Whether North Korea’s nuclear and missile test pause is a signal or just the standard lull before the winter training cycle remains to be seen. But one thing does seem to be constant: the steady drumbeat of news about North Korean cyber activity (Adam Meyers at 38North recently undertook a parallel inventory). Cyber appears to be the near-perfect North Korean response to mounting outside pressure. Chris Inglis, former deputy of the National Security Agency (NSA) nicely summarizes both opportunity and motive in a high-quality overview of the issue at the New York Times: “There’s a low cost of entry, it’s largely asymmetrical, there’s some degree of anonymity and stealth in its use. It can hold large swaths of nation state infrastructure and private-sector infrastructure at risk. It’s a source of income.” It is not our comparative advantage to parse the technical issues at stake. But the scope of recent action raises a number of vexing issues for policy, including how to deter such activity. How forcefully should the United States and South Korea respond to attacks that are clearly seeking to fly beneath the threshold of escalation? And how far into offensive operations does the United States need to wander and with what effect?
If sanctions are about to bite, we can count on Inglis’ last motive—making money—rising to the fore. In the most recent example of efforts at outright theft, BAE researchers disclosed technical details of a breach of a Taiwanese bank that initially managed to transfer as much $60 million from accounts of the Far Eastern International Bank. The forensic analysis yielded evidence of the Lazarus group, presumed to be a North Korean state-sponsored hacking collective (WSJ coverage here) held responsible for the Sony Pictures hack of 2014 and the 2016 Bangladesh bank theft that we covered here. As in the latter, Lazarus exploited the Society for Worldwide Interbank Financial Telecommunication (SWIFT) system. Taiwan authorities claim that the transactions were reversed, most of the money was recovered, and Sri Lanka even managed to nab two individuals associated with the transfers (see Security Week here and here). More recently, the group appears to have developed an interest in bitcoin and other cybercurrencies, hacking into a South Korean exchange (Bitcoin coverage here, FireEye here). Moreover, the group has invested in figuring out how to move cryptocurrencies into more readily-usable forms of foreign exchange. Back in February, Symantec reported on a complex “watering hole” attack on a Polish financial regulator’s website. When bank employees from banking firms across the world access the infected site in the normal course of their business, the site injected malware into the machines accessing it, allowing North Korean cyber criminals to use the infected machines from various worldwide banks to move their ill-gotten gains to cleaner bank accounts and subsequently liquidate the assets.
In the New York Times overview, former British Director of Government Communications Robert Hannigan is quoted as saying that these efforts could net the Kim regime as much as $1 billion a year; we doubt it, as this would amount to close to a third of the Kim regime’s annual trade. Moreover, if the Taiwan authorities are correct, these efforts hardly have a 100 percent success rate, and some of them are small bore: Apparently, the South Korean hack only managed to net less than $100,000. Nonetheless, the effort is there, and we can only expect more of it.
Advanced Persistent Threat against the South
Money is not the only objective of North Korean efforts; more traditional espionage, theft of intellectual property, and simply malicious behavior vis-à-vis the South also are in play. In the last two weeks, it has come to light that North Korean hackers were able to breach ROK military computer networks last year and make off with some 235 megabytes of documents. ROK lawmaker Rhee Cheol-hee disclosed the breach, and it subsequently came to light that the hacked material included a version of the joint ROK-US Operations Plan 5015 (excellent Times coverage here); given that the plan includes contingencies for decapitating the regime, the theft also constituted a kind of propaganda coup for the North, confirming the perennial charge of “hostile intent.” The ROK military computers are presumably air-gapped, or separated from the Internet at large, but were rendered accessible during a maintenance operation when the system was connected to the Internet in order to update the network. Later in October, another ROK lawmaker, Kyeong Dae-Soo, revealed that North Korean hackers also stole blueprints from Daewoo Shipbuilding and Marine Engineering Company, including information on construction technology, blueprints, weapons systems, and evaluations of ships and submarines. All this in addition to the usual malware efforts, including Maniber analyzed by Trend Micro.
Is Critical Infrastructure in the United States at Risk?
