Decoding North Korea’s Cyber Warriors
Governments are combating the threat by scrutinizing the nation’s cyber operations and sharing information on attacks
Monday, November 24, 2014. Employees at Sony Pictures Entertainment headquarters receive a flashing image on their computer screens of a skull, long skeletal fingers and a message: “This is just a beginning. We’ve obtained all your internal data.” Then comes a warning to obey demands or risk having “top secrets” exposed. A week later — amid prerelease publicity for a Sony film called The Interview that mocks North Korean leader Kim Jong Un in a plot calling for his assassination — hackers leak the salaries of studio executives and other proprietary company information.
Wednesday, March 20, 2013. Malware known as “DarkSeoul” spreads across South Korea, crippling computers, news broadcasting servers and financial institutions. The affected broadcasters had previously been identified by North Korea as targets when Kim threatened to destroy government installations in the South.
In March 2011, hackers launched a distributed denial of service (DDoS) attack — dubbed “Ten Days of Rain” by computer security firm McAfee — against South Korean government websites and the United States Forces Korea network. The attack lasted 10 days and then stopped, with the malware destroying itself and the systems it had infected.
North Korea maintains it had zero involvement with the attacks. Digital forensic investigators suggest otherwise.
U.S. Federal Bureau of Investigation Director James B. Comey said that in the Sony case, the hackers unwittingly helped reveal themselves when they got “sloppy.”
“Several times, either because they forgot or they had a technical problem, they connected directly and we could see them. And we could see that the IP [Internet protocol] addresses that were being used to post and to send the emails were coming from IPs that were exclusively used by the North Koreans,” Comey said about threatening emails sent by hackers to Sony employees, according to a January 2015 report by the Financial Times newspaper.
Despite this hacker blunder in the Sony attack, experts say North Korea’s cyber operations have advanced — though detailing to what extent remains a challenge.
“It is difficult to pinpoint exactly how advanced North Korea’s technical capabilities are, given the paucity of available open source analysis,” according to a research report titled “What Do We Know About Past North Korean Cyber Attacks and Their Capabilities?” by independent consultants Jenny Jun, Scott LaFoy and Ethan Sohn. “Certainly, they have evolved beyond rudimentary DDoS attacks against websites they have often resorted to in the past decade, into more targeted, complex and well-organized operations involving several stages of exploitation of a target system or network. They are capable of social engineering, extended advanced persistent threat campaigns and employment of less sophisticated but sufficiently effective malware,” said the December 2014 report, published by the Washington, D.C.-based Center for Strategic and International Studies (CSIS). “Given the rapid rate of improvement in their operational capability, in the future, we may see them trying to work on the types of attacks more destructive and permanent in effect, such as attacks through compromise of supply chains or compromising supervisory control and data acquisition networks.”
At least one expert speculates that North Korea’s cyber operations could rank among the top 10 in the world. That doesn’t mean they have what it takes to execute a sophisticated computer virus, according to James Lewis, director and senior fellow for CSIS’ Strategic Technologies Program. “They’re not going to be able to do the most damaging kind of cyber attack,” Lewis told The Christian Science Monitor newspaper in February 2015.
Governments shouldn’t underestimate them, though. Lewis also noted that North Korea has created a network of state-sponsored black market operations in places such as Japan, Singapore and Malta.
“This gives North Korea another pipeline into the tech world,” Lewis told The Christian Science Monitor. “They have an ability to use Japan, China and this black market.”
The cyber army North Korea has amassed, along with its budding capabilities, can seem inconceivable, particularly when most North Koreans have never seen the Internet, according to experts. Several sources say professional hackers in the North number between 1,000 and 3,000.
“North Korea is emerging as a significant actor in cyberspace with both its military and clandestine organizations gaining the ability to conduct cyber operations,” Jun, LaFoy and Sohn wrote in a September 2015 executive summary published by CSIS and titled, “North Korea’s Cyber Operations: Strategy and Responses.”
The trio of researchers sought to create a comprehensive open source reference material because, in their analysis, little unclassified information existed on North Korea’s cyber operations. They also want to change the public’s perception about attacks linked to North Korea.
