Regional Cyberwar: North Korea vs South Korea
Steve Burgess
2012-01-26 00:00:00
URL

North Korea is thought to have targeted cyberattacks against the United States and South Korea since at least 2009, including successful attacks against Korean sites and the public websites of the Federal Trade Commission, Department of the Treasury and (somewhat ineffectively) against the White House.



While the US military has created a beefy military cyberforce in United States Cyber Command (USCYBERCOM), to answer such aggression, South Korea appears to be starting its cyberdefense less assertively. Korea University has teamed up with the South Korean military to create a cyber-defense course of study in its Center for Information Security Technologies (CIST) intending to graduate 30 students per year after a 4-year curriculum. Seems like a timid response to threats from the North. While it's anyone's guess what changes North Korea's new leader, Kim Jong Un, will make in the makeup of military efforts for that country, conventional wisdom suggests that the military will stay largely in control of its own moves. Kim Il Political University, formerly Mirim College, is purported to graduate some 100 trained hackers per year and has hacking units in its Reconnaisance Bureau containing 1,000-3,000 cybertroops ready to be led by the new grads.

The massive DDoS (distributed denial of service) attacks against South Korea in July 2011 were some of North Korea's opening salvos - crude, but effective in shutting down some 40 websites in the South. 30 million customers of Nonghyup Agricultural Bank lost access to their accounts and much data was purported to have been lost permanently. The attack was considered to be the first attack on a financial institution by a state actor.

But was it crude, really? DDoS tends to be more sledgehammer than surgical incision. Preparation for the attack included establishing a broad-based botnet of compromised computers, through the distribution of Trojan horses or other malware to prepare an army of slaved computers listening for orders. Typically then, these millions of slaved computers receive an order to communicate with the victim server. The millions of requests overwhelm the target server or its incoming bandwidth and it is unable to respond to normal, legitimate requests, and may shut down.



The Korean DDoS attacks may have been crude in nature but McAfee Labs researchers say that there were sophisticated attributes in the operation. The malware infecting the botnetted computers was designed to operate for ten days, and then to crash the infected computer such that a full rebuild was likely to be necessary. Such a rebuild would overwrite the operating system, applications and user data making forensic backtracking difficult. Most modern malware preserves the host for future use in the botnet. The Korean attack's malware used a variety of differing and difficult encryptions, further foiling analysis. The attack also used a multitier architecture to make the network more resilient to takedown. These characteristics point to the project being a more sophisticated learning exercise than the fact of the attacks being basic DDoS would suggest. There may have be ulterior motives hidden behind the apparent primitive facade - probing the defense, seeing what barriers pop up in response.

Kim Jong Il died December 17, 2011 - about a month before the writing of this article. Cyber attacks attributed to North Korea had been increasingly reported from 2009 until mid-2011. But, now what? A review of news on the subject for the past six months typically shows articles referencing only the mid-2011 attacks and earlier. Why the hiatus?

Perhaps there has been disruption in the program due to the changing of the "Dear Leader" guard. Perhaps projects have been put on hold until the new tyrant settles in. Kim Jong Un has had educational opportunities in the West and therefore much easier access to computers and the Internet than his fellow countrymen. Some believe he would be more likley to use cyberwarfare rather than, or in addition to, conventional saber-rattling and warfare. Or perhaps the new leader is not in charge and policy direction needs to settle out. Perhaps analysis of results from the July attacks is still being carried out in North Korea, with preparation for a new set.

South Korea has one of the world's most integrated and developed telecommunications networks and as a result may be particularly susceptible to cyberattack. It is no doubt also quite susceptible to EMP. The North's national communications infrastructure is purportedly not very advanced or high-tech. The Internet is inaccessible to the masses, as are cell phones. North Korea is therefore relatively impervious to the kinds of attacks - such as an "accidental" EMP during a weapons "test" - that could cripple more advanced countries, especially ones as close as the South.

Our spy networks do not operate very well with respect to North Korea, "a virtual black hole for most intelligence agencies." The country has a very high level of secrecy and official paranoia. Not much leaks out. Therefore the question arises: is a massive, crippling cyberattack against South Korea's tech infrastructure imminent. Or is this just buying to the paranoia endemic to the North? It's anybody's guess.