Tag Archive | "cyber attack"

Should the Proposed New Cyber Norms Address North Korea?

By Troy Stangarone

Recent news reports have indicated that the United States and China hope to announce an initial code of conduct governing the use of cyber weapons in advance of President Xi Jinping’s summit meeting with President Barack Obama, while President Xi in Seattle stated that he was willing to work with the United States to address cybercrime. Although short of being a treaty, the agreement would represent the first attempt to develop an arms control agreement for cyberspace and could have longer-term implications, including for addressing cyber threats from North Korea.

Unlike nuclear, chemical, and biological weapons, there are no international norms or agreements governing the actions of state actors in cyberspace.  Instead, cyberspace in a sense is a modern version of the Wild West – an ungoverned land of promise. While the internet has changed the way people communicate and shop, it also holds the potential to be weaponized in the case of war between states. However, because damage from cyber attacks is difficult to attribute and disputes exist over what are legitimate forms of espionage through the internet and what crosses the line into belligerency, states have been unable to craft norms for the use of cyber weapons.

As the United States and China begin to shape an informal, and perhaps later formal, understanding of what is and is not acceptable in cyberspace, North Korea should receive special attention in any discussions and ought to be a topic that President Obama raises in his meeting with President Xi. If President Xi is sincere about cooperating with the United States on cybercrime, North Korea is one area where China could play a unique role, as North Korea’s access to the internet primarily runs through China, with a satellite link to Germany sometimes used to boost the connection. It is also believed that Pyongyang’s cyber division, Bureau 121, operates out of China.

While last year’s attack on Sony Pictures and subsequent threats by North Korea to go after theaters that showed “The Interview” are well known, a study of cyber incidents between states from 2001-2011 indicates that after China most come from North Korea. Of the 111 cyber incidents initiated during that period 14 were initiated by North Korea. Ten were against South Korea, three against the United States, and one against Japan. In the case of South Korea, North Korea is believed to have previously attacked South Korea’s banking and media outlets in 2013.

In the cyber discussions between the United States and China, the talks are believed to focus on a code of conduct put forward earlier this year by the United Nations. While the two sides may not embrace all aspects of the UN recommendations, two could potentially apply to North Korea if adopted in the upcoming summit or in future talks. The first deals with the rules and norms of cyberspace and calls for states to “… not knowingly allow their territory to be used for internationally wrongful acts using ICTs.” The second, dealing with confidence building measures, calls on states to “Cooperate, in a manner consistent with domestic and international law, with requests from other States in investigating ICT-related crime or use of ICTs for terrorist purposes or to mitigate malicious ICT activity emanating from their territory.”

These norms and confidence building measures could apply to North Korea in two ways. In regards to norms, the United States and South Korea should encourage China to not allow its territory to be used for “wrongful acts” and to close down Bureau 121’s operations inside China. From the perspective of confidence building measures, it would be a positive step in addressing potential cybercrime if China were to agree to cooperate in investigating suspected North Korean attacks and to shut off North Korea’s access to the internet if there is strong evidence that an ongoing attack is emanating from North Korea.

Of course, even if China were to take these steps, North Korea would have other options for conducting cyber warfare. North Korea also borders Russia, which could provide potential internet access if China were to curtail Pyongyang’s access, and other states, such as Iran, could potentially offer to host North Korean cyber units. However, despite these challenges, steps by the United States and China to develop international norms for conduct in cyberspace could in the long run help to address the problem of North Korean cyber attacks.

Troy Stangarone is the Senior Director of Congressional Affairs and Trade at the Korea Economic Institute of America. The views expressed here are the author’s alone.

Photo from U.S. Embassy The Hague’s photostream on flickr Creative Commons.


North Korea’s Asymmetrical Cyber Threat

By Andrew Haggard

The casual observer may be perplexed by the recent headlines of supposed North Korean hackers effectively bringing Sony Pictures Entertainment’s computer systems to its knees.  How does one reconcile NASA photos and satellite images showing the near-entirety of the northern part of the Korean peninsula in utter darkness with the picture of a savvy North Korean hacker able to bring down one of the world’s largest entertainment companies from behind a computer screen?

In recent years, as noted by Alexandre Mansourov in a paper for KEI, North Korea has “begun to develop its own doctrine of cyber operations, which reflects its growing appreciation of the uses and limits of power in cyberspace and application of cyber power in modern warfare.”  In a 2009 essay for Naval War College Review Kim Duk-ki wrote, “The North perceives cyber- warfare tactics to be as important as WMDs and has concentrated on their development.”  This is an assessment apparently shared by the ROK’s National Intelligence Service.

The growing emphasis by Pyongyang on developing its cyber war doctrine and capabilities is a rational choice for the regime.  South Korea, Japan, and the United States possess superior military technology.  And, in the event of a conventional war, North Korea would face a stiff battle to win despite its numerically superior military.  For North Korea, cyber warfare, along with other asymmetrical forces, permits Pyongyang to inflict serious damage on South Korea, as well as the United States and its allies, while selectively upgrading and investing in its conventional weapons and forces.

Pyongyang is currently estimated to employ in excess of 6,000 cyber warriors based in North Korea, China, Russia, Japan, and elsewhere.  The 6,000 figure marks a 100 percent increase from figures suggested by defectors to al Jazeera in 2011.  In 2013, Seo Sang-ki, the chairman of the South Korean National Assembly’s intelligence committee, reported that Pyongyang had 4,200 cyber warriors in China to support North Korean cyber warfare operations.

South Korea is particularly prone to cyber attacks by Pyongyang.  The extent of the country’s connectedness makes it susceptible to cyber attacks.  According to the UN’s International Telecommunication Union, internet penetration in the ROK was at 84.77 percent in 2013, placing it in the top 25 of the most connected countries.  Information technology research and development (R&D) in South Korea was valued at U.S. $37.9 billion in 2010, which translates to 3.74% of South Korea’s gross domestic product.  By 2010, South Korea’s e-commerce market had grown to nearly eight times its 2001 value, rising to U.S. $645.5 billion.  A wave of attacks against computer systems beginning in March and continuing through June 2013 was estimated to have caused 800 billion won in economic damage to South Korea.

There are numerous reports that North Korean cyber warriors have taken advantage of the South Korean society’s extensive online connectedness and the popularity of internet gaming.  South Korean authorities have repeatedly connected Pyongyang with distributing malware via games and smartphone apps that would allow its cyber warriors to take control of the systems and steal data or launch distributed denial of service, or DDoS, attacks against networks.  Between May and mid-September 2014, some 20,000 smartphones were infected with malware contained within apps.  Media reports stated the malware would enable the hackers to clandestinely eavesdrop and access the cameras on the smartphones.

According to U.S. Department of Defense reports on the threat North Korea poses, Pyongyang has been implicated in malicious cyber attacks and operations since 2009.  Among these attacks are a number of DDoS attacks on South Korean and American networks and websites.  An attack against three major South Korean banks and the country’s three largest broadcasters in 2013 was also later attributed to North Korea by the ROK authorities.  In that attack, the hackers used malware dubbed “DarkSeoul.”  The malware enabled the attackers to effectively shut down critical services and systems, including disabling ATM services and preventing access to client funds.  Analysts at McAfee Labs studied the malware used in a number of attacks against South Korean systems and discovered “that there was more to the incident than what was widely reported.”  McAfee Labs was able to link the malware used in the March 2013 attacks to a “covert espionage operation.” McAfee Labs asserts this is “all based on the same code.” Through analysis of malware deployed in previous attacks, McAfee Labs discovered the malware allowed the attackers to search files on a system for a number of English- and Korean-language military keywords in the title and exfiltrate those files.

Now, the U.S. Government has charged and sought to punish North Korea for the Sony Pictures hack in late 2014.  Some commentators and IT security professionals (even linguists) have challenged the government’s assertion that Pyongyang was responsible for the attack.*  Director of National Intelligence James R. Clapper has personally fingered Kim Yong Chol, the director of the North Korean Reconnaissance General Bureau, as authorizing the campaign against Sony.

In an interview with Fareed Zakaria, Michael Lynton, the CEO of Sony Pictures, claimed, “the FBI and Mandiant, the experts who we brought in, basically said that the malware was so sophisticated that 90 percent of American businesses would have fallen prey to what happened to us.”  This would suggest, assuming the FBI’s assessment for responsibility of the attack is correct, that the DPRK has developed substantial cyber capabilities that could wreak havoc on American businesses, let alone businesses in the ROK.

Given the increasing frequency and sophistication of North Korean state-sponsored hacking attempts, the South Korean government has begun debating its cyber defense approach, including the establishment of a ‘cyber defense control tower.’

The South Korean Ministry of Education, Science, and Technology (MEST) has stepped up to coordinate a plan to recruit, train, and foster cyber security specialists in South Korea to help protect the ROK’s information technology infrastructure.  MEST hopes to have trained 5,000 cyber security experts over the next two years.  The MEST plan is supposed to incorporate the needs of not only the ROK government, but also the private sphere in South Korea, which would provide a more meaningful boost to cyber defense in South Korea.

But, despite the moves to increase South Korean cyber security, the ROK faces a very significant cyber security deficit.  Estimates by the ministry predicted a shortfall of 2,144 cyber security professionals in 2014.  In 2013, the ROK Ministry of Defense had a mere 400 cyber security professionals.  A spokesperson for the defense ministry downplayed the risk posed to military networks.

The United States, by contrast, employed 900 cyber warriors at the Defense Department’s Cyber Command, which is headed by Gen. Keith B. Alexander, who also serves as the NSA director.  The Defense Department alone spends $3 billion on cyber security annually and plans to add 4,000 civilian and military staff to its Cyber Command in the coming years.  But, the danger posed is not simply to strictly military networks, but also to the private sector, particularly financial institutions and defense firms that would be producing the technology, hardware, and munitions used in a possible conflict.  A cyber attack mimicking the one experienced by South Korean firms and Sony could adversely affect communications and manufacturing.

Cyber warfare offers Pyongyang an asymmetrical path to usurp the technological and military superiority of its rivals and enemies, namely the United States, South Korea, and Japan.  As such, the DPRK will very likely continue to develop its asymmetrical capabilities with a significant focus on its cyber warfare capabilities, given the relatively low costs of cyber operations and the deniability it offers, since attribution of cyber attacks is often difficult.  Undoubtedly, cyber intrusions and attacks by the DPRK will become more sophisticated as the North Koreans learn effective cyber attack strategies from their experiences.  The only option is for South Korea and the United States’ public and private sectors to truly get serious about cyber security by developing a multi-layered cyber defense plan, pursuing diplomatic channels to limit cyber espionage, and coordinating public-private approaches to cyber security in order to prevent and mitigate the effects of intrusions.

Andrew Haggard is a blogger and commentator on Korean defense issues. The views expressed here are the author’s alone.

Photo from Fragile Oasis’ photostream on flickr Creative Commons.


* The author is unsure of where blame should lie for the Sony hack, but notes that the FBI specifically noted the tools used in the attack bore resemblance to those used in March 2013 and specifically mentioned “similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks” between the malware used in the latest hack and other cyber attacks attributed to North Korean actors.  This is interesting in light of McAfee Labs’ findings in 2013.


Malware Attacks on Korean News Websites

By Chad O’Carroll

Last week The Daily NK, an online newspaper dedicated to covering North Korea from a human rights perspective, suffered a malware attack.  It was by no means the first malware infection of the site (936 pages infected in the last 90 days alone, according to Google), but comes following a spate of infections on other Korea related news websites. It also occurred following growing reports of hacking attempts against specific members of the North Korea watcher community.  So what exactly is going on?  Are Korea watchers being specifically targeted, or should these attacks be seen in a broader context?

Malware is malicious code that is installed onto websites by a third party.  Without adequate protection, visitors to infected sites obliviously download the malicious code, which can in turn give third parties unauthorized access to computer systems.  But it is important to note that “malware” is a catchall term, covering malicious code that includes Trojan horses, spyware, and computer viruses.  As a result, the effect of malware infections can vary significantly.  Sometimes malware is used to install a script which turns the infected computer into a “bot”, which can be used to take part in a distributed denial of service (DDoS) attack.  But oftentimes the malware’s purpose is a lot more dangerous.

IP Address Poster in Kim Il Sung University’s Computing Department

According to this Google report, the malware found recently on the Daily NK site took the form of a Trojan horse, a malicious script which unlike a virus, does not spread by itself. Once activated, Trojan scripts can create backdoor access on a computer that can give the creator access to confidential or personal information. Functions of these scripts can include stealing your passwords, viewing your screen as you are working, and even broadcasting all that one types to another location.  With the Daily NK frequented by many serious North Korea watchers and human rights activists, it is easy to understand why pro-North Korea actors or entities might be interested in obtaining back-door entry to the computer systems of the Daily NK audience profile.  After all, the type of information that could be sourced through any script installed on a U.S. government employee or NGO worker’s computer could be extremely useful for the North Korean state.

The Daily NK have reported that they are aware that the source of the malware infections is China, something also corroborated by Google’s own site report, which says the same scripts can be found on digtaobao.com and 10086chongzhi.com, two Chinese registered domains that presently contain no website content.  But just because a script is associated with China, we cannot assume that it was necessarily coded by Chinese hackers.  Martyn Williams of NK Tech explains…

“The “evidence” usually cited is an IP-address, but herein lies the problem. Malware and other hacking attempts are usually routed through multiple IP addresses to avoid detection and sometimes fake the address, so it’s possible the real culprits are elsewhere but savvy enough to make their attack look like it came from a North Korean address. After all, North Korea is a very convenient and believable culprit.”

Likewise, much of North Korea’s own internet infrastructure goes through China, and there are reports that there are batches of Chinese IP addresses owned specifically by North Korean entities.  And although Google has said that the Daily NK malware takes the form of a Trojan horse and we know that it is going through China, we don’t know what the scripts that have infected the site were actually designed to do.

Looking at the broader context, it is extremely important to point out that malware is extremely common in South Korea.  In summer 2010, South Korea had the highest infection rates of malware in the world.  While the government has done much to improve this situation, a quick glance at online news resources in South Korea shows the following sites to have encountered malware infections in the past 90 days:

Of a total of 22 major news websites in South Korea, a remarkable 36% are thus somehow infected with malware. In this light, it is quite possible that the Daily NK infection should just be seen as forming part of this trend, in which Korean websites, for whatever reason, continue to remain a hotbed for malware activity. But without having the actual malicious scripts to compare (and an IT security expert to analyze them), there is no way of knowing whether the Daily NK code constitutes a specific threat to the Korea watcher community or is instead something more akin to the code found on these other news sites.  However, when considering other factors, dismissing the Daily NK malware as being merely reflective of the high level of infection in South Korea could be risky.

As Curtis Melvin has been chronicling over the past year (here, here, and here), there has been a strikingly determined campaign to infect the computers of specific individuals working on Korea policy.  In the course of writing this piece, one member of KEI staff even received another example of these emails.  Like the Daily NK malware, this approach has also involved the use of a Trojan horse mechanism, with individuals contracting infections after opening contaminated attachments in emails. These emails are often crafted specifically for the characteristics of seasoned North Korea watchers, inviting recipients to take part in North Korea related interviews, or to read North Korea related manuscripts and texts. Often, the senders portray themselves as being media representatives, fellow North Korea analysts, or even Kim Il-Sung apologists.  With the text of the emails being relatively convincing, it is quite likely that a number of infections may have already taken place, despite warnings posted on Mr. Melvin’s site.  But exactly what the code does when it has infected a user’s computer is yet unknown.  However, the personally tailored approach of the emails suggests that a) there is a list of specific people the senders are trying to compromise and b) that accessing the recipient’s computer and files is probably the priority.  But is this likely a lone individual or something more sinister? IT Security expert Alexander Sverdlov of Nopasara.com explained:

Grid Computing poster at Kim Il Sung University

“The only case when you could suspect an individual attacking you with no organization behind them is if you had a disgruntled system administrator / IT person who had to be fired, or if a highly trained individual is for some reason offended by what you do to them or someone else. In all other cases you can bet that an attack is funded / backed by a large organization / corporation / government. These attacks are very expensive; they are highly risky for their implementers and thus their high price. Not everyone can afford to hire a hacker to individually target you and / or your organization.”

If the aim is to get access to as many North Korea watchers’ computers as possible, it would be entirely consistent for the programmers of this malicious email code to want to infect sites like the Daily NK, too.  Receiving hundreds of visitors per day, infecting the Daily NK would easily increase the likelihood that the code’s programmers could obtain sensitive information related to defectors, human rights NGOs, and more.  What’s more, North Korea has already made its disdain for the Daily NK clear, with a post in 2010 showing KCNA’s contempt for the South Korea-based website.  But does all this suggest tacit North Korean involvement?

Despite all the circumstantial evidence, it is difficult to draw conclusions about who or what is responsible for the malware on the Daily NK and the malicious emails that have been doing the rounds.  Given its paranoia and extensive spying networks, there is undoubtedly motivation for North Korea to want to bolster its intelligence gathering capacities, and these approaches could definitely help to that end.  For this reason, North Korea is routinely blamed for masterminding cyber-attacks in South Korea, though often without much evidence.  But it is also important to remember that cyber attacks occur worldwide as a matter of course, and Trojan horses are relatively easy to code. As such, there is always the potential that both the emails and the malware form part of this wider pattern, or that they are the work of lone individuals, perhaps sympathetic to the North Korean government.  Nevertheless, neither of these explanations should give anyone much confidence, because even if it is not North Korea that is trying to hack your computer, there is still cause for concern.  In short, be extremely careful when opening email attachments from strangers or visiting websites related to the Koreas.  If there is a sign of malware, steer clear.
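The tailored emails described above deliver their Trojan through an attachment the recipient is persuaded to open, and the advice is to be careful with attachments from strangers. The script below, an added example that is not part of the original post, shows how a defender can automate part of that care: it parses a raw email, enumerates its attachments, and flags the common disguises (an executable extension, a document extension stacked in front of an executable one such as `manuscript.doc.exe`, and macro-enabled Office files). The sender, recipient, subject and attachment names are all invented for the sample message; the extension lists are this example's own choices, not a list from the post.

```python
"""Triage email attachments before anyone opens them (added example, not from the post)."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions that Windows runs directly when double-clicked (example's own list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "lnk", "msi", "ps1"}
# Office formats that can carry macros.
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
# Extensions that look like harmless documents; used to spot "report.doc.exe".
DOCUMENT_EXTS = {"doc", "docx", "pdf", "txt", "xls", "xlsx", "ppt", "pptx", "hwp", "rtf"}


def classify_attachment(filename: str) -> list[str]:
    """Return the reasons an attachment name is suspicious (empty list if none)."""
    reasons = []
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return reasons  # no extension at all; nothing to judge by name
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
    if ext in MACRO_EXTS:
        reasons.append(f"macro-enabled document .{ext}")
    # A document extension immediately before an executable one is the classic disguise.
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        reasons.append(f"double extension .{parts[-2]}.{ext}")
    # Runs of spaces push the real extension out of view in many mail clients.
    if "  " in filename:
        reasons.append("whitespace padding in filename")
    return reasons


def triage_message(raw: bytes) -> dict[str, list[str]]:
    """Parse a raw RFC 822 message and map each attachment name to its warnings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        findings[name] = classify_attachment(name)
    return findings


def build_sample_message() -> bytes:
    """Construct a message in the style the post describes (every detail invented)."""
    msg = EmailMessage()
    msg["From"] = "journalist@example.invalid"
    msg["To"] = "analyst@example.invalid"
    msg["Subject"] = "Interview request: DPRK sanctions manuscript"
    msg.set_content("Dear analyst, please review the attached manuscript before our call.")
    # Attachment bodies are short placeholder bytes, not real files.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="manuscript.doc.exe")
    msg.add_attachment(b"PK\x03\x04", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="questions.docm")
    msg.add_attachment(b"%PDF-1.4", maintype="application",
                       subtype="pdf", filename="bio.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample_message()).items():
        status = "FLAG" if reasons else "ok"
        print(f"{status:4} {name}: {'; '.join(reasons) or 'no findings'}")
```

Name-based checks are a first filter, not a verdict: a PDF or a plain .docx can still carry an exploit, so a flagged attachment should go to a sandbox or an analyst and an unflagged one still deserves the caution the post recommends.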

Chad O’Carroll is the Director of Communications for the Korea Economic Institute. The views represented here are his own.



About The Peninsula

The Peninsula blog is a project of the Korea Economic Institute. It is designed to provide a wide ranging forum for discussion of the foreign policy, economic, and social issues that impact the Korean peninsula. The views expressed on The Peninsula are those of the authors alone, and should not be taken to represent the views of either the editors or the Korea Economic Institute. For questions, comments, or to submit a post to The Peninsula, please contact us at ts@keia.org.