23 January 2015

North Korea’s Cyber Capability- A “Magic Weapon”

By Suparna Banerjee 

The paper attempts to highlight the depth of the North Korean cyber strategy in light of the recent attack on the SONY Entertainments. It also puts into perspective the manner in which the country has consistently used this instrument to torment its adversaries.


It all began with a movie named “The Interview” which revolves around a plot to assassinate the supreme leader of North Korea (officially known as Democratic People’s Republic of Korea or DPRK), Kim Jong Un. United States, more particularly the SONY Entertainment the distributor of the movie, found itself at the receiving end of one of the biggest hacking attempt allegedly committed by DPRK. While the war of words flung across the Pacific with allegations and its rebuttal by both sides. DPRK outrightly rejected its involvement but praised it as the righteous deed of its supporters and sympathisers. In retaliation North Korea went off the internet on 22nd December which was restored only nine and half hours later. While SONY overturned its earlier decision to postpone the release of the movie after severe criticisms from the US President, DPRK reacted stating that “Obama always goes reckless in words and deeds like a monkey in a tropical forest.” The allegation against North Korea, though, was based on circumstantial evidence linking the similarity in the attack by the North against South Korean companies and banks in 2013. The recent attack is claimed to have been done by a group called “Guardians of Peace” which is quite similar to taking unknown names like the Dark Seoul gang responsible for the Seoul cyber attack.

What is Bureau 121?

This small unit hogged the limelight after the recent cyber attack on SONY. It is alleged that the unit is the architect behind the cyber disruptions which leaked important documents and files pertaining to finances and personal details of the employees of the Media House. A small, impoverished ‘hermit kingdom’, known for its scathing attack on the west and presently capturing the world attention for its nuclear programme and human rights abuse, it is capable enough to paralyse the network of one of the most powerful business houses in one of the most secured place on earth. Thus the question that needs attention is how this is possible. This is made possible by the elite hacking cell called Bureau 121 which is just a tip of the ice-berg. The most talented computer experts are recruited for training and it forms part of the General Bureau of Reconnaissance. A North Korean defector stated that students are picked as young as 17. After five years of rigorous training they are to join Bureau 121. Access to internet in North Korea is very limited with internet traffic passing through a single connection provided by China Unicom. The country has a single Internet Protocol (IP) address making it a sitting duck of accidental or intentional internet shutdown. Thus in a country where internet is so sought after, its users form a privileged league. For every 2500 applicants only 100 are selected every year. It is reported that almost 1800 hackers are employed at the unit conducting campaigns under what is known as the “secret war”. It is thus widely speculated that the students selected from DPRK to be trained in a media course in UK organised by the Foreign and Commonwealth office will merely help to pedal propaganda for the North Korean leader. The project titled, ‘Inside out: Working in North Korea to connect its journalist to the outside world’ is to be delivered by the Thomson Foundation under the ‘critical engagement’ activities with the country, this year.

How lethal is the ‘weapon’?

In a testimony given to the House Armed Services Committee General Curtis M. Scaparrotti, stated that “North Korea remains a significant threat to United States’ interests, the security of South Korea, and the international community due to its willingness to use force, its continued development and proliferation of nuclear weapon and long range ballistic missile programs, and its abuse of its citizens’ human rights, as well as the legitimate interests of its neighbours and the international community. ”Scaparrotti stressed that “While North Korea’s massive conventional forces have been declining due to aging and lack of resources…North Korea is emphasizing the development of its asymmetric capabilities.”

North Korean Cyber and Intelligence organisational chart

The above chart clearly reveals how deep the infrastructure of cyber security runs as an unconventional and low cost weapon. According to the same report the regime picks up student who show rare mathematical talent and sends them for advanced training. Science and technology students are expected to learn foreign languages which may include Chinese, Japanese and English. Around age twelve or thirteen, chosen students are enrolled in accelerated computer courses at First and Second Geumseong Senior-Middle Schools. The successful students are then sent to Kim Il-sung University, Kim Chaek University of Technology or the Command Automation University, traditionally known as Mirim University. Some of the more prominent North Korean hacking actors apart from Dark Seoul are Whols team (responsible for “March 20” attacks targeting South Korea), IsOne (June 2012 attack on the South Korean newspaper JoongAng Ilbo, the Kimsuky malware (targeted the South Korean think tanks), and the new Romantic Cyber Army (also took credit for the March 20th attack).

A timeline of the major North Korean cyber activity

North Korea gains access to 33 South Korean military wireless communication networks 275 

The U.S. State Department is attacked by entities in the East Asia-Pacific region. The attacks coincided with State Department negotiations with North Korea regarding the regime’s nuclear missile tests. (June) 
A South Korean military official states North Korea’s Unit 121 has breached South Korean and U.S. military entities. (July) 

North Korea tests a logic bomb (October) 

North Korea states that it is “fully ready for any form of high-tech war.” (June) 
Dark Seoul DDoS and disk wiping malware targeting South Korean and U.S. government, media outlet, and financial websites. These attacks also coincided with U.S. Independence Day. (July) 
Malware for “Operation Troy” was likely planted 

Dark Seoul Backdoor. Prioxer detected (June) 
Korean Central News Agency website becomes North Korea’s first known direct connection to the Internet (October) 

“10 Days of Rain” Attack - Dark Seoul DDoS and disk wiping malware against South Korean media, financial, and critical infrastructure targets (March) 
North Korea disrupts South Korean GPS signals (March) 
North Korea reportedly attempts DDoS attack against Incheon Airport 
Nonghyup bank suffers DDoS attack (April) 

South Korean newspaper JoongAng Ilbo attacked (June) 
Dark Seoul Downloader.Castov detected (October) 
North Korea signs treaty with Iran, agreeing to combat “common enemies” in cyberspace 

“March 20” disk wiping attacks against South Korean media and financial institutions (March) 
Whols Team claims responsibility for attacking LG +U website with wiper malware and defacement, impacting South Korean media and financial institutions (March) 
The New Romantic Cyber Army Team claims responsibility for the same attacks 
North Korea experiences 36-hour Internet outage. The cause was never definitively determined 
Anonymous launches #OpNorthKorea and targets North Korean websites (March) 
Anonymous allegedly hacks Uriminzokkiri and takes over its Twitter and Flickr pages (April) 
Dark Seoul attack on South Korean financial institutions (May) 
Dark Seoul DDoS attacks against South Korean government’s DNS server (June) 
Details on Kimsuky malware, which targeted South Korean think tanks, first released (September) 

North Korean drones found near South Korean border (March and April) 


The weapon comes handy for the self-imposed isolated country in, if not anything, compromising the security of some of the-well protected places on earth. Questions like the viability of the cyber infrastructure, the strength of the cyber damage inflicted or the extent of the protection in the face of counter measures remain open to experts. What can be well concluded for the moment is that the country has crafted a niche strategy for itself to torment its adversaries.

The author is Junior Research Fellow at National Institute of Advanced Studies, Bangalore. Views expresesed are personal. 

No comments: