3 November 2017

NORTH KOREA – DAVID OF THE CYBER WORLD?

In 2004 I went to deliver a talk and chair a session on Cyber War at the College of Defence Management, Secunderabad. After the session, one of the participating officers of the Higher Defence Management Course, who was writing his dissertation on a related topic, engaged me in a discussion: North Korea has no internet connection, so how does it do business? My answer, that in today’s world no country can afford a complete disconnect, did not seem to satisfy him. Of course, Sony happened later. Now Russia is providing North Korea with internet connectivity when others have blocked it.

Here is a take on North Korea’s Cyber capabilities. 

NORTH KOREA – DAVID OF THE CYBER WORLD? 

- Maj Gen P K Mallick, VSM (Retd)

Frequently, senior political leaders, cyber security professionals, and diplomats describe North Korean leaders or their respective actions as “crazy,” “erratic,” or “not rational.” This is not the case. When examined through the lens of North Korean military strategy, national goals, and security perceptions, cyber activities correspond to their larger approach. North Korean cyber actors are not crazy or irrational: they just have a wider operational scope than most other intelligence services. 

And just as Western analysts once scoffed at the potential of the North’s nuclear program, so did experts dismiss its cyber potential — only to now acknowledge that hacking is an almost perfect weapon for a Pyongyang that is isolated and has little to lose. The country’s primitive infrastructure is far less vulnerable to cyber retaliation. North Korean hackers operate outside the country, anyway. Sanctions offer no useful response, since a raft of sanctions are already imposed. And Mr. Kim’s advisers are betting that no one will respond to a cyberattack with a military attack, for fear of a catastrophic escalation between North and South Korea.


North Korea is emerging as a significant actor in cyberspace with both its clandestine and military organizations gaining the ability to conduct cyber operations. Cyber attacks in South Korea and the United States have recently been associated with North Korea. The U.S. and Republic of Korea (ROK) governments attribute recent incidents, including the November 2014 attack against Sony Pictures Entertainment and the March 2013 attacks against South Korean banks and media agencies, respectively, to North Korea. These attacks have shown that the country is capable of conducting damaging and disruptive cyber attacks during peacetime. North Korea seems heavily invested in growing and developing its cyber capabilities for both political and military purposes. 

A 2016 University of Washington study succinctly summarizes North Korea’s asymmetric military strategy: since the end of the Korean War, North Korea has developed an asymmetric military strategy, weapons, and strength because its conventional military power is far weaker than that of the U.S. and South Korea. Thus, North Korea has developed three military strategic pillars: surprise attack, quick decisive war, and mixed tactics. First, its surprise attack strategy refers to attacking the enemy at an unexpected time and place. Second, its quick decisive war strategy is to defeat the South Korean military before the U.S. military or the international community can intervene. Lastly, its mixed tactics strategy is to use multiple tactics at the same time to achieve its strategic goal.

Despite its near-constant tirade of bellicose rhetoric and professions of strength, North Korea fundamentally views the world from a position of weakness and has developed a national strategy that utilizes its comparative strengths — complete control over a population of 25 million people and unflinching devotion to the Kim hereditary dynasty.

In this context, criminality, terrorism, and destructive cyber attacks all fit within the North Korean asymmetric military strategy which emphasizes surprise attacks and mixed tactics. The criminality and cyber attacks also have the added bonus of enabling North Korea to undermine the very international economic and political systems that constrain and punish it. 

North Korea has relied on various asymmetric and irregular means to sidestep the conventional military deadlock on the peninsula while also preparing these means for use should a war break out. Cyber capabilities provide another means of exploiting U.S. and ROK vulnerabilities at relatively low intensity while minimizing the risk of retaliation or escalation. In this context, cyber capabilities are logical extensions of both North Korea’s peacetime and wartime operations.

Cyber Capabilities and Asymmetric Strategy. North Korea sees cyber operations as a relatively low-cost and low-risk means of targeting the vulnerabilities of a state that relies heavily on cyberspace for national and military activity. Disruptive or destructive cyber attacks allow for direct power projection against a distant adversary without physical infiltration or attack. Cyber capabilities are also an effective means to severely disrupt or neutralize the benefits of having a networked military. Issues of attribution and the lack of firmly established norms make it hard for the defender to communicate red lines and threats.

North Korea’s Cyber Strategy. Cyber operations should be thought of as an extension of North Korea’s broader national strategy. During peacetime, cyber capabilities allow the DPRK to upset the status quo with little risk of retaliation or immediate operational risk. During wartime, the DPRK would target U.S. and ROK command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) in support of the DPRK’s “quick war, quick end” strategy. North Korean cyber doctrine, if one exists, may be premised on the idea that an extensively networked military is vulnerable to cyber capabilities. 

