Beware of Correlation

“Correlation does not imply causation.” If you’re into “cyberwar”, read and repeat this three times.

When it comes to internet-based attacks, such as the recent DDoS attacks against sites in South Korea and the U.S., questions arise regarding the identity and motivations of those responsible. Because attribution in these cases is difficult, if not close to impossible, speculation based on correlated events tends to overshadow a cautious, evidence-based approach.

This case had all the right ingredients: attacks on South Korean and U.S. governmental sites timed with Independence Day on July 4th, and the availability of a convenient adversary, North Korea, which had test fired short range missiles just a day earlier.

It didn’t take long for North Korea to emerge as the suspect, in part thanks to South Korea’s National Intelligence Service, which told the NYT that the attack “was not a simple attack by an individual hacker, but appears to be thoroughly planned and executed by a specific organization or on a state level.” Rumours of North Korean involvement circulated in the South Korean media. The WP reported on previous reports of a North Korean cyberwarfare unit. Thousands of headlines such as “North ‘ordered crippling cyber-attacks’” and “North Korea launched cyber attacks, says south” later, we were caught up in a cyberwar frenzy.

Taking the “hype-ster” prize was Nicholas Eberstadt, a senior fellow at the American Enterprise Institute:

“The cyber attacks are part of an asymmetric warfare strategy,” says Nicholas Eberstadt, senior fellow at the American Enterprise Institute in Washington. “Part of an effective confrontation with the US war machine would be the ability to disable US information [systems].”

Mr. Eberstadt sees the cyber attacks as an integral component of North Korean testing of atomic devices on May 25 and in October 2006, as well as a recent flurry of tests of missiles that may one day be able to carry nuclear warheads.

“They may look like malicious cyber pranks,” he says, “but the greater purpose is clear. When one looks at the nuclear chessboard, their security is integrally tied to this type of warfare.” In order to launch a nuclear-tipped missile, he says, the North Koreans need a cyber warfare component in their arsenal.

However, I think that at least some of the hype was curtailed thanks to an early and strong sense of caution put forward by some experts. These people saw through the hype and focused on the facts:

Jose Nazario, quoted in the NYT:

“I would call this a garden-variety attack,” said Jose Nazario, manager of security research at Arbor Networks, a network security firm that is based in Chelmsford, Mass… “The code is really pretty elementary in many respects,” he added. “I’m doubting that the author is a computer science graduate student.”

Amit Yoran in the WP:

Yoran: “the North Korean angle should be highly suspect until we have more evidence, which is probably going to take weeks to play out.”

Shadowserver:

First we have seen no evidence to point a finger at North Korea. How could we tell anyway without an extensive investigation and access to all kinds of logs and other data? Unless someone has a lot of extra information, this has to be pure wild speculation as well. Cyberwar? NO way! The term Cyberwar gets thrown around all the time. It’s hard to define and everyone has differing views. However, I would venture to say this is far from what most people would call a Cyberwar. It is a bit closer to Cyber Terrorism but definitely not Cyberwar.

Gunter Ollmann of Damballa:

While a lot of the analysis is still ongoing – and likely to continue long after the public loses interest – I’ve come to the conclusion that this DDoS attack has very little to do with North Korea and only conspiracy theorists could conclude that this is a state-sponsored kick off to cyber-war.

Sure enough, the blame game changed and the UK was fingered as the “source” of the attacks.

Why? Because a Vietnamese security company “gained control” of 2 of the command and control servers and found that the “master” control server had an IP address in a range assigned to the UK. The headlines changed: “British hackers claimed to be behind US and Korean attacks”. Really? Because the IP address of the control server correlated with a range assigned to the UK?

Locating the sources of attacks, both the bots and the C&Cs, based on the geographic location of IP addresses, and fusing that with biased correlations to determine the identity of the attackers, is not a very useful way of understanding internet-based attacks. According to Bkis (the guys who “acquired” two of the C&Cs) there were 166,908 zombies spread across 74 countries, with South Korea, the USA and China being the top three. What about the C&Cs? The dropper connects to three IPs: one each in Germany, Austria and the USA. The malware also connected to IPs in Turkey, the USA, Pakistan, Mexico, Guatemala, Taiwan, Thailand and to newrozfm.com, which is hosted in Turkey.
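To make the point concrete, here is an added example (not code from the original post or from Bkis) that tallies infected hosts and C&C servers by country from a sinkhole-style log and measures how dispersed the infrastructure is. The log lines, the IP ranges and the prefix-to-country table are all constructed for illustration; a real analysis would use a GeoIP database and sinkhole or netflow data. The result shows what the text describes: the bots sit wherever vulnerable machines happen to be, and the C&Cs are spread across unrelated countries, so neither distribution identifies an operator.

```python
"""Tally a botnet's infected hosts and C&C servers by country, to show how
little a geographic breakdown says about who operates the botnet.

Added example; all IPs, log lines and the lookup table are constructed."""

from collections import Counter
import math

# Constructed IP-prefix -> country lookup (stands in for a GeoIP database).
PREFIX_TO_COUNTRY = {
    "203.0.113.": "KR",
    "198.51.100.": "US",
    "192.0.2.": "CN",
    "100.64.0.": "DE",
    "100.64.1.": "AT",
    "100.64.2.": "TR",
    "100.64.3.": "GB",
}

# Constructed sinkhole log: "<timestamp> <role> <ip>" where role is
# "bot" (an infected host checking in) or "c2" (a server the dropper contacted).
SINKHOLE_LOG = """\
2009-07-07T02:00:01Z bot 203.0.113.10
2009-07-07T02:00:02Z bot 203.0.113.11
2009-07-07T02:00:03Z bot 203.0.113.12
2009-07-07T02:00:04Z bot 198.51.100.7
2009-07-07T02:00:05Z bot 198.51.100.8
2009-07-07T02:00:06Z bot 192.0.2.44
2009-07-07T02:00:07Z c2 100.64.0.5
2009-07-07T02:00:08Z c2 100.64.1.5
2009-07-07T02:00:09Z c2 198.51.100.200
2009-07-07T02:00:10Z c2 100.64.2.9
2009-07-07T02:00:11Z c2 100.64.3.1
"""


def country_of(ip):
    """Map an IP to a country code via the constructed prefix table."""
    for prefix, cc in PREFIX_TO_COUNTRY.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def tally_by_country(log, role):
    """Count log entries of the given role ("bot" or "c2") per country."""
    counts = Counter()
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than failing the whole run
        _ts, entry_role, ip = parts
        if entry_role == role:
            counts[country_of(ip)] += 1
    return counts


def share_of_top(counts):
    """Return (country, fraction) for the country with the most entries."""
    total = sum(counts.values())
    cc, n = counts.most_common(1)[0]
    return cc, n / total


def normalized_entropy(counts):
    """How evenly entries are spread over countries: 0.0 means everything is
    in one country, 1.0 means perfectly even across the countries seen."""
    total = sum(counts.values())
    k = len(counts)
    if k <= 1:
        return 0.0
    h = -sum((n / total) * math.log(n / total) for n in counts.values())
    return h / math.log(k)


if __name__ == "__main__":
    bots = tally_by_country(SINKHOLE_LOG, "bot")
    c2s = tally_by_country(SINKHOLE_LOG, "c2")
    print("bots per country:", dict(bots))
    print("C&Cs per country:", dict(c2s))
    print("top bot country and its share:", share_of_top(bots))
    print("C&C geographic spread (0..1):", round(normalized_entropy(c2s), 2))
```

In this constructed data the top bot country is South Korea with half the infections (it is also the target, so victims and "sources" coincide), while the five C&Cs land in five different countries, giving the maximum dispersion score. A high dispersion score is a useful signal that the geography of the infrastructure carries little attribution weight on its own.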

Luckily, none actually were in North Korea.

Geographic correlations are not irrelevant, but one must be cautious about jumping to conclusions. The same can be said for socio-political events that happen to coincide with internet-based attacks. Finally, the “blame your enemy” reaction needs to be treated with an appropriate level of skepticism.
