Category South Korea

2009-2013 Internet attacks on South Korea part of ongoing cyber espionage campaign – McAfee Labs

McAfee, the Internet security company owned by Intel, has a research lab that just put out a report covering four years of hacking attacks aimed at South Korea. What previously appeared to be isolated attacks on media, banks, and government websites, many of them detailed here and in the report, are instead part of an ongoing 2009-2013 espionage campaign targeting military forces in South Korea in order to extract classified information. Targets included information on U.S. military forces and their operations in the South.

Through examining the evolving code used in the attacks, McAfee Labs found the attacks on South Korean banks, media, universities, elections, government, and other websites shared common source code, one encryption password, similar use of IRC botnets, consistent terminology, and a target set of military keywords. The report, on page 22, even lists the (somewhat poorly translated) Korean keywords used to target military operations in South Korea, including by U.S. forces.

Rather than a separate group of incidents targeting South Korea, which the South’s government, after conducting investigations, has attributed to the North, McAfee Labs is arguing that the incidents are all part of one “secret, long-term campaign,” a campaign that reveals an adversary “attempting to spy on and disrupt South Korea’s military and government activities.”

The McAfee report does not explicitly blame any particular country for the attacks, but makes the case that the attacks have been conducted by the same organization, taking the same measures against the same sites in an ongoing, state-level espionage operation. Investigating the same incidents separately, the South has laid official blame for the attacks on the North. If the South’s researchers haven’t already figured out what’s in the McAfee report, its findings will likely play a role in relations between the two Koreas very shortly.

South Korea hit with cyber attacks on major banks, media outlets … again; North Korea blamed … again

UPDATE (10 April): The South made its preliminary case today that a North Korean espionage agency was behind the 20 March cyber attacks. According to the South’s report, the North began preparing for the attack last June, with systems testing beginning in late February. Of the 76 types of malicious code used in the attack, 30 were similar to previous attacks by the North, and 22 of 49 IP addresses overlapped with previous addresses used during cyber attacks traced to the North since 2009.

UPDATE (22 March): The South’s communications commission issued an update today declaring the cyber attack started from an IP address at a domestic bank (Nonghyup), not a Chinese address, as they reported yesterday. Meaning, aside from an irritated China and embarrassed Korean bureaucrats, that the attack erupted from a domestic source. How the code was placed on that server, by whom, and how it spread is still under investigation – an investigation likely to be much more circumspect in placing blame during future announcements.

On another note, perhaps the biggest news from the peninsula this week, submerged under the flood of reporting on the cyber attack, was a report that China’s oil exports to North Korea fell to zero in February. Perhaps a sign that the Chinese are getting fed up with the North’s missile and nuke testing – China normally sends 30-50,000 tons of oil to the North per month, an official figure that hasn’t gone to zero since 2007. If this continues through March, we may see a sudden change in the North’s tone, at least long enough for the Chinese to restart the spigots. Frankly, China shutting down its supply of oil to the North for two straight months would surprise me more than a semi-crazy member of the Bad Boys getting invited to Pyongyang to drink with the head Kim, but hey, stranger things have happened.

North-South tensions on the Korean peninsula – indicators for the future

UPDATE (3 April): The North closed entry to Kaesong today for South Koreans, but allowed those present in the complex to either remain in the North or head home to the South. Citing business and production concerns, only 33 of 446 South Korean workers in the complex actually came South, with the rest remaining behind to tend to their work or business interests. Posing the somewhat interesting question – given a choice, would you elect to stay in North Korea right now for your employer or business?

Previous closures have been short-lived, with few repercussions for those remaining behind, those who left, or the businesses located in the zone. Time will tell if this closure ends the same. Either way however, today’s closure signals a further heightening of tensions and worsening of inter-Korean relations.

UPDATE (1 April): The North actually threatened to close the Kaesong complex over the weekend, but most doubt they will follow through on the threat. If the North’s leadership is under the illusion that shutting the facility will hurt the South worse than the North they might be tempted, but short of that level of cluelessness, the North is unlikely to close such a prime hard currency source.

UPDATE (28 March): Reuters catching on to the idea of Kaesong as an indicator of the true level of tension on the Korean peninsula: Despite threats, North Korea keeps border factories open.

Every time tensions rise on the Korean peninsula, people start asking what’s going to happen next. Is there going to be a war? Will tensions cool? Will the North conduct an additional rocket or nuke test? Will there be another cyberattack or similar provocation? While no one outside of the North’s inner circle (now including Dennis Rodman?) can say for sure, there are a few indicators.

