Following North Korea’s fifth nuclear test on September 9, concern is mounting in anticipation of the North’s next provocation. Some analysts believe that a launch of long-range ballistic missiles and large-scale cyber attacks may be carried out on October 10, the anniversary of the founding of the Workers’ Party. In the past, the regime has launched crippling cyber attacks soon after nuclear tests conducted in defiance of UN resolutions. North Korean hacking units are possibly already on high alert and ready to engage in cyber warfare once the order is given.
Two months after its second nuclear test on May 25, 2009, North Korea was responsible for the infamous 7.7 DDoS attacks against South Korea’s Blue House (residence of the head of state), government agencies, financial institutions and several portal sites. Following the third nuclear test in February 2013, North Korean hackers followed up with online assaults in March and June (on the anniversary of the start of the Korean War) of the same year, paralyzing infrastructure used by South Korean media and financial institutions, as well as the Blue House and government agencies. The hackers succeeded in stealing personal data relating to key government and industry officials.
Similarly, North Korea again launched a barrage of cyber attacks on South Korean infrastructure shortly after its fourth nuclear test in January this year. Employees of the Korean Railway Research Institute were subjected to sophisticated phishing attacks, while more than 40,000 documents concerning military defense systems were stolen from conglomerates including Hanjin and the SK Group. These more recent attacks show a clear trend toward escalation and more potent capabilities.
North Korean hacking units exhibit strengths in long-term planning and characteristically wait for a specific time to launch attacks, even after successfully gaining access to their targeted systems. This became evident in the attacks against Hanjin and the SK Group, when it was later discovered that the hackers had gained access to the systems at least 20 months earlier.
Moreover, even after seizing control of the administrative servers and networks of some institutions, the hackers have refrained from attacking and have carefully concealed the breach. It must be concluded that North Korean hacking units have been engaging in cyber warfare for a considerable length of time, raising concerns about the magnitude of future assaults.
In an interview with Mr. Sang Myung Choi, director of HAURI CERT (Computer Emergency Response Team), it was revealed that “the North Korean government is preparing cyber warfare on an international scale” aimed at “causing significant economic damage and safety issues, and to instigate social disorder”.
He added that North Korean hackers were “concentrating their efforts on inflicting widespread damage upon military and defense industries” and that “an even greater magnitude of attack will be executed, dwarfing previous DDoS approaches and the targeting of financial institutions”. He further warned that upon “close analysis of recent NK malware, it can only be concluded that NK hackers are aiming to cause significant damage to human life”.
Director Choi is considered a leading expert in the field of computer security and is the head of Issue Makers Lab, a leading group in cyber malware research. He stressed that North Korean hacking units have targeted the South since early 2008 and that the “danger of cyber attacks is rising to a new scale in terms of the damage that will occur”.
He added that ever since Kim Jong Un came to power, these sophisticated attacks have increased dramatically in frequency, audacity, and scale. Director Choi feels that “Kim Jong Un has strengthened what Kim Jong Il started”. While the Kim Jong Il regime’s cyber attacks can be summed up as two major incidents (the 2009 DDoS attack and the freezing of NongHyup’s banking systems in March 2011), “there have been numerous major attacks carried out continuously under the Kim Jong Un regime”.
Furthermore, he stressed that “during the Kim Jong Il era, cyber attacks acted more as threats, with DDoS attacks causing the primary damage via login problems and the shutdown of portal sites”. However, under Kim Jong Un’s regime, “these threats have escalated and a number of serious attacks were inflicted upon important institutions such as the Korea Hydro & Nuclear Power Corporation (KHNP) aimed at causing social disorder and unrest, and even upon international markets in order to profit from currency exchanges”.
He further explained that changes within the North Korean hacking units under the Kim Jong Un regime were brought about by “stimulating competition between its hacking organizations, whereby each hacking unit strives to execute audacious cyber attacks, where once their primary concern was focused on information gathering”. These hacking organizations were comparatively independent in the past, while in recent times they have shown an alarming level of cohesion in the concentration and coordination of their efforts.
Kim Jong Un considers cyber warfare an “all-powerful sword” to be used to cause “as much damage and disorder as possible without culpability” and also to “garner valuable information concerning nuclear and missile technology”. As such, he is expected to continue to concentrate and further develop the North’s cyber attack capabilities as a form of asymmetric warfare.
Analysis released by Issue Makers Lab, revealing that North Korea was behind the March 20, 2013 cyberattack on major South Korean banks and broadcasters. Image: IssueMakersLab
As the North’s cyber attacks become more widespread, Director Choi feels that ransomware is emerging as one of the most dangerous forms of attack.
Ransomware is a type of malicious cryptovirology attack that encrypts documents, spreadsheets and other files and blocks access to them until a ransom payment is made, hence the term. The user’s files are held “hostage” until the “ransom” is paid.
Director Choi revealed that “there is a very high probability that North Korean hackers will use ransomware in their next attacks and have sufficient skills and preparation to execute such threats”.
Ransom payments are often demanded in the digital currency Bitcoin. Recent cyber attacks on the internet portal Interpark show that North Korea understands the significance of Bitcoin, while online infrastructure supporting the use of Bitcoin is already widespread on North Korean internet sites such as the Chosun-Expo portal. It is a real concern that North Korea is planning to use ransomware and Bitcoin as a major new source of foreign currency.
Because ransomware completely denies access to essential files, many victims are likely to be left with no choice but to comply with the payment demands of North Korea’s hacking units. Hospitals are a striking example: all patient data could be rendered inaccessible.
When asked whether civilians could become the targets of North Korean ransomware, Director Choi noted that “as evident in the attacks against the SK Group and Korea Airlines, even large multi-national corporations are susceptible to these attacks and there are limits as to how much corporations can protect themselves”.
He stressed that “we must widen the scope of the expected sphere of attacks and seek out as much opportunity as possible to form cooperative security defenses and create public-private integrated systems to strengthen the chain of information sharing”.