave of attacks occurred on July 4, 2009 ( Independence Day holiday in the United States), targeting both the

and

. Among the websites affected were those of the

White House The White House is the official residence and workplace of the president of the United States. It is located at 1600 Pennsylvania Avenue NW in Washington, D.C., and has been the residence of every U.S. president since John Adams in 1800. ...

The Pentagon The Pentagon is the headquarters building of the United States Department of Defense. It was constructed on an accelerated schedule during World War II. As a symbol of the U.S. military, the phrase ''The Pentagon'' is often used as a metony ...

, the

New York Stock Exchange The New York Stock Exchange (NYSE, nicknamed "The Big Board") is an American stock exchange in the Financial District of Lower Manhattan in New York City. It is by far the world's largest stock exchange by market capitalization of its listed c ...

, the

Washington Post ''The Washington Post'' (also known as the ''Post'' and, informally, ''WaPo'') is an American daily newspaper published in Washington, D.C. It is the most widely circulated newspaper within the Washington metropolitan area and has a large nati ...

, the

NASDAQ The Nasdaq Stock Market () (National Association of Securities Dealers Automated Quotations Stock Market) is an American stock exchange based in New York City. It is the most active stock trading venue in the US by volume, and ranked second ...

, and

Amazon Amazon most often refers to: * Amazons, a tribe of female warriors in Greek mythology * Amazon rainforest, a rainforest covering most of the Amazon basin * Amazon River, in South America * Amazon (company), an American multinational technology c ...

Second wave

The second wave of attacks occurred on July 7, 2009, affecting South Korea. Among the websites targeted were the presidential

Blue House Cheong Wa Dae ( ko, 청와대; Hanja: ; ), also known as the Blue House, is a public park that formerly served as the executive office and official residence of the president of South Korea from 1948 to 2022. It is located in the Jongno distri ...

, the Ministry of Defense, the

Ministry of Public Administration and Security Ministry of Security and Public Administration (MOSPA, Korean: 안전행정부), formerly Ministry of Public Administration and Security (MOPAS), was a ministry of the national government of South Korea. The ministry was in charge of the civil and ...

, the National Intelligence Service and the

National Assembly In politics, a national assembly is either a unicameral legislature, the lower house of a bicameral legislature, or both houses of a bicameral legislature together. In the English language it generally means "an assembly composed of the repre ...

. Security researcher

Chris Kubecka Chris Kubecka is an American computer security researcher and cyberwarfare specialist. In 2012, Kubecka was responsible for getting the Saudi Aramco network back up and running after it was hit by one of the world's most devastating Shamoon cyberat ...

presented evidence multiple

European Union The European Union (EU) is a supranational political and economic union of member states that are located primarily in Europe. The union has a total area of and an estimated total population of about 447million. The EU has often been des ...

and

United Kingdom The United Kingdom of Great Britain and Northern Ireland, commonly known as the United Kingdom (UK) or Britain, is a country in Europe, off the north-western coast of the continental mainland. It comprises England, Scotland, Wales and North ...

companies unwittingly helped attack South Korea due to a

W32.Dozer W3 or W-3 may refer to: * W3 (tram), a class of electric trams built by the Melbourne & Metropolitan Tramways Board * W3, a postcode district in the W postcode area * Apple W3, a wireless chip used in the Apple Watch Series 4. * PZL W-3 Sokół, ...

infections, malware used in part of the attack. Some of the companies used in the attack were partially owned by several governments, further complicating attribution. Siem 6

Third wave

A third wave of attacks began on July 9, 2009, targeting several websites in South Korea, including the country's National Intelligence Service as well as one of its largest banks and a major news agency. The

U.S. State Department The United States Department of State (DOS), or State Department, is an executive department of the U.S. federal government responsible for the country's foreign policy and relations. Equivalent to the ministry of foreign affairs of other nati ...

said on July 9 that its website also came under attack. State Department spokesman Ian Kelly said: "I'm just going to speak about our website, the state government website. There's not a high volume of attacks. But we're still concerned about it. They are continuing." U.S. Department of Homeland Security spokesperson Amy Kudwa said that the department was aware of the attacks and that it had issued a notice to U.S. federal departments and agencies to take steps to mitigate attacks.

