Wake up to North Korea’s cyber-threats
Frequently discussed in South Korea, Pyongyang's cyber attacks only started to get attention elsewhere after Sony
It’s clear from the Sony attack’s fallout, and from the responses of world leaders and the cyber-expert community, that a far greater impact was achieved than the regime, or its cyber command & control (C2), could have imagined. It was also notable that its denials of state involvement in and sponsorship of the Sony attack seemed to quiet down quite quickly once the impact reverberated through first-world nation-states.
If the regime is savvy, it has seen that the credibility of its cyber capability afforded it a status on a par with leading technologically advanced nations. North Korea has pressed hard for the world to recognize its brilliance in high-end technology. It has made public Kim Jong Un’s visits to technology parks and its intent, in line with Juche, to be fully self-sufficient in all technology.
Cyber operations would certainly fall under that category.
The command & control for the North’s cyber program remains ambiguous, again due to the paucity of evidence. If a holistic, planned approach is taken in which cyber operations can be used tactically as a means of warfare or expressing political messaging, they could be a powerful means to influence and blackmail, whereas missiles and rockets might fall short.
NORTH KOREAN CYBER UNITS
North Korea’s cyber operations since the Sony attack have been analyzed in a vast number of academic and INFOSEC (information security) publications, both free and paid for by clients or subscribers. But much of the analysis, as noted in article 1, rests on limited-source evidence and partly on a base of circular reasoning.
Unlike traditional warfighting units, the Korean People’s Army’s (KPA) cyber units increasingly hire talented civilians from the North’s best technology universities – places with no shortage of well-informed technical education in the latest cyber techniques. What’s more, with a limited number of students sponsored under the “computer sciences” umbrella to study both in the West and elsewhere in Asia, the study of computing – of which cyber operations are naturally a significant part – is likely to continue apace. Computing equipment is not subject to UN sanctions. Chinese imports of hardware and software go in unhindered. Operating systems like Linux are modified for domestic use. While the country’s computer network may be limited in its connection to global cyberspace, the network is nonetheless growing.
Of most interest is that North Korea’s offensive cyber units – of which the infamous Unit 121 (or Bureau 121) seems to attract the most blame for foreign attacks – will increasingly be tasked with carrying out ever more damaging cyber operations. Unit 121 is also the most identified in the open domain and falls under the Reconnaissance General Bureau (RGB). Bright graduates, often with a good level of English, learned all-embracing computer techniques at university and honed them overseas (with the Chinese People’s Liberation Army and at Western universities). Those techniques will include how to develop malware, spyware and ransomware, as well as how to run covert operations and information or propaganda operations both domestically and overseas, and this skillset will align with the regime’s missions and messaging to keep it in power.
The type of attack, its target and the techniques North Korean cyber actors rely on are most likely increasingly politically driven from the top. The Sony command & control may have been ambiguous, as reflected in the uncoordinated denials. But it is likely that Kim Jong Un, as supreme commander of the KPA, would be afforded the future glory for attacks on a par with the impact that the Sony incident elicited.
SONY AND THE PRESENT DAY
Let’s briefly look at North Korea’s history of cyber capability development and how it quietly built up expertise to where it potentially lies now. The world has scarcely been drawn to the ongoing minor cyber-attacks, which generally border on cyber-harassment, or spats between the North and South. South Korea’s government and press, on the other hand, give media coverage to annoying, sometimes damaging attacks. Yet suspected attacks on its media, banking, transportation and even a civil nuclear facility rarely make it out of Asia-Pacific media coverage.
It should be stated that attacks on government- and military-owned interests could be framed as fair-game espionage, of which cyber operations are merely a tool. Unlike conventional warfare, however, cyber-attacks can be carried out from the safety of not just one’s own nation but even via a second country’s infrastructure (without that country’s complicity or even knowledge). Cyber-forensic evidence and signatures from attacks carried out on overseas targets are easier to collect than evidence of missiles fired into the sea, or the detection of underground shockwaves.
SOUTH KOREA’S VULNERABILITY
South Korea is widely acknowledged as one of the most wired nations in the world. A significant proportion of its population is connected by some of the fastest broadband in the world and has some of the best high-end electronics and consumer goods. That said, the adoption and placement of basic cyber-security measures has not kept pace.