One I’ve discussed before is the status of the joint North-South economic development zone in Kaesong, just north of the DMZ. If the North suddenly closes the zone, or takes as hostages any South Koreans remaining in the zone, then that’s obviously not a good sign. Similarly, if the South orders its people out of Kaesong and forbids more to enter, that’s an indicator the South is expecting the situation to worsen, or is planning a response to a Northern provocation. South Korea’s president mentioned her concern about the North taking hostages at a meeting just this morning, indicating high-level concern over the issue in the South, but no plans to recall its citizens.

Other indicators, aside from updated imagery showing North Korean troop movements, include the North shutting down or greatly restricting access to its relatively new domestic cellphone service. I also detailed this indicator previously, calling any curtailment in service a sign the North was cracking down on or attempting to prevent internal dissent, or was suddenly concerned about a new threat.

More stories about South Korean military and defense officials spending their time playing golf instead of monitoring developments indicate the South’s level of concern over a possible provocation, while reports of more North Korean deserters, especially among frontline troops near the DMZ, show both military weariness and loss of capability for a conventional strike in the North.

Finally, the South raised its ‘cyber alert level’ on 12 February in response to North Korea’s most recent nuclear test. A further increase, or reduction, in this level is also a sign of where the South believes the situation is heading.

Hopefully, amid all of the fuss, bluff, and thunder on the peninsula, these indicators prove useful for predicting the course of future events in Korea, whether war, nothing more than talk, a conventional Northern provocation, or another Northern cyberattack on the South.

North Korea conducts third nuclear test: two alternate response proposals

It appears the North is doing exactly what it said it was going to do – become a nuclear state, then, like every other nuclear state before it, develop a weapon small enough to fit atop a missile. This should be no surprise: the North’s takeaway from the war in Iraq was that it needed nukes to ensure its security; it literally mocked Qaddafi for being tricked into giving up his pursuit of nukes:

“The present Libyan crisis teaches the international community a serious lesson. It was fully exposed before the world that ‘Libya’s nuclear dismantlement’ much touted by the U.S. in the past turned out to be a mode of aggression whereby the latter coaxed the former […] to disarm itself and then swallowed it up by force. It proved once again the truth of history that peace can be preserved only when one builds up one’s own strength.” [KCNA website, 24 March 2011].

The idea that additional UN sanctions, much discussed in today’s reporting, will push North Korea from this path is delusory. This is a country that is already one of the most sanctioned on earth and operates under an ideology of self-reliance so stringent it views international trade as a weakness. Expecting anything different from additional sanctions brings to mind the old saw about doing the same thing over and over again and expecting a different result.

Escape from North Korea: The Untold Story of Asia’s Underground Railroad

[Book Review] I’m glad someone finally went to the trouble of researching and writing a book on the network, for obvious reasons quite secretive, which works to get North Korean defectors through China and into safety in South Korea or elsewhere.


You might ask why North Korean refugees aren’t safe once they reach China, given that China is obliged to protect the refugees by virtue of agreeing to international treaties including the 1951 Convention Relating to the Status of Refugees and the International Covenant on Civil and Political Rights (which includes The Universal Declaration of Human Rights). Unfortunately, at least in this case, China’s government pays about as much heed to international treaties as America’s Tea Party. Instead of upholding its treaty obligations, it actively tracks, arrests, and returns the refugees to the North, where they and their families face sentencing to one of the North’s infamous gulags. Those caught helping North Korean refugees in China face, at best, expulsion from the country, at worst, years in a Chinese prison.

Given these conditions, Kirkpatrick’s choice of subtitles, “The untold story of Asia’s underground railroad,” becomes more apt. Though the book’s comparisons to the slave-era American underground railroad are occasionally jarring, suddenly transporting the reader from modern Asia to 1800s America, they serve to highlight the similar dangers faced by everyone involved.

South accuses North of cyberattacks; Pyongyang relying less on spies, more on cyber?

The South officially accused the North today of launching a cyberattack against the JoongAng Ilbo, a conservative daily in the South. More interesting is what the South’s investigation also discovered – since 2009, the North’s cyber attacks on the South (targeting banks, elections, universities, and other organizations) have used the same China-based IP address owned by North Korea’s Ministry of Post and Telecommunications.

Kaesong and the North’s cellphone network – two indicators of conditions on the peninsula

UPDATE (8 Feb.) – Earlier this week, South Korea announced a possible increase in inspections of goods headed into Kaesong based on tightened UN sanctions of North Korea (due to the December rocket test). North Korea, in its typical calm, understated fashion, threatened to return the entire industrial complex to a military zone due to the provocations from the South’s “puppet Ministry” in charge of the inspections. By Friday, South Korea had backed down, announcing that the “government does not consider the Gaeseong Industrial Complex as a means of sanctions against North Korea.” The North’s reaction and the South’s move to calm the issue, all in less than a week, show both the importance and sensitivity of Kaesong in both countries.

