11 February 2016

Latest on North Korean Cyberwar Strategy and Tactics

February 9, 2016

North Korea Smishes To Succeed

South Korea believes that North Korea was behind a recent Cyber War campaign seeking to get into South Korean nuclear plants. Currently 22 percent of electricity in South Korea comes from nuclear plants (compared to 20 percent of American electricity and 74 percent in France). This attack was traced back to servers in northeast China, which is a technique North Korea has used before. South Korea is trying to persuade China to crack down on North Korean hackers using servers in China. South Korea is a major supplier of nuclear power plant components to China and recently sold China a complete nuclear power plant. So far China has refused to crack down on the North Korean hackers, even though China is mad at North Korea for defying China (about nuclear weapons and ballistic missiles).

The recent North Korean attack also used a relatively new method of getting past security. This is called smishing because it is a two-step process similar to phishing. What both of these methods have in common is the exploitation of human error. This is frequently used for attacks via the Internet against specific civilian, military, and government individuals, using psychology rather than just technology. Phishing is often carried out in the form of an official-looking email, with a file attached, sent to people at a specific military or government organization. It is usually an email they weren’t expecting but from someone they recognize. This is known in the trade as “spear phishing” (or simply “phishing”). The attachment, if opened, secretly installs a program that sends files and information from the email recipient’s PC to the spear phisher’s computer. In the last few years an increasing number of military, government, and contractor personnel have received these official-looking emails with attachments, asking for prompt attention.


Smishing is the expected response to more defenses against phishing attacks. Several new attack methods have been developed and one of these is smishing. This involves a spear phishing campaign that does not try to deliver malware but simply gets the recipient to reply to the message. The hackers then respond with a message that does contain the malware. This sort of cleverness is seen as the sort of thing the North Koreans would develop. North Korean hackers have been increasingly successful at launching Internet-based attacks in South Korea.
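The two-step pattern described above (a clean opener from an outside sender, a reply from the target, then a follow-up carrying the payload) leaves a distinctive shape in mail logs that a defender can look for. The following is an added example, not code from the article or from any vendor; the message records, the internal domain `example.org` and the list of risky attachment extensions are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

INTERNAL_DOMAIN = "example.org"  # assumed: the defender's own mail domain
# assumed: attachment types worth flagging when they arrive in step two
RISKY_EXT = (".exe", ".scr", ".hta", ".js", ".docm", ".xlsm", ".zip")


@dataclass
class Msg:
    ts: int            # arrival order within the thread
    sender: str
    recipient: str
    thread: str        # conversation id (e.g. from In-Reply-To chaining)
    attachments: tuple


def is_external(addr):
    return not addr.lower().endswith("@" + INTERNAL_DOMAIN)


def risky(attachments):
    return any(a.lower().endswith(RISKY_EXT) for a in attachments)


def find_two_step(messages):
    """Return thread ids where an external sender opened with no attachment,
    an internal user replied, and the same sender then sent a risky file."""
    by_thread = defaultdict(list)
    for m in messages:
        by_thread[m.thread].append(m)
    hits = []
    for tid, msgs in by_thread.items():
        stage, opener = 0, None   # 0: no opener yet, 1: opener seen, 2: replied
        for m in sorted(msgs, key=lambda x: x.ts):
            if stage == 0 and is_external(m.sender) and not m.attachments:
                stage, opener = 1, m.sender
            elif stage == 1 and not is_external(m.sender) and m.recipient == opener:
                stage = 2
            elif stage == 2 and m.sender == opener and risky(m.attachments):
                hits.append(tid)
                break
    return hits


# Constructed sample log: T1 is the two-step case, T2 is a classic one-shot
# attachment (not this detector's job), T3 is a benign conversation.
SAMPLE = [
    Msg(1, "sender@outside.net", "kim@example.org", "T1", ()),
    Msg(2, "kim@example.org", "sender@outside.net", "T1", ()),
    Msg(3, "sender@outside.net", "kim@example.org", "T1", ("schedule.docm",)),
    Msg(1, "vendor@partner.com", "lee@example.org", "T2", ("invoice.exe",)),
    Msg(1, "friend@mail.com", "park@example.org", "T3", ()),
    Msg(2, "park@example.org", "friend@mail.com", "T3", ()),
    Msg(3, "friend@mail.com", "park@example.org", "T3", ("photo.jpg",)),
]

if __name__ == "__main__":
    print(find_two_step(SAMPLE))  # ['T1']
```

The one-shot case in T2 is deliberately not flagged here; it belongs to the ordinary attachment filters the article says this technique was designed to get around.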

For example, in 2014 North Korea managed to distribute games containing spy software to over 20,000 South Korean smart phone users. The North Korean “spyware” was seeking information from banks as well as documents relating to reunification plans and defense matters. The spyware allowed the North Koreans to transfer data from the infected smart phone and secretly turn on the camera. The government quickly found a way to block this sort of thing. North Korea denied any involvement, as it usually does. But since 2000 the evidence has been piling up of increasing North Korean espionage via the Internet.

Long believed to be nonexistent, North Korean cyberwarriors do exist. North Korea has had personnel working on Internet issues since the early 1990s. Their Mirim College program has trained several thousand Internet engineers and hackers so far. North Korea has a unit devoted to Internet based warfare and this unit is increasingly active.

Since the late 1980s, Mirim College in North Korea has been known as a facility that specialized in training electronic warfare specialists. But by the late 1990s, the school was found to be teaching students how to hack the Internet and other types of networks. Originally named after the district of Pyongyang it was in, the college eventually moved and expanded. It had several name changes but its official name was always “Military Camp 144 of the Korean People’s Army.” Students wore military uniforms and security on the school grounds was strict. Each year 120 students were accepted (from the elite high schools or as transfers from the best universities). Students stayed for 5 years. The school contained 5 departments: electronic engineering, command automation (hacking), programming, technical reconnaissance (electronic warfare), and computer science. There’s also a graduate school, with a 3 year course (resulting in the equivalent of a Master’s Degree) for a hundred or so students.

It was long thought that those Mirim College grads were hard at work maintaining the government intranet, not plotting Cyber War against the south. Moreover, for a few years North Korea was allowed to sell programming services to South Korean firms. Not a lot, but the work was competent and cheap. So it was known that there was some software engineering capability north of the DMZ. It was believed that this was being used to raise money for the government up there, not to form a major Internet crime operation. But now there is growing evidence of North Korean hackers at work in several areas of illegal activity. The Cyber War attacks apparently began around 2005, quietly and nothing too ambitious. But year by year, the attacks increased in frequency, intensity, and boldness. By 2009, the North Korean hackers were apparently ready to make major assaults on South Korea’s extensive Internet infrastructure, as well as systems (utilities, especially) that are kept off the Internet.

Deceased (since 2011) North Korean leader Kim Jong Il had always been a big fan of PCs and electronic gadgets in general. He not only founded Mirim but backed it consistently. The only form of displeasure from Kim was suspicions that those who graduated from 1986 through the early 1990s had been tainted by visits (until 1991) by Russian electronic warfare experts. Some Mirim students also went to Russia to study for a semester or two. All these students were suspected of having become spies for the Russians, and most, if not all, were purged from the Internet hacking program. Thus, it wasn’t until the end of the 1990s that there were a sufficient number of trusted Internet experts that could be used to begin building a Cyber War organization.

South Korea has to be wary because it has become more dependent on the web than any other country on the planet, with the exception of the United States. As in the past, if the north is to start any new kind of mischief, they try it out on South Korea first. While many of the first serious attacks in 2009 were more annoying than anything else, they revealed a new threat out there, one that not only got worse but turned out to be from the usual suspects. Now the threat is very real and growing rapidly.
