Was North Korea’s Bureau 121 Hacking Group Behind Internet Attacks?

Experts warn that massive cyberattacks that knocked websites like Twitter and Reddit offline in October may be a precursor to a "cyber atomic bomb." Creative Commons/ Composite

The massive cyberattacks that knocked websites including Twitter, Reddit and The New York Times offline Friday may be a precursor to a “cyber atomic bomb,” experts have warned.

The Department of Homeland Security is currently investigating the attacks on Domain Name System (DNS) provider Dyn, whose systems support major websites and online services, though the perpetrators remain a source of speculation. So far, suspects have ranged from state-backed attackers to rogue hackers claiming allegiance to WikiLeaks founder Julian Assange.

The cyberattacks are the latest in a series of major distributed denial of service (DDoS) attacks, in which a target is flooded with traffic from many sources at once until it can no longer answer legitimate requests. Several security experts believe the attacks are tests designed to probe for weaknesses in internet infrastructure ahead of a much larger attack.
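As an added illustration (not part of the original article, and not Dyn's or any vendor's code), the following Python script runs a simple volume detector over a constructed DNS query log. The hosts, query names and thresholds are made up for the example. It shows why the "distributed" part matters: the aggregate spike is obvious, but because each compromised device sends very little, a per-source rate limit never fires, whereas the same volume from a single host is caught immediately.

```python
from collections import Counter, defaultdict

# Constructed sample inputs (not real Dyn data): one query per line,
# "<epoch_seconds> <source_ip> <qname>", using RFC 5737 documentation address ranges.

def make_distributed_flood_log():
    """3 seconds of normal traffic, then 3 seconds in which 200 extra sources each send 1 query/second."""
    lines = []
    for t in range(1000, 1006):
        for i in range(4):                       # background: four recursive resolvers, 1 query/s each
            lines.append(f"{t} 192.0.2.{10 + i} www.example.net")
        if t >= 1003:
            for i in range(200):                 # flood: thinly spread over many compromised hosts
                lines.append(f"{t} 198.51.100.{i} www.example.net")
    return lines

def make_single_source_flood_log():
    """Same background, but the flood comes from one host sending 200 queries/second."""
    lines = []
    for t in range(1000, 1006):
        for i in range(4):
            lines.append(f"{t} 192.0.2.{10 + i} www.example.net")
        if t >= 1003:
            lines.extend(f"{t} 203.0.113.7 www.example.net" for _ in range(200))
    return lines

def parse_line(line):
    ts, src, qname = line.split()
    return int(ts), src, qname

def per_second_stats(lines):
    """Map each second to (total queries, highest count from any single source)."""
    totals = Counter()
    per_src = defaultdict(Counter)
    for line in lines:
        ts, src, _ = parse_line(line)
        totals[ts] += 1
        per_src[ts][src] += 1
    return {t: (totals[t], max(per_src[t].values())) for t in totals}

def detect_flood(lines, baseline_seconds=3, factor=10, per_source_limit=20):
    """Flag seconds whose aggregate volume exceeds `factor` times the baseline average,
    and record whether a naive per-source limit would also have fired for that second."""
    stats = per_second_stats(lines)
    seconds = sorted(stats)
    baseline = sum(stats[t][0] for t in seconds[:baseline_seconds]) / baseline_seconds
    alerts = []
    for t in seconds[baseline_seconds:]:
        total, max_single = stats[t]
        if total > factor * baseline:
            alerts.append({
                "second": t,
                "total": total,
                "max_single_source": max_single,
                "caught_by_per_source_limit": max_single > per_source_limit,
            })
    return alerts

if __name__ == "__main__":
    for name, log in [("distributed", make_distributed_flood_log()),
                      ("single-source", make_single_source_flood_log())]:
        for alert in detect_flood(log):
            print(name, alert)
```

In the distributed scenario every flagged second carries 204 queries but no source sends more than one, so `caught_by_per_source_limit` is false throughout; in the single-source scenario the same 204 queries come from one address and the per-source check fires. Real mitigation therefore has to work on aggregate capacity (anycast, upstream scrubbing, traffic shaping), not on blocking individual senders.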

“The attacks are slowly escalating, similar to the way America developed the atomic bomb,” cybersecurity veteran John McAfee, who created the eponymous antivirus computer software, tells Newsweek. “They will analyze this attack and come back later with a more serious attack.

“I believe that this attack was the harbinger of near-future attacks that will be much more devastating. I believe the smaller prior attacks served to identify weaknesses in the internet’s infrastructure. Clearly there are weaknesses. Anticipate that these will be exploited in a big way.”

The latest DDoS attack utilized traffic from devices compromised by malware known as Mirai, which controls tens of millions of internet-connected devices—such as webcams, baby monitors and smart devices—without their owners’ knowledge.

Chinese electronics firm Hangzhou Xiongmai Technology has since recalled some of its devices that it believes were part of the attack; however, many other manufacturers are believed to have produced products vulnerable to Mirai.

Security researcher Bruce Schneier speculates that the DDoS attacks are taking place because “someone is learning how to take down the internet,” though he is unable to point to a culprit.

The group New World Hackers, which has previously claimed responsibility for attacks that took down the BBC website in 2015, said that it is behind the attacks. A member of the collective said the group did it in support of WikiLeaks founder Assange, whose internet was cut by Ecuador last week.

“We used supercomputer botnets and IoT [Internet of Things] botnets,” the group tells Newsweek. “We are testing only; we do not wish to attract the attention of feds. We are doing this for a cause.”

Such claims have been dismissed by several cybersecurity experts, with security researchers from Flashpoint calling the group “imposters.”

McAfee also questioned the group’s assertions, suggesting that a more sophisticated state-backed actor is responsible.

“Info on the dark web says the Bureau 121 is responsible,” McAfee tells Newsweek. “The U.S. and the FBI claim that North Korea’s cyber capabilities are unsophisticated. That’s incorrect, they are extraordinarily sophisticated and organized. As to why? Who knows why? They certainly have no love for America.”

A Department of Homeland Security worker listens to U.S. President Barack Obama talk at the National Cybersecurity and Communications Integration Center, Arlington, Virginia, January 13, 2015. REUTERS/Larry Downing

Little is known about the Bureau 121 hacking group, though a North Korean defector said the agency has around 1,800 members. Previous high-profile attacks attributed to it include the 2014 hack on Sony Pictures ahead of the launch of its movie The Interview.

Considering the satirical nature of The Interview and its farcical portrayal of North Korean leader Kim Jong-un, the motive of the Sony attack was clear. With the latest attacks aimed at U.S. internet infrastructure rather than a single company, the list of potential suspects is much broader.

“Who would do this? It doesn’t seem like something an activist, criminal, or researcher would do,” Schneier wrote in a recent blog post exploring attacks against the internet infrastructure.

“The size and scale of these probes—and especially their persistence—points to state actors. It feels like a nation’s military cybercommand trying to calibrate its weaponry in the case of cyberwar.”