“Think about North Korea cyber attacks as not merely isolated incidents but a series of deliberate choices the North Korean government made as part of its larger strategies,” Jun said at CSIS during a discussion of her team’s research. “When we look at how cyber operations are organized, they’re unlikely to be abandoned by the regime in the near future.”
The cyber operations report describes North Korea’s Reconnaissance General Bureau and General Staff Department, the two organizations charged with planning and executing the North’s cyber strategy. Here’s what the report says about each:
Reconnaissance General Bureau (RGB): “The RGB is the primary intelligence and clandestine operations organ known within the North Korean government and is historically associated with peacetime commando raids, infiltrations, disruptions and other clandestine operations, including the 2014 Sony Pictures Entertainment attack. The RGB controls the bulk of known DPRK [Democratic People’s Republic of Korea] cyber capabilities, mainly under Bureau 121 or its potential successor, the Cyber Warfare Guidance Bureau. There may be a recent or ongoing reorganization within the RGB that promoted Bureau 121 to a higher rank or even established it as the centralized entity for cyber operations. RGB cyber capabilities are likely to be in direct support of the RGB’s aforementioned missions. In peacetime, it is also likely to be the more important or active of the two main organizations with cyber capabilities in the DPRK.”
General Staff Department (GSD): “The General Staff Department of the KPA [Korean People’s Army] oversees military operations and units, including the DPRK’s growing conventional military cyber capabilities. It is tasked with operational planning and ensuring the readiness of the KPA should war break out on the Korean Peninsula. It is not currently associated with direct cyber provocations in the same way that the RGB is, but its cyber units may be tasked with preparing disruptive attacks and cyber operations in support of conventional military operations. North Korea’s emphasis on combined arms and joint operations suggests that cyber units will be incorporated as elements within larger conventional military formations.”
LaFoy, a co-author of the cyber operations report, said that piecing together the inner workings of the North’s organizations from the information that has become publicly available is a valuable resource.
“The North Koreans don’t publish their strategies, so we’re left to deduce what they’re planning or opting to do,” LaFoy said. “Looking at organizations like the RGB to see what they’ve been previously associated with, and what they’re associated with now.”
LaFoy said North Korea’s cyber attacks do just enough to upset the natural flow on the Korean Peninsula but stop short of anything that would cause an actual war: “A violent conflict that the North Koreans can neither control nor win,” he said. “Cyber gives them a low risk, low means of chipping away at the status quo without reaching an armed provocation or an armed attack.”
Han Hui, a professor at Seoul Media Institute of Technology, claimed in November 2015 that the North had a cyber attack strategy to paralyze as much as 50 percent of South Korea’s information technology infrastructure.
“North Korea’s goal is to destroy the South Korean leadership by physical, psychological attacks, tying it to cyberattacks, then bringing about wide-scale panic,” Han said, according to news agency United Press International (UPI).
Addressing the threat, Han said, means the South must go beyond creating new institutions or expanding existing ones. It must train South Korean cyber personnel in new skills, he told UPI.
Beyond equipping personnel with training to detect and deter cyber attacks, the CSIS cyber operations report listed four main policy objectives for managing the emerging North Korean cyber threat:
Prepare a graduated series of direct responses targeting North Korea’s cyber organizations.
Curb North Korea’s operational freedom in cyberspace.
Identify and leverage North Korea’s vulnerabilities to maintain strategic balance.
Adopt damage mitigation and resiliency measures to ensure that critical systems and networks maintain operational continuity despite suffering an attack.
Jun stressed that a critical recommendation for all governments calls for continuous cyber defense dialogues regarding North Korea’s cyber capabilities. Open information sharing also has an added benefit, according to Jun and her team. It forces North Korea to change its tactics, techniques and procedures, increasing the cost and risk of each cyber operation.
“Information sharing is real important here,” she said. “The more we share amongst each other what North Korea’s attack methods and tools are, that prepares each defender because it provides a more comprehensive view to the threat and that allows each [nation] to reduce [its] own vulnerabilities themselves.”