In a previous column on heightened tensions between North and South Korea over the sinking of the Cheonan, a South Korean naval ship, and the North’s shelling of the South’s Yeonpyeong Island, I highlighted Kaesong as a key indicator. If the joint North-South industrial complex at Kaesong remained open, tensions were not that serious and would soon ease. If the South withdrew its people from the complex however, that would indicate relations were about to get much worse, including a possible retaliatory strike by the South on the North.

As we now know, conditions in the complex remained largely the same and tensions on the peninsula soon cooled.

With the upcoming rocket launch by the North, Kaesong remains a good indicator of actual relations between the two countries. Post-launch, if operations in the complex remain normal, then relations will soon return to an even keel. However, any withdrawal by the South, or expulsion by the North, indicates a much greater risk of instability and/or provocative actions.

The Impossible State: North Korea, Past and Future

[Book Review] Surprisingly readable – I’d half-expected dense academia or right-wing politicizing (the author is a former Bush administration official), but instead found The Impossible State: North Korea, Past and Future engrossing, with a great overview of North Korea, new insights into the diplomatic make-work program 6-party talks, and solid policy takeaways on the importance of increasing outside information flow into the North.

The author pushes a theory, neojuche revivalism (“juche,” itself commonly translated as “self-reliance,” is North Korea’s governing ideology, pg. 410), which seems to have lost some saliency with the death of Kim Jong-il and the changes in personnel and governing structure taking place under his son. According to Cha, the new/updated ideology is a “return to a conservative and hard-line juche ideology of the 1950s and 1960s,” when the North was ahead of the South technologically and economically (pg. 410).

Though the theory sounds mildly interesting, North Korea’s opaqueness means it can’t really be tested, nor does it provide much policy-level utility, especially given the ongoing leadership changes.

North Korea Entering Information Age with Cellphones, Domestic-only ‘Intranet’

Interesting article on cellphone and ‘Internet’ usage in North Korea – yes, there are both cellphones (now up to a million 3G subscribers, if the numbers are to be believed) and ‘Internet’ users in the North, though access to the outside Internet is limited to a very select few. Instead, North Korea has established a nationwide (mostly Pyongyang, but some connections in outlying areas), domestic-only, intranet for universities, research centers, and a few private homes/apartments.

The article, from The Diplomat, a leading provider of news and commentary on the Asia-Pacific, attributes the North’s acceptance of information age technology to a desire to attract and please international investors. While the concerns of international investors may play a role, I hardly agree that this is the driving force. Rather, the North, like any other country or group of people, wants to use the technology to communicate and share information, though, in the North’s case, with a heavy dollop of state control (none of the cellphones on the domestic network can access numbers outside the country) and propaganda messages from state authorities (taking spam texts to a whole new level).

North Korea suddenly hikes taxes for businesses in Kaesong, threatens to make hike retroactive for up to 8 years

UPDATE (21 OCT): The Times had an article today on rising tensions between North Korea and China due to similar issues – North Korea’s mistreatment of outside firms doing business within the country. Hardly a surprise, and gets to the point people constantly make about getting China to “do something about North Korea.” In the end, the North doesn’t listen to the Chinese much either, and for the Chinese to bring them to heel would require Beijing to utilize the type of extreme measures (e.g. halt in oil shipments) they’ve rarely proven willing to employ.

I get it that the South’s government wants to reduce the eventual, astronomical costs of reunifying with the North by amortizing those costs over the longest period possible, but as a business owner, why on earth would you risk investing in the North?

Yesterday’s JoongAng Daily, a South Korean English language paper, carried a story on the North suddenly upping tax rates on South Korean businesses in Kaesong, the joint North-South industrial zone located just over the border inside North Korea. The North told the SK businesses and the South’s government it was unilaterally changing 117 out of the 120 clauses in the zone’s regulations on 2 Aug. – a move that violates the agreement governing the zone, which stipulates a bilateral agreement is required before any changes can be made. Anyone surprised by this sudden, unilateral change by the North, please begin holding your breath.

Not only did the North change the rules, it reserved the right to decide the tax rate on a product-by-product basis, as well as charge up to eight years of back taxes on the new rate (the zone opened in 2004). So the taxes are not just going up now and into the future, businesses may suddenly owe the new rate on all of their previous years’ taxes as well. Fun.

