VietNamNet Bridge – The Vietnamese internet security firm BKIS has been accused by the Korea Internet Security Center (KrCERT) of breaching Vietnamese and international rules during its investigation of attacks on US and Korean servers. A BKIS team was the first to trace the attacks to master servers in the UK. BKIS denies it has broken any rules.
[Image: BKIS’ announcement on its blog.]
As reported in Vietnamese newspapers, it is not clear whether the Korean agency’s complaint ‘of serious violations of international law’ relates to BKIS’s public claim that it located the rogue servers that controlled the attacks, or to the methods BKIS used to solve the mystery.
BKIS claims success
BKIS announced on its blog on July 12 that it had identified two servers located in the UK as the source of powerful ‘denial of service’ attacks on websites of the US and South Korean governments. The BKIS feat was reported by newspapers around the world.
“After being requested by the Korean Computer Emergency Response Team (KrCERT), we used a method to trace back the source code of the virus and detected eight C&C servers,” BKIS’ director Nguyen Tu Quang told VietNamNet.
“We attacked them back and after we identified eight slave servers, we seized control of two of them. Through the counterattack, our experts collected useful information for analyzing and defining the master server that controlled the attacks on the websites of the South Korean and American governments. This master service has an IP address in the UK”.
BKIS is a unit of Hanoi Institute of Technology (Đại Học Bách Khóa).
Korean agency charges BKIS acted wrongly
On July 16, the Vietnam Computer Emergency Response Team (VNCERT) informed the Hanoi University of Technology that it had received an ‘official complaint’ from its Korean counterpart, KrCERT. Reportedly, Jinhyun Cho of KrCERT said his agency had never requested BKIS to help investigate the attack, as BKIS announced on its blog.
According to Cho, KrCERT only emailed VNCERT, with cc to BKIS, asking for suppression of some IP addresses in Vietnam which, infected with the virus, had joined the denial of service attack on websites in South Korea and the US. KrCERT was independently conducting its research activities and, said Cho, “only gave codes for the denial of service malware after BKIS ‘begged’ for it.”
The KrCERT complaint alleged that the BKIS announcement of attacking and controlling two servers in the UK for analysis is a “serious violation of Vietnamese and international laws,” compounded by the BKIS announcement, which caused the public to misunderstand that KrCERT and APCERT participated in this “illegal activity.”
VNCERT forwarded the KrCERT complaint to the Hanoi University of Technology, asking it to remind BKIS to report to VNCERT when it participates in international computer emergency response activities and to maintain secrecy. It should only provide information to related agencies based on rules agreed by the world network of computer emergency response agencies.
Not guilty! says BKIS
[Image: BKIS describes the "counter-attack" on its blog.]
BKIS Director Nguyen Tu Quang told VietNamNet that an email from KrCERT dated July 10 urgently requested members of the Asia-Pacific network of computer security agencies (APCERT) to help discover the source of the DDoS attack. Thus it is inaccurate to say that KrCERT did not ask for BKIS assistance.
Quang said that Jinhyun Cho did not know how BKIS succeeded in gaining control of two servers in the UK, so Cho’s statement that the BKIS attacks “violated Vietnamese and international rules” is not accurate. He said BKIS “will work with KrCERT about this”.
BKIS research and development director Vu Ngoc Son said that at the time BKIS made the analysis, hacking servers were sending malware to a botnet -- a group of ‘robot servers’ they controlled. BKIS surveyed eight slave servers that participated in the attack and discovered that two servers provided resource-sharing services in the form of a web service.
“This is a perfectly ordinary diagnostic service, which anyone can use,” Son affirmed. “Through it, BKIS acquired information that enabled us to analyze and locate a ninth, master server, that was the commander-in-chief of all the attacks on websites of the South Korean and American governments. This process obeyed Vietnamese and international rules”.
Quang stated that seizing control of two servers used by hackers to launch DDoS attacks “doesn’t require anyone’s permission and anybody can do it”.
On its English language blog, BKIS described its attack to control two foreign servers as follows:
In order to locate the source of the attacks, we have fought against C&C servers and have gained control of 2 in 8 of them. After analyzing the logs of these 2 servers, we discovered the IP address of the master server, which is 195.90.118.xxx. This IP is located in UK. The master server is running on Windows 2003 Server Operating System.
Quang defended his decision to ‘go public’, and explained why BKIS had not reported to VNCERT, by quoting Article 43 of the Vietnamese government’s Decree 64/2007: “In urgent cases which can cause serious incidents or network terrorism, competent agencies have the right to prevent attacks and report to the coordinating agency later”.
“The South Korean and American government websites were attacked and paralysed for nearly ten days but the source of attack was not detected. This was an urgent case, which could threaten the world, including Vietnam,” Quang said.
“BKIS was allowed to hunt the source of attacks and report to the coordinating agency. We are investigating the case so we haven’t time to report yet. We will perform this task after this job is accomplished”.
Hai Phuong – Huy Phong