Cyberattack Was Fine-Tuned to Attract Attention

The cyberattacks that hit government Web sites in the U.S. and South Korea over the past several days were modified to attract the most attention, a security expert noted.

Joe Stewart, director of malware research for the counterthreat unit of SecureWorks Inc., told the Associated Press that the attacks on U.S. government sites appeared to expand after the initial assaults over the holiday weekend failed to generate any publicity.

Rod Beckstrom, former chief of the National Cyber Security Center, a branch of the Department of Homeland Security, called the attacks "annoying behavior" meant to "send a political message."

• Click here to learn how a brute-force cyber attack works.

• Click here to visit's Cybersecurity Center.

• Got tech questions? Ask our experts at's Tech Q&A.

Stewart said the "target list" contained in the program's code only had five U.S. government sites on it on July 5, but were broadened the next day to include non-government sites inside the U.S.

The following day, the South Korean Web sites were added.

"It seems to me they thought the first round wasn't successful ... they felt they weren't getting enough attention because nobody was talking about their attacks," Stewart said.

Beckstrom told Fox News that the attacks were a "nuisance."

"This is more in the graffiti school of cyberattacks," he said. "You know, someone trying to paint nasty messages, break through some windows, and kind of make a mess. It is more of a political statement."

That didn't stop U.S. authorities on Wednesday from strongly suggesting that North Korea was the origin of the attack, although they warned it would be difficult to definitively identify the attackers quickly.

"[It's] a little bit like launching some Scud missiles towards the U.S.," noted Beckstrom. "These are cyber-scuds, very low-tech, but a lot of them, and kind of annoying."

The North Korea link, described by three officials, more firmly connected the U.S. attacks to another wave of cyberassaults that hit government agencies Tuesday in South Korea.

The officials, who spoke on condition of anonymity, said that while Internet addresses have been traced to North Korea, that does not necessarily mean the attack involved the Pyongyang government.

The attack, which targeted dozens of government and private sites, underscored how unevenly prepared the U.S. government is to block such multipronged assaults.

While Treasury Department and Federal Trade Commission Web sites were shut down entirely, others such as the Pentagon and the White House were able to fend it off with little disruption.

South Korean intelligence officials have identified North Korea as a suspect in those attacks and said that the sophistication of the assault suggested it was carried out at a higher level that just rogue or individual hackers.

U.S. officials would not go that far and declined to discuss publicly who may have instigated the intrusion or how it was done.

In an Associated Press interview, Philip Reitinger, deputy under secretary at the Homeland Security Department, said the far-reaching attacks demonstrate the importance of cybersecurity as a critical national-security issue.

The fact that a series of computers were involved in an attack, Reitinger said, "doesn't say anything about the ultimate source of the attack."

"What it says is that those computers were as much a target of the attack as the eventual Web sites that are targets," said Reitinger, who heads DHS cybersecurity operations. "They're just zombies that are being used by some unseen third party to launch attacks against government and nongovernment Web sites."

Targets of the most widespread cyber offensive of recent years also included the National Security Agency, Homeland Security Department and State Department, the Nasdaq stock market and The Washington Post, according to an early analysis of the software used in the attacks.

The Associated Press obtained the target list from security experts analyzing the attacks. They provided the list on condition of anonymity because they were not authorized to discuss the investigation.

Other experts in cyberassaults said the incident shined a harsh light on the U.S. government's efforts to protect all of its agencies against Web-based attacks.

James Lewis, a senior fellow at the Center for Strategic and International Studies, said that the fact that both the White House and Defense Department were attacked but didn't go down points to the need for coordinated government network defenses.

"It says that they were ready and the other guys weren't ready," he said. "We are disorganized. In the event of an attack, some places aren't going to be able to defend themselves."

The wave of cyberassaults are known as "denial of service" attacks. Such attacks against Web sites are not uncommon and are caused when sites are so deluged with Internet traffic that they are effectively taken off-line.

Mounting such an attack can be relatively easy and inexpensive, using widely available hacking programs, and they become far more serious if hackers infect and tie thousands of computers together into "botnets."

The cyberassault on the White House site had "absolutely no effect on the White House's day-to-day operations," said spokesman Nick Shapiro. He said that preventive measures kept stable and available to the general public but that Internet visitors from Asia may have experienced problems.

All federal Web sites were back up and running, Shapiro said. A State Department spokesman said the agency's site was up but still experiencing problems. A Web site for the U.S. Secret Service had experienced access problems but did not crash, the agency's spokesman said.

The cyberattack did not appear, at least at the outset, to target internal or classified files or systems, but instead aimed at agencies' public sites, creating a nuisance both for officials and the Web consumers who use them.

Ben Rushlo, director of Internet technologies at Keynote Systems, said problems with the Transportation Department site began Saturday and continued until Monday, while the FTC site was down Sunday and Monday.

Keynote Systems is a mobile and Web site monitoring company based in San Mateo, Calif. The company publishes data detailing outages on Web sites, including 40 government sites it watches.

According to Rushlo, the Transportation Web site was "100 percent down" for two days, so that no Internet users could get through. The FTC site, meanwhile, started to come back online late Sunday, but even on Tuesday Internet users still were unable to get to the site 70 percent of the time.

Dale Meyerrose, former chief information officer for the U.S. intelligence community, said that at least one of the federal agency Web sites got saturated with as many as 1 million hits per second per attack — amounting to 4 billion Internet hits at once.

He would not identify the agency, but he said the Web site is generally capable of handling a level of about 25,000 users.

Meyerrose, who is now vice president at Harris Corp., said the characteristics of the attack suggest the involvement of between 30,000 to 60,000 computers.

The widespread attack was "loud and clumsy," which suggests it was carried out by an unsophisticated organization, said Amit Yoran, chief executive at NetWitness Corp. and the former U.S. government cybersecurity chief. "This is not the elegance we would expect from sophisticated adversaries."

Officials agreed, however, that the incident brings to the forefront a key 21st century threat.

"It tells you that cyber attacks are real. It's a very serious problem and one of the more serious facing us, along with terrorism, and China and Russia are the main threats," said Rep. Dutch Ruppersburger, D-Md., who was briefed on the incident.

Fox News' Greta Van Susteren and the Associated Press contributed to this report.