Inside Cyber Warfare - Jeffrey Carr [54]
The master server was owned by a legitimate British company, Global Digital Broadcast. When it was contacted by its Internet provider, CRI, as well as the UK’s Serious Organized Crime Agency, it investigated further and discovered that the master server was not in the UK after all. It was in Miami, Florida, on a server that belonged to Global Digital’s partner, Digital Latin America (DLA).
The DLA Miami office connects with Global Digital’s Brighton office by way of a virtual private network (VPN), which made it appear as though the master server was in Britain instead of in the United States. An official statement from DLA said that viruses were found on the Miami server, but details on what kind of viruses were not forthcoming.
So once again, as was seen in the case of the StopGeorgia.ru forum, a key component of a malicious attack was hosted not inside the borders of a known adversary but within the United States itself.
This phenomenon has not been adequately addressed or even considered in any of the legal arguments that I have read that make the case for a preemptive first strike or even a nuclear deterrent against the initiators of a cyber attack.
As you’ll learn more about in Chapter 8, in 2008, 75% of the C&C servers controlling the world’s largest botnets were hosted by a company in Northern California, which was formed by members of Russian organized crime. This is just one example of how cyberspace is radically changing the threat environment into one never before seen by senior military leadership in any nation.
BKIS concluded its report with an assessment of the size of the botnet, which was far larger than any other estimate issued since the attack began. Symantec estimated 50,000 bots, and the ROK government estimated 20,000. However, BKIS used its own formula and determined that this botnet consisted of 166,908 bots scattered across 74 different countries. The top 10 countries involved were, in order, the ROK, the United States, China, Japan, Canada, Australia, the Philippines, New Zealand, the United Kingdom, and Vietnam.
The Botnet Versus the Malware
Whereas the botnet showed a relatively high degree of sophistication, the malware was amateurish in comparison:
It was based on the code base of a very old virus—MyDoom.
It appeared to be a patchwork of scripts rather than any custom coding, so it was most likely done by someone who is not a coder.
There was no attempt made to avoid AV signatures.
There is some evidence that either it was written to target Korean-language systems or the author used a Korean-language email template.
There was a lot of discussion within the PGG network about possible culprits, but a consensus was never reached. One thing that most investigators agreed on, however, was that the person who created the botnet was not the same person who cobbled together the virus.
Another hypothesis was the possible involvement of organized crime, at least on the botnet side. That theory fell out of favor once it was revealed that the botnet contained a self-destruct feature, suggesting it might have been specifically set up to perform only this task or modified after it was acquired.
PGG investigators also explored the possibility that the botnet was acquired by a state from members of organized crime in an exchange for favors. This would protect the state by maintaining plausible deniability and misdirection.
In this scenario, the state brings in its own technologists to make some modifications and deliver the payload, which was purposefully cobbled together from a five-year-old virus to propel the misdirection strategy