STTB: Cyber Thursday



The Interview has been out in theaters and VOD for almost three weeks. Although the Guardians of Peace have not struck back, there is still plenty of fallout from the hack; we offer a brief roundup here.

Sung Kim, special representative for North Korea policy, testified before House Foreign Relations this week. His testimony led with the Sony hack, noting how the sanctions response was consistent with the broader two-track approach of offering a resumption of talks, but simultaneously keeping up the pressure. On Tuesday, President Obama presented a legislative proposal to improve the country’s cyber defense and deterrent capabilities, and protect both companies and their customers from cyber threats.

Many in the cyber community have found the evidence presented by the US government connecting the attack to North Korea lacking. (On this score, we recommend an amazingly detailed blow-by-blow account from Risk Based Security of how the hack unfolded; it will rightly leave you far less confident in your assumptions about who the attackers were and how many different parties may have been involved.) But whether technophiles believe we caught the culprit or not, it has motivated some to root around in the DPRK’s systems and see how things tick:

  • Over at arstechnica, Sean Gallagher found malware droppers embedded in the KCNA website. Although how they are triggered is unclear, in principle they can “deliver a ‘watering hole’ attack against individuals who want to keep tabs on the activities of the DPRK’s dear leader.” That means us, guys. There is even a directory called "siteFiles/exploit" thought this may not be as brazen as it sounds: it could just be a translation of the Korean gaebalhada (개발하다) which can translate to “develop.” (For those wanting to poke around on North Korean websites, North Korea Tech also maintains a list with links, but caveat emptor.)
  • Robert Hansen at White Hat Security took a deep dive into North Korea’s Naenara Web Browser. The findings are pretty technical, but the main takeaway seems to be that North Korea treats its entire country “like a small to medium business would treat a corporate office”, with all of its 16,777,216 addresses in non-routable IP space. This is an obvious way to control activity, as all crash reports, queries for news articles, electronic mail, even calendar entries goes through a single mothership URL.

One source of doubt on the Sony hack was the question of whether North Korea had the cyber capabilities to launch it. In the wake of the attacks on South Korea in 2011, al-Jazeera did an interesting piece based on interviews with two defectors. Kim Heung-kwang (defected in 2004), a trainer of "cyberwarriors", and hacker Jang Se-yul (defected 2008) provided al-Jazeera information on the organization of North Korea’s cyber capabilities, and it is sobering. Students are selected from among the elite for special training. “The Reconnaissance General Bureau then dispatches the hackers - operating undercover - to China, Russia and even Europe, posing as "programmers" keen to learn about developing new commercial programmes that could be sold to earn much-needed foreign currency for the impoverished nation.” In fact, their job is to develop attack programs and to operate like sleeper cells. Drawing on the same sources, The Daily Mail updates the al-Jazeera story.

To date, though, the most comprehensive overview of the open-source information on North Korea’s cyber capabilities comes from HP and was released last August (.pdf here). We will provide more information from this lengthy overview in subsequent posts, but two major points emerge: North Korea is investing heavily in this capability, and as with its nuclear weapons program has demonstrated that overall underdevelopment does not rule out concentrated effort; and second, the Reconnaissance General Bureau is clearly placing agents abroad to work this space. For a more compact discussion of some of these issues, see the Korea Herald.

Finally, it is important to note public reactions to this incident beyond the United States. GWU’s Rising Powers Initiative has an excellent summary of responses to the Sony hack in China, Japan, South Korea, Russia, and India. Spoiler alert: Russia sides with North Korea, and The Interview appears to be a smash hit among Chinese netizens.

More From