Effects

Despite the fact that the attacks targeted major public and private sector websites, the South Korean Presidential office suggested that the attacks were conducted with the purpose of causing disruption, rather than stealing data. However, Jose Nazario, manager of a U.S. network security firm, claimed that the attack is estimated to have produced only 23

megabit The megabit is a multiple of the unit bit for digital information. The prefix mega (symbol M) is defined in the International System of Units (SI) as a multiplier of 106 (1 million), and therefore :1 megabit = = = 1000 kilobits. The megabit h ...

s of data per second, not enough to cause major disruptions. That being said, web sites reported service disruptions for days following the attack. Later, it was discovered that the malicious code responsible for causing the attack, Trojan.Dozer and its accompanying dropper W32.Dozer, was programmed to destroy data on infected computers and prevent the computers from being rebooted. It is unclear if this mechanism was ever activated. Security experts said that the attack re-used code from the

Mydoom mydoom also known as, my.doom, W32.MyDoom@mm, Novarg, Mimail.R, Shimgapi, W32/Mydoom@MM, WORM_MYDOOM, Win32.Mydoom is a computer worm affecting Microsoft Windows. It was first sighted on January 26, 2004. It became the fastest-spreading e-mail worm ...

worm to spread infections between computers. Experts further shared that the malware used in the attack "used no sophisticated techniques to evade detection by anti-virus software and doesn't appear to have been written by someone experienced in coding malware." It was expected that the economic costs associated with websites being down would be large, as the disruption had prevented people from carrying out transactions, purchasing items or conducting business.

Perpetrators

It is not known who is behind the attacks. Reports indicate that the type of attacks being used, commonly known as distributed denial-of-service attacks, were unsophisticated. Given the prolonged nature of the attacks, they are being recognized as a more coordinated and organized series of attacks. According to the South Korean National Intelligence Service, the source of the attacks was tracked down and the government activated an emergency cyber-terror response team who blocked access to five host sites containing the malicious code and 86 websites that downloaded the code, located in 16 countries, including the United States,

Guatemala Guatemala ( ; ), officially the Republic of Guatemala ( es, República de Guatemala, links=no), is a country in Central America. It is bordered to the north and west by Mexico; to the northeast by Belize and the Caribbean; to the east by H ...

Japan Japan ( ja, 日本, or , and formally , ''Nihonkoku'') is an island country in East Asia. It is situated in the northwest Pacific Ocean, and is bordered on the west by the Sea of Japan, while extending from the Sea of Okhotsk in the north ...

and the

People's Republic of China China, officially the People's Republic of China (PRC), is a country in East Asia. It is the world's most populous country, with a population exceeding 1.4 billion, slightly ahead of India. China spans the equivalent of five time zones and ...

, but North Korea was not among them. The timing of the attack led some analysts to be suspicious of North Korea. The attack started on July 4, 2009, the same day as a North Korean short-range ballistic missile launch, and also occurred less than one month after the passage of UN Security Council Resolution 1874, which imposed further economic and commercial sanctions on North Korea in response to an underground nuclear test conducted earlier that year. South Korean police analyzed a sample of the thousands of computers used by the botnet, stating that there is "various evidence" of the involvement of North Korea or "pro-North elements," but said they may not find the culprit. Intelligence officials with the South Korean government warned lawmakers that a "North Korean military research institute had been ordered to destroy the South's communications networks." Joe Stewart, researcher at SecureWorks' Counter Threat Unit, noted that the data generated by the attacking program appeared to be based on a Korean-language browser. Various security experts have questioned the narrative that the attack originated in North Korea. One analyst thinks that the attacks likely came from the United Kingdom, while technology analyst Rob Enderle hypothesizes that "overactive students" may be to blame. Joe Stewart of SecureWorks speculated that attention-seeking behavior drove the attack, though he notes that the breadth of the attack was "unusual." On October 30, 2009, South Korea's spy agency, the National Intelligence Service, named North Korea as the perpetrator of the attack. According to head of the NIS

Won Sei-hoon Won Sei-hoon (born January 31, 1951) is a former South Korean public servant. Born in Yeongju, he obtained a Masters in Urban Administration from Hanyang University. In 2009, he was appointed the 10th Director of the National Intelligence Servi ...

, the organization found a link between the attacks and North Korea via an IP address that the North Korean Ministry of Post and Telecommunications allegedly " asusing on rent (from China)."

References

{{DEFAULTSORT:July 2009 Cyber Attacks 2009 in South Korea 2009 in the United States Cyberattacks 2000s internet outages

Timeline of attacks

First wave

Second wave

Third wave

Effects

Perpetrators

See also

References