■ Response Timeline of INCA Internet to the DDoS Attacks
Chong Hyun Mun, manager of the Security Response Team, had just gotten home on July 7th, 2009, spent some time with his barely year-old child, and decided to use the PC one last time before going to bed.
While reviewing the corporate monitoring situation, Mr. Mun found connection errors occurring on several websites.
At first he thought these were just the usual maintenance issues, but as the situation continued he suspected a complication and went to the office at the break of dawn.
After reviewing the situation at the office, he determined it to be an emergency and sent a summons to the Emergency Response Team.
Dong Hyuk Lee, general manager of the Security Response Center, had to call members of the center to come to the office despite knowing that they had returned home late the previous day.
This is how the so-called “7.7 DDoS Catastrophe”, its causes and origins unknown, began; it would last 3 whole days and 2 long nights.
INCA Internet (http://www.inca.co.kr, http://www.nprotect.com, CEO Young Heum Joo) provides nProtect Netizen and nProtect KeyCrypt, PC security programs that protect those who connect to the websites of Financial Institutions and Government Institutions. It is a small but powerful “hidden champion” company with yearly sales of around 10 million USD, and has received the Prime Minister Award and the Jang Yeoung-Sil Award.
INCA Internet contributed to the response to this cyber attack by providing an Emergency Treatment Tool specialized for the attack free of charge, and by detecting the malware that destroys the PC and sends mass spam mails.
INCA Internet CEO, Young Heum Joo, said he was “on a business trip in the China branch of INCA when the situation first occurred, but after realizing the seriousness of the situation, hurried back to Korea.
Trusting that the Emergency Treatment Tool specialized for the situation could be provided by other security companies promptly, I decided that the best thing we could do was to order an update to nProtect Netizen so that it could repair the malware-infected PCs of the visitors to the Financial and Public Institution websites.” He also added that “In a situation like this, we had to fix as many zombie PCs as fast as possible, and the best way we could do that was by updating nProtect Netizen, which is used by millions of people daily, to include the latest protection.”
INCA Internet’s Vice President, Wha Cheol Jang, said “the employees had to take turns in getting 2~3 hours of sleep and continue responding to and analyzing the situation.”
He explained his feelings by adding, “although I felt sorry for our employees, being that the situation was a national security issue and our company being part of the nation’s security of infrastructure and data, I felt it was necessary that our organization did all we could to respond to the situation.”
Being the largest security company in Korea, Ahn Lab might not have such a hard time collecting the needed malware samples, but for INCA Internet, even that was not an easy task.
Maybe the 7.7 DDoS Catastrophe was already forecast. More cyber terror lies ahead of us, and the next attacks may not be just a simple loss of internet connection, but a mass leakage of personal information or a theft of huge sums of money from banks.
But such attacks will always be countered by security technology from companies such as INCA that strive to provide a safer PC environment.
CEO Young Heum Joo concluded by saying, “the problem is that while many people know our product, security is still thought to be an accessory, not a necessity, which leads to the fall in price and the lack of sales.
While in part, the interest in security companies is waning, we believe in and stick to our corporate goal to be an innovative, value-creating company that provides a safer and more enjoyable IT environment, and believe that through providing products corresponding to our goal, our company will have a bright future.”
