Tag: cyber

Brief History of North Korean Cyber Attacks

Is North Korea, widely viewed in the outside world as equal parts backward and crazy, even capable of conducting a cyber attack?

Yes.

Prior to the cyber attack on Sony, widely (though not universally) thought to be the work of North Korea, the North has been blamed for successful cyber attacks on South Korean media companies, military and government networks, banks, and universities. Some of the first attacks blamed on the North occurred in 2009, and the South has regularly blamed the North for cyber attacks since, with Korean and international analysts noting both similar tactics and the attacks’ growing technical sophistication.

While North Korean decision-making may appear opaque and often outlandish to outside observers, this does not mean the country lacks technical skill, as evidenced by its successful nuclear and ballistic missile programs. The North’s technology has even attracted an international following, most notably from Iran.

In 2012, Iran and North Korea signed a framework agreement on technology sharing that formalized ongoing IT, nuclear, and other tech-related cooperative development efforts. This cooperation has increased Iran’s cyber capabilities, exhibited most clearly by an October 2012 cyber attack on Saudi Arabia’s Aramco Oil. By 2013, experts had begun to note technical and tactical similarities in attacks separately attributed to Iran and North Korea, including a series of disruptive attacks that led major U.S. banks to request help from the NSA. Related writings on Iranian attacks can be found here.


2009-2013 Internet attacks on South Korea part of ongoing cyber espionage campaign – McAfee Labs

McAfee, the Internet security company owned by Intel, has a research lab that just put out a report covering four years of hacking attacks aimed at South Korea. What previously appeared to be isolated attacks on media, banks, and government websites, many of them detailed here and in the report, are instead part of an ongoing 2009-2013 espionage campaign targeting military forces in South Korea in order to extract classified information. Targets included information on U.S. military forces and their operations in the South.


Through examining the evolving code used in the attacks, McAfee Labs found the attacks on South Korean banks, media, universities, elections, government, and other websites shared common source code, one encryption password, similar use of IRC botnets, consistent terminology, and a target set of military keywords. The report, on page 22, even lists the (somewhat poorly translated) Korean keywords used to target military operations in South Korea, including by U.S. forces.

Rather than a set of separate incidents targeting South Korea, each of which the South’s government has, after investigation, attributed to the North, McAfee Labs argues that the incidents are all part of one “secret, long-term campaign,” one that reveals an adversary “attempting to spy on and disrupt South Korea’s military and government activities.”

The McAfee report does not explicitly blame any particular country for the attacks, but makes the case that the attacks have been conducted by the same organization, taking the same measures against the same sites in an ongoing, state-level espionage operation. Investigating the same incidents separately, the South has laid official blame for the attacks on the North. If the South’s researchers haven’t already figured out what’s in the McAfee report, its findings will likely play a role in relations between the two Koreas very shortly.


South Korea hit with cyber attacks on major banks, media outlets … again; North Korea blamed … again

UPDATE (10 April): The South made its preliminary case today that a North Korean espionage agency was behind the 20 March cyber attacks. According to the South’s report, the North began preparing for the attack last June, with systems testing beginning in late February. Of the 76 types of malicious code used in the attack, 30 were similar to previous attacks by the North, and 22 of 49 IP addresses overlapped with previous addresses used during cyber attacks traced to the North since 2009.


UPDATE (22 March): The South’s communications commission issued an update today declaring that the cyber attack started from an IP address at a domestic bank (Nonghyup), not a Chinese address as they reported yesterday. This means, aside from an irritated China and embarrassed Korean bureaucrats, that the attack erupted from a domestic source. How the code was placed on that server, by whom, and how it spread is still under investigation – an investigation likely to be much more circumspect in placing blame during future announcements.