North Korea began identifying promising students at an early age for special training, sending many to China’s top computer science programs. In the late 1990s, the Federal Bureau of Investigation’s counterintelligence division noticed that North Koreans assigned to work at the United Nations were also quietly enrolling in university computer programming courses in New York. 

“Cyber is a tailor-made instrument of power for them,” said Chris Inglis, a former deputy director of the National Security Agency, who now teaches about security at the United States Naval Academy. “There’s a low cost of entry, it’s largely asymmetrical, there’s some degree of anonymity and stealth in its use. It can hold large swaths of nation state infrastructure and private-sector infrastructure at risk. It’s a source of income.” Mr. Inglis, speaking at the Cambridge Cyber Summit added: “You could argue that they have one of the most successful cyber programs on the planet, not because it’s technically sophisticated, but because it has achieved all of their aims at very low cost.” 

From Minor Leaguers to Serious Hackers 

Kim Jong-il, the father of the current dictator and the initiator of North Korea’s cyber operations, was a movie lover who became an internet enthusiast, a luxury reserved for the country’s elite. When Mr. Kim died in 2011, the country was estimated to have 1,024 IP addresses, fewer than on most New York City blocks. Mr. Kim, like the Chinese, initially saw the internet as a threat to his regime’s ironclad control over information. But his attitude began to change in the early 1990s, after a group of North Korean computer scientists returned from travel abroad proposing to use the web to spy on and attack enemies like the United States and South Korea, according to defectors. 

The North’s cyberwarfare unit gained priority after the 2003 invasion of Iraq by the United States. After watching the American “shock and awe” campaign on CNN, Kim Jong-il issued a warning to his military. “If warfare was about bullets and oil until now,” he told top commanders, “warfare in the 21st century is about information.”

When Kim Jong-un succeeded his father in 2011, he expanded the cyber mission beyond serving as just a weapon of war, focusing also on theft, harassment and political score-settling. “Cyberwarfare, along with nuclear weapons and missiles, is an ‘all-purpose sword’ that guarantees our military’s capability to strike relentlessly,” Kim Jong-un reportedly declared.

“We’re already sanctioning anything and everything we can,” said Robert P. Silvers, the former assistant secretary for cyberpolicy at the Department of Homeland Security during the Obama administration. “They’re already the most isolated nation in the world.” By 2012, government officials and private researchers say, North Korea had dispersed its hacking teams abroad, relying principally on China’s internet infrastructure. This allowed the North to exploit largely nonsecure internet connections and maintain a degree of plausible deniability.

The Organization of DPRK’s Cyber Operations 

North Korea’s cyber operations are not ad hoc, isolated incidents. They are the result of deliberate and organized efforts under the direction of preexisting organizations with established goals and missions that directly support the country’s national strategy. Knowing which North Korean organizations plan and execute cyber operations is important because North Korea does not publish its own cyber strategy or doctrine. Examining an organization’s historic goals and missions as well as analyzing their known patterns of behavior are the next best option for predicting how North Korea will operationalize cyber capabilities. A top-down perspective on North Korea’s cyber operations shows which organizations conduct cyber operations and how strongly they influence operational purposes. The Reconnaissance General Bureau and the General Staff Department of the KPA generally control most of North Korea’s known cyber capabilities. These two organizations are responsible for peacetime provocations and wartime disruptive operations, respectively. 

1. The Reconnaissance General Bureau: The RGB is the primary intelligence and clandestine operations organ known within the North Korean government and is historically associated with peacetime commando raids, infiltrations, disruptions and other clandestine operations, including the 2014 Sony Pictures Entertainment attack. The RGB controls the bulk of known DPRK cyber capabilities, mainly under Bureau 121 or its potential successor, the Cyber Warfare Guidance Bureau. There may be a recent or ongoing reorganization within the RGB that promoted Bureau 121 to a higher rank or even established it as the centralized entity for cyber operations. RGB cyber capabilities are likely to be in direct support of the RGB’s aforementioned missions. In peacetime, it is also likely to be the more important or active of the two main organizations with cyber capabilities in the DPRK. 

2. The General Staff Department (GSD): The General Staff Department of the KPA oversees military operations and units, including the DPRK’s growing conventional military cyber capabilities. It is tasked with operational planning and ensuring the readiness of the KPA should war break out on the Korean peninsula. It is not currently associated with direct cyber provocations in the same way that the RGB is, but its cyber units may be tasked with preparing disruptive attacks and cyber operations in support of conventional military operations. North Korea’s emphasis on combined arms and mixed operations suggests that cyber units will coordinate with or be incorporated as elements within larger conventional military formations. 

3. North Korea’s Technology Base: The DPRK maintains an information technology base that can serve as a general research and development foundation for computer technology and programming. The existence of a software and computer industry means the DPRK’s technical industries are not as primitive as many think. 

The Reconnaissance General Bureau (RGB), also known as “Unit 586,” was formed in 2009 after a large restructure of several state, military, and party intelligence elements. It has since emerged as not just the dominant North Korean foreign intelligence service, but also the center for clandestine operations. 