Needless to say, South Korea is not the only target. Last month, NBC secured access to a proprietary FireEye report on attacks against a number of American companies that rely—as many do—on industrial control systems that could be vulnerable. Cyberscoop reported the breach of a US energy firm’s networks, even though no damage was done and the attack appeared exploratory; indeed, this could be a virtual non-story given the volume of attacks such companies face on a regular basis. Nonetheless, it raised the question once again of how vulnerable critical infrastructure might be to growing North Korean capabilities.
How to Respond?
The United States is clearly taking notice. In an interesting development, the Computer Emergency Readiness Team (US-CERT) has not only given malicious North Korean cyber activity a handle (Hidden Cobra) but has set up a webpage that promises to track it, with four alerts posted to date and two coming in the last week alone (on FALLCHILL, in use since 2013, and Volgmer malware, in use since 2016). The problems of deterring such activity are complicated precisely by the networked nature of the challenges. According to US-CERT, countries suspected to be used as bases of operations for these two threats alone include Armenia, Azerbaijan, Bahrain, Bangladesh, China, Egypt, Georgia, Indonesia, Iran, the Maldives, Nepal, Pakistan, Saudi Arabia, Singapore, Sri Lanka, Taiwan, Thailand, and the United Kingdom. And the density of activities does not entirely match the “usual suspects” list: India is estimated to hold the vast majority of IP addresses associated with Hidden Cobra, roughly a quarter (25.4 percent), with Iran and Pakistan runners-up, with 12.3 percent and 11.3 percent respectively. China, often thought to be a primary base location for DPRK cyber-ops, only accounts for 2.7 percent of the suspected Hidden Cobra IPs.
But the response is not necessarily limited to playing defense. In late September, the Washington Post broke an extremely important story on the fact that President Trump had ordered a pressure campaign against North Korea that was not limited to the standard sanctions instruments that we cover here, but to offensive cyber actions as well. According to the Post story, “as part of the campaign, U.S. Cyber Command targeted hackers in North Korea’s military spy agency, the Reconnaissance General Bureau, by barraging their computer servers with traffic that choked off Internet access.” Recently, news reports have surfaced of an evolving remote access trojan (RAT) dubbed KONNI that has been targeting North Korean officials abroad via email spear-phishing (Cylance offers up a technical analysis). The malware seems to be focused on information gathering but has been evolving in capabilities and could well emanate from an official source.
Thinking about how sanctions, diplomacy, military signaling, and cyber all fit together into a coherent picture is incipient to say the least. At the Diplomat, Ankit Panda reflected on the fact that the cyber campaign might explain Defense Secretary James Mattis’ cryptic comment about having options that do not put Seoul at risk. This is clearly a game that two can play: It is not just the United States that may be hamstrung by the ability to respond effectively if pressure of this sort is ratched up. It is hard to escape the conclusion, though, that asymmetry in this instance favors the North Koreans. The problems for the United States run far deeper than is fully appreciated, as Russian hacks of the NSA itself—under the Shadow Brokers moniker—have released crucial tools into the wild where they are likely to be picked up precisely by North Korean groups like Lazarus among others. This front in the US–South Korea–North Korea conundrum is just opening.
Witness to Transformation Posts on Cyber
Is the Test of Wills Going Cyber?, October 6, 2017
Cyber Update: Cashing Bitcoin, Other Mischief and Just Surfing the Web, August 9, 2017
The Malware Affair, on Wannacry, May 23, 2017
Slave to the Blog: The Willie Horton Edition, April 6, 2017
North Korean Cyber Heists: They're Back!, March 29, 2017
The Bank Heist Cases, June 1, 2016
The Korean Stuxnet Story, June 2, 2015
The Korea Hydro and Nuclear Power Company Hacks, February 13, 2015
Coverage of the Sony Hack:
Haggard and Lindsay on the Sony Hack, May 28, 2015
Snowden and the Sony Hack, February 9, 2015
The Hack Part II: Public and Private Responses, December 21, 2015
The Hack Part 1: The Hollywood Dimension, December 18, 2014
Hack Attack Early Roundup, December 12, 2014