On another note, perhaps the biggest news from the peninsula this week, submerged under the flood of reporting on the cyber attack, was a report that China’s oil exports to North Korea fell to zero in February. Perhaps this is a sign that the Chinese are getting fed up with the North’s missile and nuke testing – China normally sends 30,000-50,000 tons of oil to the North per month, an official figure that hasn’t gone to zero since 2007. If this continues through March, we may see a sudden change in the North’s tone, at least long enough for the Chinese to restart the spigots. Frankly, China shutting down its supply of oil to the North for two straight months would surprise me more than a semi-crazy member of the Bad Boys getting invited to Pyongyang to drink with the head Kim, but hey, stranger things have happened.


North-South tensions on the Korean peninsula – indicators for the future

UPDATE (3 April): The North closed entry to Kaesong today for South Koreans, but allowed those present in the complex to either remain in the North or head home to the South. Citing business and production concerns, only 33 of 446 South Korean workers in the complex actually came South, with the rest remaining behind to tend to their work or business interests. This poses a somewhat interesting question: given a choice, would you elect to stay in North Korea right now for your employer or business?

Previous closures have been short-lived, with few repercussions for those remaining behind, those who left, or the businesses located in the zone. Time will tell if this closure ends the same way. Either way, however, today’s closure signals a further heightening of tensions and worsening of inter-Korean relations.

UPDATE (1 April): The North actually threatened to close the Kaesong complex over the weekend, but most doubt they will follow through on the threat. If the North’s leadership is under the illusion that shutting the facility will hurt the South worse than the North, they might be tempted, but short of that level of cluelessness, the North is unlikely to close such a prime hard currency source.

UPDATE (28 March): Reuters catching on to the idea of Kaesong as an indicator of the true level of tension on the Korean peninsula: Despite threats, North Korea keeps border factories open.

Every time tensions rise on the Korean peninsula, people start asking what’s going to happen next. Is there going to be a war? Will tensions cool? Will the North conduct an additional rocket or nuke test? Will there be another cyberattack or similar provocation? While no one outside of the North’s inner circle (now including Dennis Rodman?) can say for sure, there are a few indicators.

One I’ve discussed before is the status of the joint North-South economic development zone in Kaesong, just north of the DMZ. If the North suddenly closes the zone, or takes as hostages any South Koreans remaining in the zone, then that’s obviously not a good sign. Similarly, if the South orders its people out of Kaesong and forbids more to enter, that’s an indicator the South is expecting the situation to worsen, or is planning a response to a Northern provocation. South Korea’s president mentioned her concern about the North taking hostages at a meeting just this morning, indicating high-level concern over the issue in the South, but no plans to recall its citizens.

Other indicators, aside from updated imagery showing North Korean troop movements, include the North shutting down or greatly restricting access to its relatively new domestic cellphone service. I also detailed this indicator previously, calling any curtailment in service a sign that the North was cracking down on or attempting to prevent internal dissent, or was suddenly concerned about a new threat.

More stories about South Korean military and defense officials spending their time playing golf instead of monitoring developments indicate the South’s level of concern over a possible provocation. Meanwhile, reports of more North Korean deserters, especially among frontline troops near the DMZ, show both military weariness and a loss of capability for a conventional strike in the North.

Finally, the South raised its ‘cyber alert level’ on 12 February in response to North Korea’s most recent nuclear test. A further increase, or reduction, in this level is also a sign of where the South believes the situation is heading.

Hopefully, amid all of the fuss, bluff, and thunder on the peninsula, these indicators prove useful for predicting the course of future events in Korea, whether war, nothing more than talk, a conventional Northern provocation, or another Northern cyberattack on the South.


South accuses North of cyberattacks; Pyongyang relying less on spies, more on cyber?

The South officially accused the North today of launching a cyberattack against the JoongAng Ilbo, a conservative daily in the South. More interesting is what the South’s investigation also discovered – since 2009, the North’s cyber attacks on the South (targeting banks, elections, universities, and other organizations) have used the same China-based IP address owned by North Korea’s Ministry of Post and Telecommunications.


