15.04.2016 Author: Konstantin Asmolov

Once Again on the Mysterious North Korean Hackers

A statement delivered in April by President of the Republic of Korea (ROK) Park Geun-hye, confirming that the ROK is preparing to launch an anti-cyberterrorism program, compels us to return to the topic of “the North Korean hackers” once again. (For the record, “the North Korean hackers” are a mythical phenomenon the ROK traditionally invokes whenever it falls victim to a cyberattack, or whenever there is a trivial security lapse.) The first thing that probably comes to mind when one hears about cyberattacks is the recent scandal over Hillary Clinton’s use of a private email account for official business. Or it might be Fred Kaplan’s Dark Territory: The Secret History of Cyber War, in which the American journalist gives an inside view of the 2014 cyberattack on Sony Pictures Entertainment. (It turns out that users of the company’s intranet could gain access by keying in something as simple as 12345, ABCDE or just ‘password’.) This article, however, is dedicated to other “cybercrimes” allegedly committed by hackers from the Democratic People’s Republic of Korea (DPRK).

We witnessed the first phase of the “hacker hysteria” back in the fall. At that time intelligence officials shared a story about an alleged cyberattack by North Korean hackers in October 2015 on the computers of 30-40 South Korean parliamentarians and their assistants, as well as staff of the presidential administration, the Defense Ministry, the Foreign Ministry and the Ministry of Unification. According to a statement released by the ROK’s intelligence services, they managed to contain the October attack, but emails sent by some lawmakers from their private servers were left unprotected. Among the officials targeted was the Chairman of the Foreign Affairs, Trade and Unification Committee of the ROK National Assembly. The hackers gained access to data on the regular parliamentary audits of state institutions and on the ROK’s China policy. The attack was launched from IP addresses in China (as is usually the case), and once again South Korean intelligence agents managed (relying on gut feeling and logic) to identify the hackers as North Koreans. Indeed, why on earth would Chinese hackers be interested in the ROK’s China policy?

However, this incident “blew the lid off” the North Koreans, and the public learned that the DPRK allegedly employs some 58,000 hackers and trolls; that 1,100 of them are professional hackers stationed in China and Malaysia; and that they earn up to $3,000 per month, but have to hand $2,000 back to the state and spend the rest on living expenses and savings.

According to a lawmaker from the Saenuri Party, a parliamentary investigation found a North Korean trace in the July 2015 cyberattack on the computer network of Seoul Metro Corporation. In the course of the investigation it was discovered that 213 computers showed evidence of unauthorized access, that the corporate network was infected with a virus, and that information had been leaking for several months. After the compromise was discovered, additional security software was installed on all of the corporation’s roughly 4,000 PCs. Somehow it became clear only recently that the hackers who attacked the Seoul Metro servers and the hackers involved in earlier attacks had used similar methods. Another head-spinning revelation: the DDoS attack is apparently not a widely used hacker technique, but a method designed and used exclusively by the DPRK’s military intelligence.

Meanwhile, malware was also detected in the computer networks of major ROK defense companies, including on ten computers used by the PR department of LIG Nex1, the ROK’s leading defense contractor. LIG Nex1 develops military equipment and weapons of various categories and classes, including advanced missiles and fighter systems. The ROK’s military counterintelligence has opened an investigation into the incident. So far, it has established that the malware was spread through email messages themed around the ADEX defense trade show. ADEX was recently held in one of Seoul’s suburbs, and South Korean manufacturers, including LIG Nex1, took a very active part in it. “We do not yet know where these letters were coming from. We have urged company employees not to open any suspicious letters received by email,” the military said.

On February 19, 2016, the head of South Korea’s parliamentary intelligence committee, Lee Cheol Woo, predicted another cyberattack in March or April. How did he know? Well, he based his prediction on the “fact” that hackers carry out attacks some time after a nuclear test, and if that is so, then it is not difficult to deduce who organizes them. Earlier that week the police reported that a large share of the spam received by ROK public organizations is sent by North Korean hackers.

On March 8, 2016, representatives of the defense and law enforcement agencies held an emergency meeting following an alleged attack by North Korean hackers on the smartphones of high-ranking South Korean security officials. According to the National Intelligence Service, the North allegedly launched approximately 50 attacks in late February and early March of this year. In ten cases, the hackers managed to deliver malicious code via text messages. As representatives of the National Intelligence Service reported, the code made it possible to record voice calls, steal files, and gain access to text messages, call logs and contact lists. A South Korean software company that develops and supplies security software for online banking was also hit by hackers.

Some defectors immediately jumped at the opportunity to show off their “profound knowledge” of the situation. Two men claiming they had served in the DPRK cyber command (and never mind that for some reason they chose to talk about their “career path” only now) said that North Korean hackers are recruited mainly from graduates of Pyongyang University of Science and Technology, opened in 2009 as part of an inter-Korean cooperation program. They also said that North Korean national defense and public security educational institutions send their students to this university for internships. What conclusion can be drawn from this revelation? That cooperation in this field must be halted immediately.

Pyongyang rejects the accusations of its involvement in the hacker attacks. In an article published last Sunday in Rodong Sinmun (the official newspaper of the Central Committee of the Workers’ Party), North Korea described Seoul’s accusations as part of a sweeping propaganda campaign “launched for political reasons with the objective of aggravating inter-Korean relations.”

Meanwhile, the ROK’s financial regulator began security testing of the computer networks of 16 banks and insurance companies. A number of South Korean financial companies have reinforced their cybersecurity. Woori Bank and Shinhan Bank beefed up their security testing systems and set up emergency task groups charged with monitoring their networks for possible cyberattacks. Other banks, as well as companies operating on the securities market, are also revamping their security systems.

Meanwhile, the opposition has expressed concern over illegal monitoring of its members’ phone calls. The operator of the popular mobile messenger KakaoTalk had to give the Public Prosecutor’s Office access to messages exchanged by its users as well as to its databases. KakaoTalk took this decision a year after it initially rejected a request from the Public Prosecutor’s Office for access to the messages of a crime suspect. KakaoTalk justified its refusal by pointing out that compliance would violate its privacy policy: executives were concerned that providing access to a suspect’s group chat would compromise the confidentiality of the other participants. The company finally agreed to hand over records of the suspect’s chats because the Public Prosecutor’s Office agreed to keep the identities of the other chat participants confidential. Users who are worried about the security of their personal information can choose the “private mode” (which encrypts messages) for their chats. If this mode is selected, only the intended recipient can read the message delivered to his or her smartphone.

Note that this was the second attempt to gain access to the private messaging system. The first ended in a scandal after it was discovered that the ROK had tried to procure software that would allow it to read text messages and monitor conversations exchanged via KakaoTalk. Rumor has it that the DPRK authorities banned South Korean smartphones after this incident.

Konstantin Asmolov, Ph.D., Leading Research Fellow of the Center for Korean Studies, Institute of Far Eastern Studies, Russian Academy of Sciences, exclusively for the online magazine “New Eastern Outlook”.