This is the second part of a two-part series on North Korea’s cyber crime and cyber warfare capabilities. Part 1 can be read here.
North Korea, home to a population of 25.6 million and an army of over 1.2 million, may be the world’s most militarized nation, per capita.
Its conventional threats are largely aimed at South Korea and Japan, while its nuclear-tipped intercontinental ballistic missiles are believed to have the capability to traverse the Pacific and strike the mainland US. But despite its obvious punch, this formidable force faces long odds.
South Korea and Japan both boast larger populations and vastly larger economies. Both are home to high-tech militaries themselves. And both are allied, separately, to the United States, which wields an armory even North Korea cannot match.
These realities force Pyongyang to keep its physical assets on a tight leash – but that is not the case for its virtual assets. Veiled by a deep-cover cloak of deniability, constantly operational and untrammeled by geographical limits, North Korean cyber commandos have hit targets across the web and across the globe.
Choi Sang-myeon, or Simon Choi, a Seoul-based cyber security expert who monitors North Korean hacking activity as the head of the not-for-profit Issue Makers Lab, says the North’s online operations have a range of aims.
One, Choi maintains, is to demonstrate its fearsome capabilities by unleashing deniable-but-fingerprinted chaos, such as 2017’s Wannacry attack. A similarly abstract aim is to defend the dignity of the Kims.
But Pyongyang’s hackers also have more concrete goals: Stealing digital money for a cash-strapped regime and accessing military – even nuclear – information from overseas.
Given that North Korea’s leadership – the subject of a vast, nationwide personality cult – is treated as sacred in the state, overseas organizations which mock the Kims face the risk of cyber assault, Choi said. In 2014 Sony Pictures, which had produced a satirical comedy in which Kim Jong Un was a central character, faced exactly that.
The attack dumped confidential and embarrassing Sony information and damaged systems after infiltration of hard drives. Sony reportedly set aside $15 million to repair the damage and halted the film’s screening. Though some experts considered the hack the work of a Sony insider, others disagreed. Washington, too, blamed it on North Korea, which denied it via state media.
Subsequently, a British TV production company planning a series that was part-set in North Korea also reportedly came under attack. It shelved the series.
Other incidents do not make international news as they are focused on targets in North Korea’s backyard competitor – South Korea.
Choi cites Thae Yong-ho, the former deputy North Korean ambassador to London. A prominent defector, Thae is currently a National Assemblyman with the conservative opposition. Since his arrival in South Korea in 2016, he has been a relentless critic of Pyongyang.
“Thae was working with a media outlet writing about North Korea, so they tried to hack that media company,” Choi said.
South Korea is home to a defector community of over 33,000. This community, which not only shares information within and about itself but also maintains clandestine contact with family members and other sources inside North Korea, is of obvious interest to Pyongyang’s state security apparatus.
“They target the online communications of North Korean defectors when they connect to websites, they hack emails and KakaoTalk messages and acquire information like that,” he said.
In a high-profile incident in 2018, the personal data of almost 1,000 defectors who had attended a South Korean resettlement center was publicly released after a computer in the center was infiltrated with malicious code. It is still not clear whether North Korea was behind that; Choi believes it was.
A more concrete aim for the heavily sanctioned, impoverished nation is to secure hard cash through online theft. Choi has tracked these financial crimes back to 2012. Several patterns have emerged.
From 2014 onward, North Korean hackers went after banks. They have broken into the online systems of South Korean banks and attacked banks in less developed countries, notably the central bank of Bangladesh and an undisclosed Vietnamese bank, both in 2016.
The raid on the Bangladesh Bank, conducted using fake messages sent via the Swift international transaction system, is believed to have netted the hackers over $80 million. It also raised questions over the vulnerabilities of the Swift system itself.
Moreover, in 2014 or 2015, North Korea started mining Bitcoin, Choi said. Last year they attacked Bitcoin wallets and managed to extract some coins, though he does not have a figure for the amount stolen.
And it is not just money North Korea is stealing.
The impoverished country has sacrificed its civil economy on the altar of a nuclear deterrent – a stark contrast to the manufacturing and export superpowers of China, South Korea and Japan. This means it lacks the resources to generate or apply such next-generation technologies as 5G, AI and supercomputing – but it does not mean it is not up-to-date on the latest developments.
“When I was monitoring the movements of North Korean hackers, I found they had gone into the servers of online lectures related to the latest tech,” Choi said.
And they are not afraid to target the best in the business.
“In their hacking attempts on Google security experts, they got info from Linkedin and Twitter,” he said. “These North Korean hackers tried to create rapport with other experts and then hacked into projects they were working on – this went on for about a year.”
Intelligence, arms technology and atomic infiltration
A golden target for this Asian neo-Prussia is classified information on matters military.
“In our country the war is not yet over,” Choi said, referencing the 1950-53 Korean War, which ended with an armistice. “Obviously, the more information you have, the better, as we don’t know when the truce will end.”
Calling North Korean hackers a “massive threat,” he noted that they broke into the Ministry of National Defense’s system in 2016. Their gains remain classified to the public and unknown to Choi. “I don’t know how much information was taken,” he admitted.
They have also gone after military technologies. After first attempting to hack South Korean weapons firms, they infiltrated arms manufacturers in countries including Turkey and Ukraine. According to Choi’s information, target companies manufactured armored vehicles, artillery and rockets.
The method used was classic spycraft.