North Korea Entering Information Age with Cellphones, Domestic-only ‘Intranet’

Interesting article on cellphone and ‘Internet’ usage in North Korea – yes, there are both cellphones (now up to a million 3G subscribers, if the numbers are to be believed) and ‘Internet’ users in the North, though access to the outside Internet is limited to a very select few. Instead, North Korea has established a nationwide (mostly Pyongyang, but with some connections in outlying areas), domestic-only intranet for universities, research centers, and a few private homes/apartments.

The article, from The Diplomat, a leading provider of news and commentary on the Asia-Pacific, attributes the North’s acceptance of information age technology to a desire to attract and please international investors. While the concerns of international investors may play a role, I hardly agree that this is the driving force. Rather, the North, like any other country or group of people, wants to use the technology to communicate and share information, though, in the North’s case, with a heavy dollop of state control (none of the cellphones on the domestic network can access numbers outside the country) and propaganda messages from state authorities (taking spam texts to a whole new level).


North Korea’s Air Koryo adds online flight booking system

Just in time for your holiday travel planning, Air Koryo, the official airline of North Korea, has launched an online booking system! According to the massive timetable, the new system allows international travelers to book one of eight weekly flights between Pyongyang and Beijing, Pyongyang and Shenyang, or Pyongyang and Vladivostok.

Perhaps in an effort to raise its status as the world’s only one-star airline, the new online booking system also allows customers to purchase extra seats for a “blackbox” (Iranian nuclear scientists and cyberwar experts will be delighted), or for their “fat” (hello, Kim clan).

Air Koryo, the official airline of overweight smugglers?


Iran and North Korea cooperating on cyber-defense, ‘domestic Internets’?

UPDATE (28 Mar): Article today from the Times on how hackers from both North Korea and Iran have launched cyber attacks over the past week. No information on a connection between the two, other than their “erratic decision making,” but their skills appear to be growing, with Iran taking down American Express for two hours today.

UPDATE (24 Mar): Good article in PC World today about the threats posed by Iranian and North Korean hackers. The article covers some of what’s been discussed here, but also highlights testimony in the House last week about the unpredictability of Iran and North Korea making them harder to deter than China and Russia. The article points out that while the Iranians and North Koreans lack the cyber skills of the Chinese and Russians, their greater sense of “intent” may make them the more dangerous threats.

UPDATE (18 Jan): U.S. banks have officially sought help from the National Security Agency in dealing with the months-long cyberattacks, according to the Washington Post.

UPDATE (8 Jan): The Times has a story today with U.S. officials blaming Iran for attacks the past few months on “Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC.” The attacks are on a scale available to nation-states, not kids in a basement, “transforming the online equivalent of a few yapping Chihuahuas into a pack of fire-breathing Godzillas.” According to the story, the attacks are expected to continue.

UPDATE (3 Dec): Reuters carried a story from Kyodo yesterday about Iran stationing defense staff at a North Korean military facility, “apparently to strengthen cooperation in missile and nuclear development.” The “staff” reportedly consists of four people from Iran’s Ministry of Defense and “firms close to it.” The group may be in country for long-term collaboration, or to observe North Korea’s upcoming rocket launch.

UPDATE (24 Oct): The Times has an article today on an Iranian cyberattack on Saudi Arabia’s Aramco oil firm in August that is now believed to be, “among the most destructive acts of computer sabotage on a company to date.” The attack is thought to be retaliation for previous cyberattacks on Iranian oil facilities – and may have even used some of the same code. This is shaping up to be an interesting battle, clearly visible even in the open source world.

UPDATE (18 Oct): The cyberattacks on U.S. banks are continuing into their fifth week, with the Wall Street Journal now publicly blaming Iran as the source of the attacks.

UPDATE (1 Oct): The Times has a story this morning about the effects the bank attacks are having on U.S. customers, plus additional speculation on who is behind them, with Iran and the general ‘Middle East’ as the most mentioned sources.

