By Andrew Haggard
The casual observer may be perplexed by the recent headlines of supposed North Korean hackers effectively bringing Sony Pictures Entertainment’s computer systems to their knees. How does one reconcile NASA photos and satellite images showing the near-entirety of the northern part of the Korean peninsula in utter darkness with the picture of a savvy North Korean hacker able to bring down one of the world’s largest entertainment companies from behind a computer screen?
In recent years, as noted by Alexandre Mansourov in a paper for KEI, North Korea has “begun to develop its own doctrine of cyber operations, which reflects its growing appreciation of the uses and limits of power in cyberspace and application of cyber power in modern warfare.” In a 2009 essay for Naval War College Review, Kim Duk-ki wrote, “The North perceives cyber-warfare tactics to be as important as WMDs and has concentrated on their development.” This is an assessment apparently shared by the ROK’s National Intelligence Service.
The growing emphasis by Pyongyang on developing its cyber war doctrine and capabilities is a rational choice for the regime. South Korea, Japan, and the United States possess superior military technology, and in the event of a conventional war, North Korea would face a stiff battle to win despite its numerically superior military. For North Korea, cyber warfare, along with other asymmetrical forces, permits Pyongyang to inflict serious damage on South Korea, as well as the United States and its allies, while selectively upgrading and investing in its conventional weapons and forces.
Pyongyang is currently estimated to employ in excess of 6,000 cyber warriors based in North Korea, China, Russia, Japan, and elsewhere. The 6,000 figure marks a 100 percent increase from figures suggested by defectors to al Jazeera in 2011. In 2013, Seo Sang-ki, the chairman of the South Korean National Assembly’s intelligence committee, reported that Pyongyang had 4,200 cyber warriors in China to support North Korean cyber warfare operations.
South Korea is particularly prone to cyber attacks by Pyongyang. The extent of the country’s connectedness makes it susceptible to cyber attacks. According to the UN’s International Telecommunication Union, internet penetration in the ROK was at 84.77 percent in 2013, placing it in the top 25 of the most connected countries. Information technology research and development (R&D) in South Korea was valued at U.S. $37.9 billion in 2010, which translates to 3.74% of South Korea’s gross domestic product. By 2010, South Korea’s e-commerce market had grown to nearly eight times its 2001 value, rising to U.S. $645.5 billion. A wave of attacks against computer systems beginning in March and continuing through June 2013 was estimated to have caused 800 billion won in economic damage to South Korea.
There are numerous reports that North Korean cyber warriors have taken advantage of South Korean society’s extensive online connectedness and the popularity of internet gaming. South Korean authorities have repeatedly connected Pyongyang with distributing malware via games and smartphone apps that would allow its cyber warriors to take control of the systems and steal data or launch distributed denial of service, or DDoS, attacks against networks. Between May and mid-September 2014, some 20,000 smartphones were infected with malware contained within apps. Media reports stated the malware would enable the hackers to clandestinely eavesdrop and access the cameras on the smartphones.
According to U.S. Department of Defense reports on the threat North Korea poses, Pyongyang has been implicated in malicious cyber attacks and operations since 2009. Among these attacks are a number of DDoS attacks on South Korean and American networks and websites. An attack against three major South Korean banks and the country’s three largest broadcasters in 2013 was also later attributed to North Korea by the ROK authorities. In that attack, the hackers used malware dubbed “DarkSeoul.” The malware enabled the attackers to effectively shut down critical services and systems, including disabling ATM services and preventing access to client funds. Analysts at McAfee Labs studied the malware used in a number of attacks against South Korean systems and discovered “that there was more to the incident than what was widely reported.” McAfee Labs was able to link the malware used in the March 2013 attacks to a “covert espionage operation.” McAfee Labs asserts this is “all based on the same code.” Through analysis of malware deployed in previous attacks, McAfee Labs discovered that the malware allowed the attackers to search files on a system for a number of English- and Korean-language military keywords in the title and exfiltrate those files.
Now, the U.S. Government has charged and sought to punish North Korea for the Sony Pictures hack in late 2014. Some commentators and IT security professionals (even linguists) have challenged the government’s assertion that Pyongyang was responsible for the attack.* Director of National Intelligence James R. Clapper has personally fingered Kim Yong Chol, the director of the North Korean Reconnaissance General Bureau, as authorizing the campaign against Sony.
In an interview with Fareed Zakaria, Michael Lynton, the CEO of Sony Pictures, claimed, “the FBI and Mandiant, the experts who we brought in, basically said that the malware was so sophisticated that 90 percent of American businesses would have fallen prey to what happened to us.” This would suggest, assuming the FBI’s assessment for responsibility of the attack is correct, that the DPRK has developed substantial cyber capabilities that could wreak havoc on American businesses, let alone businesses in the ROK.
Given the increasing frequency and sophistication of North Korean state-sponsored hacking attempts, the South Korean government has begun debating its cyber defense approach, including the establishment of a ‘cyber defense control tower.’
The South Korean Ministry of Education, Science, and Technology (MEST) has stepped up to coordinate a plan to recruit, train, and foster cyber security specialists in South Korea to help protect the ROK’s information technology infrastructure. MEST hopes to have trained 5,000 cyber security experts over the next two years. The MEST plan is supposed to incorporate the needs of not only the ROK government, but also the private sphere in South Korea, which would provide a more meaningful boost to cyber defense in South Korea.
But despite the moves to increase South Korean cyber security, the ROK faces a very significant cyber security deficit. Estimates by the ministry predicted a shortfall of 2,144 cyber security professionals in 2014. In 2013, the ROK Ministry of Defense had a mere 400 cyber security professionals. A spokesperson for the defense ministry downplayed the risk posed to military networks.
The United States, by contrast, employed 900 cyber warriors at the Defense Department’s Cyber Command, which is headed by Gen. Keith B. Alexander, who also serves as the NSA director. The Defense Department alone spends $3 billion on cyber security annually and plans to add 4,000 civilian and military staff to its Cyber Command in the coming years. But the danger is not confined to strictly military networks; it extends to the private sector, particularly financial institutions and defense firms that would be producing the technology, hardware, and munitions used in a possible conflict. A cyber attack mimicking the one experienced by South Korean firms and Sony could adversely affect communications and manufacturing.
Cyber warfare offers Pyongyang an asymmetrical path to usurp the technological and military superiority of its rivals and enemies, namely the United States, South Korea, and Japan. As such, the DPRK will very likely continue to develop its asymmetrical capabilities with a significant focus on its cyber warfare capabilities, given the relatively low costs of cyber operations and the deniability it offers, since attribution of cyber attacks is often difficult. Undoubtedly, cyber intrusions and attacks by the DPRK will become more sophisticated as the North Koreans learn effective cyber attack strategies from their experiences. The only option is for South Korea and the United States’ public and private sectors to truly get serious about cyber security by developing a multi-layered cyber defense plan, pursuing diplomatic channels to limit cyber espionage, and coordinating public-private approaches to cyber security in order to prevent and mitigate the effects of intrusions.
Andrew Haggard is a blogger and commentator on Korean defense issues. The views expressed here are the author’s alone.
Photo from Fragile Oasis’ photostream on flickr Creative Commons.
* The author is unsure of where blame should lie for the Sony hack, but notes that the FBI specifically noted the tools used in the attack bore resemblance to those used in March 2013 and specifically mentioned “similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks” between the malware used in the latest hack and other cyber attacks attributed to North Korean actors. This is interesting in light of McAfee Labs’ findings in 2013.