Travels with Scott

McAfee, the Internet security company owned by Intel, has a research lab that just put out a report covering four years of hacking attacks aimed at South Korea. What previously appeared to be isolated attacks on media, banks, and government websites, many of them detailed here and in the report, are instead part of an ongoing 2009-2013 espionage campaign targeting military forces in South Korea in order to extract classified information. Targets included information on U.S. military forces and their operations in the South.

McAfee Labs

Through examining the evolving code used in the attacks, McAfee Labs found the attacks on South Korean banks, media, universities, elections, government, and other websites shared common source code, one encryption password, similar use of IRC botnets, consistent terminology, and a target set of military keywords. The report, on page 22, even lists the (somewhat poorly translated) Korean keywords used to target military operations in South Korea, including by U.S. forces.

Rather than a separate group of incidents targeting South Korea, which the South’s government, after conducting investigations, has attributed to the North, McAfee Labs is arguing that the incidents are all part of one, “secret, long-term campaign.” A campaign that reveals an adversary, “attempting to spy on and disrupt South Korea’s military and government activities.”

The McAfee report does not explicitly blame any particular country for the attacks, but makes the case that the attacks have been conducted by the same organization, taking the same measures against the same sites in an ongoing, state-level espionage operation. Investigating the same incidents separately, the South has laid official blame for the attacks on the North. If the South’s researchers haven’t already figured out what’s in the McAfee report, its findings will likely play a role in relations between the two Koreas very shortly.

UPDATE (10 April): The South made its preliminary case today that a North Korean espionage agency was behind the 20 March cyber attacks. According to the South’s report, the North began preparing for the attack last June, with systems testing beginning in late February. Of the 76 types of malicious code used in the attack, 30 were similar to previous attacks by the North, and 22 of 49 IP addresses overlapped with previous addresses used during cyber attacks traced to the North since 2009.

UPDATE (22 March): The South’s communications commission issued an update today declaring the cyber attack started from an IP address at a domestic bank (Nonghyup), not a Chinese address, as they reported yesterday. Meaning, aside from an irritated China and embarrassed Korean bureaucrats, that the attack erupted from a domestic source. How the code was placed on that server, by whom, and how it spread is still under investigation – an investigation likely to be much more circumspect in placing blame during future announcements.

On another note, perhaps the biggest news from the peninsula this week, submerged under the flood of reporting on the cyber attack, was a report that China’s oil exports to North Korea fell to zero in February. Perhaps a sign that the Chinese are getting fed up with the North’s missile and nuke testing – China normally sends 30-50,000 tons of oil to the North per month, an official figure that hasn’t gone to zero since 2007. If this continues through March, we may see a sudden change in the North’s tone, at least long enough for the Chinese to restart the spigots. Frankly, China shutting down its supply of oil to the North for two straight months would surprise me more than a semi-crazy member of the Bad Boys getting invited to Pyongyang to drink with the head Kim, but hey, stranger things have happened.

I’ve been following North Korean cyberattacks on the South for several years, so it was interesting to see the South’s Ministry of Defense announce (English, Korean) yesterday that it was already doubling the size of its Cyber Command, to 1000 people. Given it just launched the command in January 2010, deciding to increase the size already indicates the seriousness with which it views the threat of North Korean cyber attacks, plus the easy availability of funding for this new arena of conflict.

North Korean cyber attacks on the South include jamming GPS signals (forcing planes at Inchon international airport to use alternate systems when landing and taking off), locking up to 30 million account holders (a number which seems awfully high, but I’m quoting the article) out of Nonghyup, the South’s main agriculture and cooperative bank, and hacking the email accounts of Korea University’s Graduate School of Information Security (one of the South’s top schools). With public, embarrassing attacks such as these, the North has certainly caught the attention of the South’s defense and cyber establishments, helping drive the expansion in funding and personnel resources.

The added capabilities are to include both defensive and offensive programs, with the second being the more interesting of the two. Given North Korea’s much more limited use of the Internet – essentially a few elites conducting research and military/intel groups looking for information and opportunities – the well-wired South has far more to lose in an online confrontation than the hardscrabble North. Combine Southern reliance on the Internet with the difficulty of definitively tracing the origin of a cyber attack, and, expanded capabilities or not, the South looks to lose a few more rounds of this battle.