UPDATE (28 Sep): Bloomberg (among others) is reporting an escalating, ongoing cyberattack on U.S. banks that some, including Senator Lieberman (head of the Senate Homeland Security and Governmental Affairs Committee), are blaming on Iran. It may or may not be Iran (part of the ‘beauty’ of cyberattacks is being able to disguise their origin), but the attack points to the growing sophistication of state-level actors (the North Koreans took down a major South Korean bank last year) and the dangers posed to the U.S. private sector by cooperation of the type highlighted below.

A couple of interesting stories on Iran and North Korea so far this week: the Washington Post reports Iran is preparing an internal version of the Internet designed to limit Iranians’ access to the outside Net, plus block foreign cyberattacks. The article stresses the difficulties the mullahs will have establishing the system, while acknowledging the security advantages afforded by such a project.

Nowhere, however, does the article mention a connection with North Korea, which has long had a ‘domestic Internet’ of the type described in the article. NK’s internal network offers exactly the advantages, security and training for cyber-operatives, mentioned in the Post article.

The second article, from The Christian Science Monitor, on a new Iran-NK pact designed to enhance research cooperation in the fields of “information technology, engineering, [etc.],” makes a connection between the two countries on ‘domestic Internet’ development seem both possible and natural. The focus of the article, and of other media attention to the pact, is on shared nuclear weapon and missile development efforts. However, the juxtaposition of the two events highlighted in the stories, the shared interest in walled-off internal networks, and the recent pact formalizing ongoing joint research and development efforts raise the question of whether the North Koreans are also aiding the Iranians in establishing a more cyberattack-resistant internal network – thereby removing a tool outsiders use to influence and track Iranian nuclear weapons development.

While this development would be good for the Iranians, it would not be a positive for security and stability in the region. If Israel and the U.S. lose their cyber option for derailing and delaying Iran’s nuclear efforts, kinetic options become more likely – to no one’s benefit. Stay tuned.


South Korea’s Ministry of Defense to double size of cyber command in face of cyber attacks from North; effort unlikely to succeed

I’ve been following North Korean cyberattacks on the South for several years, so it was interesting to see the South’s Ministry of Defense announce (English, Korean) yesterday that it was already doubling the size of its Cyber Command, to 1000 people. Given it just launched the command in January 2010, deciding to increase the size already indicates the seriousness with which it views the threat of North Korean cyber attacks, plus the easy availability of funding for this new arena of conflict.

North Korean cyber attacks on the South include jamming GPS signals (forcing planes at Inchon international airport to use alternate systems when landing and taking off), locking up to 30 million account holders (a number which seems awfully high, but I’m quoting the article) out of Nonghyup, the South’s main agriculture and cooperative bank, and hacking the email accounts of Korea University’s Graduate School of Information Security (one of the South’s top schools). With public, embarrassing attacks such as these, the North has certainly caught the attention of the South’s defense and cyber establishments, helping drive the expansion in funding and personnel resources.

The added capabilities are to include both defensive and offensive programs, with the second being the more interesting of the two. Given North Korea’s much more limited use of the Internet – essentially a few elites conducting research and military/intel groups looking for information and opportunities – the well-wired South has far more to lose in an online confrontation than the hardscrabble North. Combine Southern reliance on the Internet with the difficulty of definitively tracing the origin of a cyber attack, and, expanded capabilities or not, the South looks to lose a few more rounds of this battle.


Living in the past: South Korean Defense Ministry steps up radio broadcasts into DPRK

The South Korean Defense Ministry reportedly (North Korea Tech) stepped up shortwave radio broadcasts into North Korea from 9 August.

Why?

The North jams most, if not all, of the signals, few North Koreans own shortwave radios, and decades of similar expense and effort have resulted in … well, nothing.

Instead of spending money on radio programs no one can listen to, using signals the North will jam, it’s time for a new tool. The South should be investing in cellphone towers along the DMZ and in supporting efforts by defectors to infiltrate phones into the North (read more on those efforts from The Asahi Shimbun or The Atlantic).