As North Korea’s lead for clandestine operations, the RGB is also likely the primary cyber operations organization. As the Center for Strategic and International Studies described in a 2015 report, for the RGB to be in control of cyber assets indicates that the DPRK intends to use these assets for provocative purposes. The RGB probably consists of seven bureaus: six original bureaus and a new seventh (Bureau 121) that was likely added sometime after 2013.

RGB organizational chart, compiled with information from The Korea Herald, 38 North, and CSIS.

Bureau 121 is probably North Korea’s primary cyber operations unit, but there are other units within the KPA and KWP that may also conduct cyber operations.

Lazarus Group, now known to be a North Korean state-sponsored actor, has been conducting operations since at least 2009, beginning with a DDoS attack on U.S. and South Korean websites using the MYDOOM worm. Until late 2015, Lazarus Group cyber activities primarily focused on South Korean and U.S. government and financial organizations, including the destructive attacks on South Korea’s banking and media sectors in 2013 and the highly publicized attack on Sony Pictures Entertainment in 2014.

North Korean Cyber Activities 

Sony Cyber Attack. North Korea’s most famous cyberattack came in 2014, against Sony Pictures Entertainment, in a largely successful effort to block the release of a movie that satirized Mr. Kim. In August 2014, North Korean hackers went after a British broadcaster, Channel Four, which had announced plans for a television series about a British nuclear scientist kidnapped in Pyongyang. 

First, the North Koreans protested to the British government. “A scandalous farce,” North Korea called the series. When that was ignored, British authorities found that the North had hacked into the television network’s computer system. The attack was stopped before inflicting any damage, and David Abraham, the chief executive of Channel Four, initially vowed to continue the production. 

That attack, however, was just a prelude. When Sony Pictures Entertainment released a trailer for “The Interview,” Pyongyang wrote a letter of complaint to the secretary general of the United Nations to stop the production. Then came threats to Sony. In September 2014, while still attempting to crack Channel 4, North Korean hackers buried deep into Sony’s networks, lurking patiently for the next three months, as both Sony and American intelligence completely missed their presence. On Nov. 24, the attack on Sony began: Employees arriving at work that day found their computer screens taken over by a picture of a red skeleton with a message signed “GOP,” for “Guardians of Peace.” 

“We’ve obtained all your internal data including your secrets and top secrets,” the message said. “If you don’t obey us, we’ll release data shown below to the world.” That was actually a diversion: The code destroyed 70 percent of Sony Pictures’ laptops and computers. Sony employees were reduced to communicating via pen, paper and phone. 

Sony struggled to distribute the film as theaters were intimidated. In London, outside investors in Channel Four’s North Korea project suddenly dried up, and the project effectively died. The Obama White House responded to the Sony hack with sanctions that the North barely noticed, but with no other retaliation. 

Theft of South Korea’s Operational Plans

North Korean hackers stole a huge trove of classified U.S. and South Korean military documents last year, including a plan to “decapitate” the leadership in Pyongyang in the event of war. North Korean hackers broke into the Defense Integrated Data Center in September last year to steal secret files, including American and South Korean “operational plans” for wartime action. The data center is the main headquarters of South Korea’s defense network.

The stolen documents included OPLAN 5015, a plan drafted two years ago for dealing with full-blown war with North Korea and said to include procedures to “decapitate” the North Korean leadership. The cache also included OPLAN 3100, outlining the military response to infiltration by North Korean commandos or another local provocation, as well as a contingency plan in case of a sudden change in North Korea. Yonhap News Agency reported that the hackers took 235 gigabytes of military documents and that almost 80 percent of the stolen documents have not yet been identified. The documents also included reports on key South Korean and U.S. military personnel, the minutes of meetings about South Korean-U.S. military drills, and data on military installations and power plants in South Korea, reported the Chosun Ilbo, South Korea’s largest newspaper.

In May, the Defense Ministry disclosed that the South Korean military’s intranet had been hacked by people “presumed to be North Koreans.” But the military said that only 53 gigabytes of information were stolen, and it did not reveal what was included. The previous month, reports emerged that North Korean hackers had broken into the Defense Ministry network and infected more than 3,000 computers, including the defense minister’s, with malware. At the time, South Korean newspapers, quoting unnamed government officials, reported that parts of one operational plan, OPLAN 5027, which outlines troop deployment plans and key North Korean targets, were stolen.

Information War 

North Korea was potentially behind phony evacuation messages sent via cellphones and social media to military families and defense personnel in South Korea last month. That incident raises the possibility that last year’s breach yielded the personal information used to target the notifications.

This is hardly the first time that Kim’s regime has been accused of cyberattacks. The country’s spy agency, the Reconnaissance General Bureau, is thought to have assembled a large cyber army, assumed to be based in China, to launch such hacks.

To be continued....