So, having started and helped run two businesses in the South, I know my answer if the South’s government ever comes calling, urging me to invest in the North – NO. While I can understand the South’s government’s view that the more businesses, jobs, infrastructure, etc. are created now, the less they’ll have to create in the eventual post-reunification future, the North’s investment climate just isn’t good enough.

Security issues knocking on South Korea’s door

A North Korean soldier slipped across the DMZ the night of 2 October, getting through a fence on the North’s side, followed by an electrified fence, then a barbed-wire-topped South Korean fence, before finally … walking up to a South Korean army barracks door and knocking, telling the soldiers inside he wanted to defect.

Until he literally knocked on the front door, no one in the South had detected his presence – a problem that is getting a great deal of attention in the South Korean press (a brief story in English here, a longer summary in Korean here, an editorial complaining of the situation here).

Coming so soon after another man swam across the border undetected, only to be discovered drunk and half-naked after breaking into someone’s home and stealing their soju, serious questions are being raised in the SK media about the security of the South’s border with the North.

Coming only a year after the South installed a pricey new electronic monitoring and information collection system along the border, the two lapses in security raise questions about the ease with which the North can infiltrate the South. As the editorial said, it was lucky the North Korean soldier came to defect; had he been armed and bent on creating trouble, the outcome for the soldiers in that barracks would have been far worse.

Want to make millions from North Korea? Become a luxury goods exporter in China during the next succession

An interesting story has been making the rounds of South Korean media the past couple of days (in English, in Korean) about a sudden, large jump in luxury goods imported into North Korea.

Using trade stats from Chinese customs (the North’s main trading partner), a parliamentary committee in the South found North Korean imports of vehicles (Northern elites tend to prefer German iron, especially Mercedes); TVs, computers, and other electronics; liquor; and luxury watches (gifting expensive watches on important occasions is a cultural trait the North actually shares with the South) went from roughly 300,000,000 U.S. dollars in 2008 and $322,530,000 in 2009, to $446,170,000 in 2010 and then $584,820,000 in 2011.

The large jumps in 2010 and 2011 (and presumably this year as well) overlap with the sudden appointment and rushed power transition from Kim Jong-il to his son, Kim Jong-eun. In essence, the North’s 0.001% has been throwing around a few hundred million dollars worth of hard-to-obtain luxury items to keep Pyongyang’s 1% satisfied, or at least mildly mollified, during the latest dynastic succession. An effort that, to date, appears to be working, plus furnishing a nice bump to Northeast Asian sales of Hennessy, Rolex, and the rest of the dictator chic product line.

Tried Reading ‘Current History’?

I’m not sure how many people actually read Current History (a dozen?), which, while still quite wonky, is normally more readable and less arduous than Foreign Affairs, though their website offers next to nothing for non-subscribers.

I bring up the magazine here because the September issue is on East Asia and includes worthwhile articles on South Korea, China, and the rest of the region. As a bonus, there’s also an article on North Korea by curmudgeonly old Bruce Cumings – anyone wishing to relive the 60s/70s is urged to pop in a good 8-track, spark up their grooviest bong, and read the Cumings piece. You won’t learn much about North Korea (apparently, they bow less than the South Koreans), but you will get a jarring blast of old-school leftism.

Check it out if you have a chance, though again, the Current History website is nearly useless.

South Korea’s Ministry of Defense to double size of cyber command in face of cyber attacks from North; effort unlikely to succeed

I’ve been following North Korean cyberattacks on the South for several years, so it was interesting to see the South’s Ministry of Defense announce (English, Korean) yesterday that it was already doubling the size of its Cyber Command, to 1000 people. Given it just launched the command in January 2010, deciding to increase the size already indicates the seriousness with which it views the threat of North Korean cyber attacks, plus the easy availability of funding for this new arena of conflict.

North Korean cyber attacks on the South include jamming GPS signals (forcing planes at Inchon international airport to use alternate systems when landing and taking off), locking up to 30 million account holders (a number which seems awfully high, but I’m quoting the article) out of Nonghyup, the South’s main agriculture and cooperative bank, and hacking the email accounts of Korea University’s Graduate School of Information Security (one of the South’s top schools). With public, embarrassing attacks such as these, the North has certainly caught the attention of the South’s defense and cyber establishments, helping drive the expansion in funding and personnel resources.

The added capabilities are to include both defensive and offensive programs, with the second being the more interesting of the two. Given North Korea’s much more limited use of the Internet – essentially a few elites conducting research and military/intel groups looking for information and opportunities – the well-wired South has far more to lose in an online confrontation than the hardscrabble North. Combine Southern reliance on the Internet with the difficulty of definitively tracing the origin of a cyber attack, and, expanded capabilities or not, the South looks to lose a few more rounds of this battle.