South Korea, like many of its Western allies, has a government promoting the benefits of having its own infrastructure and critical national infrastructure (CNI) – such as transportation, telecommunications, food supplies, power and gas – also connected to cyberspace. Its SCADA (supervisory control and data acquisition) systems – that is, industrial control systems – also tend not to be stand-alone, meaning disconnected from the internet. Even SCADA systems run as stand-alone are vulnerable to employee ignorance or oversight, e.g. inserting a USB drive and introducing malicious or infected software from computers that were internet-connected. This is not about cyber capability, but about poor cyber-hygiene practices and a huge vulnerability to hostile actors, both state and non-state.
PAST AND PRESENT
Sustained attacks on South Korea’s media occurred in 2013. In late 2014, Korea Hydro & Nuclear Power found that employee information and blueprints for civil nuclear equipment had been leaked online. Seoul’s metro was hit in 2015. Cyber-attacks became increasingly destructive, and cyber analysts assessed this as a worrying trend with North Korea. While South Korea’s NIS (National Intelligence Service) has frequently made these cyber-attacks public, the rest of the world appeared to treat such news with indifference. Escalation of any kind, irrespective of the cyber-attack’s sophistication, should not be treated indifferently. The cyber-threat community should work hand-in-hand with the political and analytical community to bring forward balanced judgments about North Korean intent where cyberwar is a tool for expressing that destructive intent.
Yet to North Korea specialists, analysts, political observers and those with a broader cyber remit in watching the growing technical capabilities of both state and non-state actors – the latter including cyber criminals, for-profit actors, terrorists, lone hackers, even shady teenagers in bedrooms – the Sony attack was no surprise.
Many had quietly noted that North Korea’s cyber capability was on an upward trend, and a dangerous one when combined with an opaque political intent to employ it. Its cyber capability simply had yet to grab political attention in the way Pyongyang’s missile and nuclear proliferation had.
FALLOUT FOR JAPAN
The key question goes beyond South Korea: should its immediate neighbors be concerned? As raised in article 1, Japan’s government was rightly concerned and was caught completely unawares by the Sony attack. Sony is, after all, very much a Japanese company, and this incident woke Japan to the fact that if a nation-state was prepared to attack a private company, it could attack other Japanese corporate interests.
Unlike the U.S. and its Western allies, Japan appears unprepared in its defensive cyber-threat capabilities to defend either itself as a nation-state or corporate Japan from persistent, sustained state-sponsored cyber-attacks. Developing a SIGINT (signals intelligence) capability on a par with the resources invested by key allies like the U.S., UK and other leading European countries to withstand a politically motivated state-sponsored cyber-attack remains a significant undertaking for Japan. Such change and delivery will require a huge shift in government mentality and support, as well as a monumental shift in corporate Japan’s mindset to comprehend the cyberspace landscape and the global threat cyberwar brings. Corporate Japan needs to work with its government in addressing the global, borderless nature of the cyber-threat.
North Korea’s offensive cyber-capability and the Sony attack were the kick Japan needed. To date, Japan has mostly focused on China as its key cyber-adversary in escalating cyber-wars.
WILL CHINA HANDLE NORTH KOREA?
This series cannot cover China’s vast cyber machinery – military and civilian – in any justifiably meaningful depth. What is evident is that the U.S. and its allies have little of the political influence or leverage with China’s political or military leaders that would be required to bring North Korea to heel on a range of issues that irritate the West, and cyber would therefore not be unique.
It has long been suspected (not proven) that North Korean cyber actors are using China’s infrastructure (including hop-points, through which cyber-attacks are bounced via a second or third country) and that China’s military is training, or allows training to take place between, PLA and North Korean KPA cyber units.
Even if China overcame its well-known lack of desire to intervene in other countries’ defensive and offensive warfare capabilities, for it to intervene in North Korean cyber affairs would potentially expose more of Beijing’s own offensive cyber capabilities, and its intent, to the West. The first point is especially important, as China believes that it and other states have the right to a defensive cyber capability. Sometimes that defensive capability does mean offense is incorporated as part of it, and Western nation-states are no different in having both offensive and defensive capabilities so that they may provide security and peace.
WHAT THIS MEANS
The cyber landscape and its trends are changing rapidly. Political dynamics based on historic disputes in Asia continue apace. Asian countries are rightly raising the alarm over China’s and North Korea’s cyber capabilities. This needs to run alongside the development of defensive capabilities for the purpose of responding to two nations that have both an offensive cyber-capability and, more importantly, the political intent to use it whenever either feels justified or in any way slighted.