North Korea is ramping up its cyber spying efforts to the point where it is becoming a credible threat to Western enterprises and governments, security researchers at HP warn.
North Korea’s cyber warfare capabilities are of particular interest to national security analysts and policy makers, but the wider IT industry would be well advised to keep a close eye on its activities. For now the threat falls principally on companies of all kinds in South Korea and on US government and military systems, but it may extend more widely over time.
Although North Korea’s cyber infrastructure may not measure up to that of wealthier nations, the regime is making significant progress in developing capable and technically trained forces, according to a detailed analysis by security researchers at HP.
[D]ue to North Korea’s hostility toward other nations, its pursuit of nuclear weapons, and its human rights violations against its own citizens, the United Nations and many Western entities have placed sanctions and embargoes against North Korea. That said, the nation has continued its tradition of asymmetric warfare into the age of the internet, with a remarkable commitment to developing cyber warfare capabilities even as it copes with ageing infrastructure.
While the US views North Korea’s cyber warfare program as the regime’s foray into modern asymmetrical warfare, its neighbour to the south views those cyber capabilities as a terroristic threat - preparations for a multifaceted attack, one that will happen sooner rather than later. Over the past two years alone, South Korea estimates that the North has nearly doubled the number of personnel trained and tasked with carrying out cyberattacks.
It is of particular interest that much of North Korea’s cyber activity coincides with the annual US - South Korea joint military exercises. Attacks not following that pattern were typically in response to political events impacting the regime or correlated with significant dates, such as the anniversary of the start of the Korean War.
According to a 2009 report, North Korean hackers have successfully penetrated US defence networks more frequently than hackers from any other country that has targeted those assets. While one would expect the regime’s digital infrastructure to suffer from ageing or lack of resources, these factors do not take away from its technical ability to wage cyber warfare, especially when the regime is able to use agents and resources in other countries, as HP explains.
The North Korean regime strictly controls all Internet infrastructure, meaning cyber activity by dissidents or autonomous hacker groups is very unlikely. In other words, any cyber attacks originating in North Korea can be assumed to be state sponsored. For this reason, according to defectors, the regime’s cyber operators do not typically launch attacks directly from within North Korea. Instead, many regime-sponsored attacks are launched from cells based in China, US, South Asia, Europe, and even South Korea.
A faction of ethnic North Koreans residing in Japan, known as the Chongryon, is critical to North Korea’s cyber and intelligence programmes and helps generate hard currency for the regime. North Korea also uses computer games both for illegal capital gain and for orchestrating cyber attacks, according to HP's report.
In 2011, South Korean police arrested five individuals, including one Chinese national, for allegedly collaborating with North Korean hackers affiliated with the Korea Computer Center to steal money via online games. According to South Korean reports, the culprits used an auto-player to quickly progress in the massively multiplayer online role-playing game (MMORPG) Lineage and were able to use the game’s market to obtain real currency.
In 2013, South Korean officials released information stating they had found evidence that North Korea was using games as a medium for infecting machines and launching cyber attacks. North Korea had used game downloads to infect 100,000 South Korean machines for a botnet used to launch a distributed denial of service (DDoS) attack against Incheon Airport.
Sanctions over the North's controversial nuclear programme have impaired its ability to source electronic kit directly.
Sanctions against North Korea and export laws prohibit the sale of certain technologies to the regime. In other words, in order to obtain the technology needed for a cyber warfare program, the regime must improvise. North Korea must develop its own technology, manufacture technology using plans obtained via industrial espionage, or rely on third parties to procure it for them. However, the regime has historically failed in its attempts at large-scale production of electronic components.
Reports from July estimated North Korea’s hacker corps was 5,900 strong. Many of these form part of the Korean People’s Army. The most notable of these – according to South Korea's Cyber Terror Response Center – is Unit 121, which has a dual intelligence and attack role. One of Unit 121’s command posts is allegedly in a certain hotel in Shenyang, China. According to HP's report, another significant information warfare unit, the so-called "No. 91 Office" hacking group, is based in Pyongyang.
Appetite for destruction
North Korea has often been suspected of being behind malware and DDoS attacks against the South. According to statements from the South Korean government, North Korea’s Lab 110 was behind the DarkSeoul PC-wiping malware that affected banks and media organisations. South Korean intelligence reports stated that Lab 110, which is affiliated with the regime’s defence ministry, was ordered by the North Korean regime to destroy South Korean communications networks.
The North even maintains a battalion of internet trolls who are running psyops against the citizens of South Korea, as HP explains.
North Korea even uses “trolling” as a PSYOP tactic. On the Internet, “trolls” are users who post messages that are often crass, controversial, inflammatory, or offensive, in order to evoke a strong reaction or influence a reader’s opinion. Often, the motivation for trolling is simply for the troll’s enjoyment. The rude and offensive trolling tactics are in stark contrast to traditional forms of persuasive rhetoric. However, North Korea reportedly utilises over 200 military intelligence operatives to troll South Korean message boards and social media pages with pro-North Korean sentiments.
North Korea reportedly has the electronic warfare capabilities to jam GPS and to inject false GPS coordinates. The NORKS demonstrated these capabilities in March 2011 by jamming South Korea’s GPS signals during a joint US-South Korea military exercise.
HP Security Research's full 75-page report into the cyber threat landscape within North Korea can be found here (PDF). The study, which also looks at how North Korea attempts to maintain secrecy over its cyber warfare capabilities, is based on open source intelligence gathered and analysed by HP’s malware researchers. ®