By Zakk Kim, Manager of Marketing and Planning Team
<INCA Internet Time Log of 7.7 DDoS Catastrophe >
| Time | Content |
|---|---|
| Jul-7-09 11:00 PM | Security Response Center, Chong Hyun Mun finds out about abnormal connection status |
| Jul-8-09 5:47 AM | Security Response Center emergency summons |
| Jul-8-09 8:17 AM | Emergency Response System Level 2 put in place for INCA Internet |
| Jul-8-09 8:21 AM | Korean DDoS attack 1st sample collection complete |
| Jul-8-09 8:49 AM | Korean DDoS attack 1st sample analysis initiation |
| Jul-8-09 8:50 AM | Response Team researchers emergency summon complete |
| Jul-8-09 8:56 AM | Korean DDoS attack 2nd sample collection complete |
| Jul-8-09 9:08 AM | Emergency Security Report registration |
| Jul-8-09 9:11 AM | Korean DDoS attack 2nd sample analysis initiation |
| Jul-8-09 9:47 AM | Emergency situation notification – Verification of website connection failure in 26 sites including Blue House (Korean President) site |
| Jul-8-09 9:48 AM | 1st Emergency update |
| Jul-8-09 10:30 AM | 1st Emergency update complete |
| Jul-8-09 10:34 AM | Mail reception of remote PC support for DDoS attack from company L |
| Jul-8-09 12:12 AM | Preparation of 1st press release data for the situation of the Korean DDoS attack damage |
| Jul-8-09 12:21 AM | Remote PC support service regarding DDoS attack for client company L |
| Jul-8-09 2:46 PM | Collection of mutation sample related to DDoS attack from client company L |
| Jul-8-09 3:54 PM | 3rd Emergency update |
| Jul-8-09 4:20 PM | 3rd Emergency update complete |
| Jul-8-09 5:50 PM | Response Team emergency work system maintained |
| Jul-8-09 6:23 PM | Specialized emergency DDoS tool developed and registered |
| Jul-8-09 6:34 PM | Emergency Response System for INCA Internet put to Level 1 |
| Jul-8-09 6:43 PM | 1st DDoS attack related Analysis Report registered |
| Jul-8-09 8:07 PM | Press release distributed – Damage to major Korean and overseas sites due to DDoS attack (INCA Internet)_2.doc |
| Jul-8-09 8:24 PM | Connection problems found for certain banks |
| Jul-8-09 8:48 PM | 2nd DDoS attack related Analysis Report registration complete |
| Jul-8-09 10:14 PM | Continuous connection problems found for certain banks |
| Jul-9-09 12:12 AM | Collection and analysis of additional mutation samples |
| Jul-9-09 1:06 AM | Distribution of press release – 2nd attack on 16 sites including National Information Service |
| Jul-9-09 1:25 AM | [1st additional symptom found on mutation sample] Independence day message found on DDoS related malware sample |
| Jul-9-09 1:32 AM | [2nd additional symptom found on mutation sample] Physical drive damage found on DDoS related malware sample |
| Jul-9-09 2:18 AM | Emergency update |
| Jul-9-09 2:26 AM | Emergency update complete |
| Jul-9-09 2:41 AM | Development and data registration of specialized DDoS treatment tool |
| Jul-9-09 4:36 AM | Distribution of press release - DDoS attack including damage function (INCA Internet)_2.doc |
| Jul-9-09 6:54 AM | Additional reception of mail related to DDoS |
| Jul-9-09 9:02 AM | DDoS malware massive e-mail attack |
| Jul-9-09 11:55 AM | Cyber terror 3rd attack planned for 6PM |
| Jul-9-09 12:03 AM | Development and registration of specialized DDoS mutation treatment tool |
| Jul-9-09 1:56 PM | Request from Japan regarding currently occurring DDoS attacks |
| Jul-9-09 2:51 PM | 3rd DDoS attack related Analysis Report registration complete (first draft of MBR damaging sample analysis report) |
| Jul-9-09 4:00 PM | Emergency update / Emergency update complete |
| Jul-10-09 12:44 AM | Re-registration of first draft of 3rd DDoS analysis report |
| Jul-10-09 3:20 AM | [Emergency sample collection] Collection of DDoS related sample (KISA) |
| Jul-10-09 4:00 AM | [1st emergency update] 1st emergency update complete |
| Jul-10-09 7:17 AM | [Emergency sample collection] Collection of DDoS related sample (National Cyber Security Center) |
| Jul-10-09 7:30 AM | [Emergency sample detection analysis] Analysis of DDoS attack related sample (National Cyber Security Center) finds two undetected malware |
| Jul-10-09 8:31 AM | Notice of DDoS attack related emergency response instructions |
| Jul-10-09 9:47 AM | Mutated DDoS specialized treatment tool development and registration |
| Jul-10-09 10:10 AM | 2nd emergency update complete |
| Jul-10-09 11:23 AM | Mutated DDoS specialized treatment tool modification and registration |
| Jul-10-09 6:33 PM | Emergency Response System for INCA Internet lowered to Level 3 |
| Jul-11-09 9:01 AM | 5th DDoS attack related Analysis Report registration |