“They pose as employees of Boeing, General Dynamics and BAE – for example, they put up a post [claiming to be] from BAE, recruiting from other companies,” Choi said. Once in contact with persons from the target companies, “they can spear phish and conduct industrial espionage.”
“Spear phishing” is phishing – i.e. obtaining information such as passwords and PINs in order to gain access to computers and networks – that targets specific individuals rather than casting a broad net.
One Eastern European arms manufacturer did not know it was under attack until it monitored one of Choi’s tweets. The company contacted Seoul’s Ministry of Defense, which put the firm in touch with Choi, he recalled.
Perhaps the most alarming attack Choi has investigated was a 2019 cyber raid on India’s Kudankulam Nuclear Power Plant, which bestrides the country’s civilian and military atomic programs. Spear phishing enabled the intrusion: According to Choi, malware was dispatched to the emails of two senior plant officers, one of whom was using the plant’s official email address. From there, the hackers were able to infiltrate the online operating systems.
The fingerprints that Issue Makers Lab discovered were Korean-language strings in the malware code, which had previously been used against South Korean targets – including the MOND breach in 2016. Moreover, a North Korean-made computer provided the hack’s launch pad, and the D-track malware utilized has been linked to North Korea’s “Lazarus Group.”
That group purportedly operates under the aegis of the Reconnaissance General Bureau – Pyongyang’s espionage and special-operations arm. According to Russian cybersecurity firm Kaspersky Lab, D-track is able to retrieve browser history, gather IP addresses and information about available networks and connections, list all running processes and list all files on discs.
Choi reckons the intrusion could have disrupted the plant’s operations, but believes the aim was not sabotage; it was more likely an information seizure – possibly aimed at securing secret data on fissile yields.
Despite its widespread and arguably reckless online operations, North Korea has not yet – as far as Asia Times can ascertain – engaged in cyber-terrorism causing loss of life. But that capability is in place.
Cyber assets “can be utilized in a lot of fields – they can disrupt systems and can be directed at life-and-death situations,” Choi said. Fields include such mission-critical physical infrastructure as dams, power plants, hospital facilities, and traffic/traffic-control systems.
“In 2014, North Korean hackers started targeting railroad companies and airlines,” Choi said. “They specifically targeted an automated operating system that controls trains’ speed – that could lead to loss of life.”
Software infiltration could cause far greater loss of life than the deadliest-ever terrorist attack on the United States – without the need for physical terrorists.
“A cyber operations guy could adjust the synchronization of a plane’s controls,” said Chun In-bum, a retired South Korean major general. “Many land by auto pilot, but tweak that a little bit and planes could crash. This might not be 9/11 with four aircraft – it might be 400 aircraft all around the world.”
While North Korea’s cyber capabilities have been widely pinpointed in their offensive role, less is known about their defensive applications.
Home front vulnerabilities
North Korea’s physical commandos – who, for example, stormed the South Korean presidential mansion in 1968, and also attempted to assassinate the South Korean cabinet during a state visit to Burma in 1983 – failed to cover their tracks. In both operations, survivors from the elite units were captured and confessed their identities and missions.
Likewise, Pyongyang’s cyber commandos have also left fingerprints; three have even been named and indicted by the US Justice Department, which has also produced photographs of each of them.
But humans are imperfect. How about systems?
Only a tiny number of North Koreans have access to the World Wide Web – Choi estimates the country has only 1,000 IP addresses (compared to billions in the US). Showing a chart of hacks that took place between 2012 and 2018, Choi said the IP addresses of the hackers link back to China and/or North Korea’s capital, Pyongyang. Most hacks by North Korean hacking groups originate either in Pyongyang, in locations near the country’s border with China, or from within China itself, he said.
North Korea’s web connections may well be targetable.
In a still shadowy episode that has never been confirmed by Washington, North Korea temporarily lost its Internet connection – routed through China – three days after then-US president Barack Obama had said that the United States would launch a “proportional response” to the Sony attack. Experts said the disconnection bore the hallmarks of a Distributed Denial of Service, or DDoS, attack.
Another possible US counter move appears to have met with less success.
It has been alleged in US media that Washington applied “left of launch” operations to halt or slow Pyongyang’s WOMD programs under the Obama administration. Such operations use cyber warfare to interdict components in the supply chain, but the country’s ongoing tests of highly capable missiles suggest the mission was unsuccessful – if, indeed, it was actually conducted.
‘Bright Light,’ steep challenge
Though virtually all North Koreans are firewalled from the web, Pyongyang runs its own intranet, Kwangmyong (“Bright Light”). The service offers locals typical Internet functions – browsers, email, chat groups, etc. But it is fully monitored and unconnected to foreign networks.
Cuba runs a similar operation, and Russia has announced the possibility of firewalling its own corner of the Internet from the web.
Bright Light’s vulnerabilities are difficult to assess. The global hacker collective Anonymous tried to break in in 2013, but although its members hacked several North Korean websites hosted outside the country, none produced any proof of having accessed Bright Light. Two years later, another hacker claimed to have downloaded a local operating system.
Despite the glory that would accrue in the hacker community to whoever infiltrated North Korea’s net, the trail appears to have gone cold.
Choi reckons Bright Light is “incredibly difficult to get in” – but added, “Once you get in they are very vulnerable, I think.”
So has Choi – who has been tracking North Korean hackers since 2014, has directly interfaced with them in real time, and speaks and reads Korean – personally dived down that rabbit hole?
He declined to comment.