EN|FR|RU
Follow us on:

Non-DPRK Hackers, or Another Scandal in the Korean Intelligence Service

Konstantin Asmolov, August 15

564562222Some time ago, the author of this article and some of his colleagues, including foreign ones, began receiving strange letters, with attachments representing rather clumsy attempts to hack mailboxes or to access computer files. Some of these colleagues, who had no particular sympathy for North Korea, assumed Pyongyang had a hand in this, but a big scandal unfolding today in Seoul indicates that these hacking attempts most likely came from a completely different side of the 38th parallel. The Korean intelligence service was again at the center of the scandal, and again we are talking about its Internet activities. Only this time, its staff did not take part in political battles under false names but tried to gain access to the personal data of thousands of citizens using spyware.

It all started with the fact that back on March 4, 2014, correspondence with clients had appeared on the Web, which was headed by the Italian company “Hacking Team”, specializing in developing and selling software that allows access to the content of correspondence on the Internet, text-messages and to other exchanges of data between electronic devices.

Among the spyware buyers, wanting to obtain personal information of computer and smartphone users, there appeared a certain “5163 division of South Korea ground troops”, which purchased from Hacking Team programs worth in total of about $800 thousand. This included Remote Control System software, which, according to its developers’ description, “allows you to control the content of messages and information flow throughout the territory of Korea.” So, suddenly it turned out that in South Korea, which supposedly is known for its Internet industry, there were no in-house experts, and viruses had to be ordered from abroad.

The suspicions arose immediately, and on July 14, 2015 at the Parliamentary plenary session the National Intelligence Service director Lee Byung Ho acknowledged this purchase, but he denied that these programs were used against civilians. According to him and other representatives of the intelligence, they were only used to collect data on the DPRK to break the 87 IP-addresses belonging to foreigners who, according to the intelligence, have been linked to North Korean agents operating in China and other parts of the world. As for the Remote Control System, it was purchased to identify the vulnerabilities existing in the country’s programs for smartphones and messaging. For example, access to the content of messages transmitted in the country’s most popular messenger Kakao Talk. At the same time, representatives of the Republic of Korea stated: really, you don’t know that North Korean spies also actively use this messenger, and sometimes break into the smartphones of South Korean citizens, after which the latter write on social networks something that is not quite right?

Curiously, in Korea right at this time, there was a rumor that Kakao Talk had been hacked by the secret services, so Koreans began to use other services, including Telegram, developed by Russian programmer Pavel Durov.

Later, however, it became clear that the intelligence had sent out “more than 200” emails with hacker program attachments that could be installed automatically if you opened the letter. Most attempts were unsuccessful, because the recipients did not open the letter, and therefore, the program was not active. It also became known that Hacking Team’s log files contained many South Korean IP-addresses, 138 of which belonged to the South Korean telecommunications companies and government institutions, and furthermore, the correspondence between the intelligence agents and Hacking Team showed interest in the program’s ability to break into the latest models of smartphones, tablets and computers.

It also turned out that this equipment was purchased by military intelligence – in October 2012 “Unit 1363 of the Armed Forces of the Republic of Korea” bought, from those same Italians 6 systems for listening devices and 15 systems for information processing. Officially, the purchase was made in the course of the planned equipment renewal of existing and legally used systems, but the opposition noticed that the military spy equipment was purchased two months before the presidential election, in which they had tried to interfere together with civilian intelligence agencies.

In view of this, on July 18 in the mountains, in the town of Yenine, province of Gyeonggi, was found the body of an employee of the National Intelligence Service by the name of Yim, who had committed suicide in a car after inhaling carbon monoxide. He had worked for 20 years in the intelligence service, dealing with cyber security, and was personally involved in the acquisition and use of hacking tools. Before his death, he had written a note in which he completely denied both surveillance of ordinary citizens and improper activities during the presidential elections (which actually has been proven; see early materials about “trolls in uniform”).

It does not matter if he killed himself, feeling responsible for the scandal (this happens in Korea), or someone helped him. In any case, the suicide of an intelligence officer, who is directly responsible for the delivery of the software, is very important indirect evidence. On the one hand, he can tell nothing now, especially at the parliamentary hearings, on the other hand, suicide is often thought of as an admission of guilt, confirming that the National Intelligence Service really did engage in large-scale espionage. And then again, and this caused a particular stir, in the suicide letter it is pointed out that “considering the utmost importance of the intelligence service’s authority, he had destroyed that part of the information about the operational activities in North Korea, which could be misunderstood.”

The oppositional Democratic Coalition for a New Policy insists on the need to continue the investigation, doubting the objectivity of intelligence agencies, and has created a commission to ascertain the circumstances of the case, for which deputy Ahn Cheol-soo was appointed as chairman – a known specialist in computer technologies, the ‘Korean Kaspersky’, who cannot be easily hood winked. Opposition leader, Moon Jae Ying, called the hacking of internet-users’ personal data an anti-state crime, and accused the intelligence of conducting hidden surveillance of Korean citizens.

The ruling Saenuri Party has expressed concern – full disclosure threatens national security – and for this reason has demanded to stop fanning the scandal, saying that the attacks of the opposition were political in nature.

Against this background, there are three more events indirectly related to the topic of this article. The first one is the abolition of the sentence against the former director of the National Intelligence Service of Korea, Won Se Hoon. The reasons cited were: the misinterpretation of the Criminal Code and the lack of evidence.

In 2014, the Seoul Central District Court found Won guilty and sentenced him to a prison term of 2.5 years and banned him from holding office as a civil servant for three years with the sentence execution suspended for 4 years. On February 9, 2015 the Seoul High Court increased the term of his detention up to three years and cancelled the suspension of the sentence, having found the defendant guilty of all charges. But the Supreme Court overturned the verdict. This is despite the overwhelming evidence against Won on corruption charges, and in connection with the last big scandal in the intelligence services, when, ignoring the law of neutrality of intelligence agencies, their employees had tried to influence the course of the last presidential election.

Of course, any statements about the guilt or innocence of the defendant did not make it into the headlines, and technically the case was returned to the Seoul Trial Court for further investigation. However, curiously, the Supreme Court has demanded re-establishment of the criteria for intelligence activities in the field of cyber security.

Second declassified evidence that (unlike the never proven North Korean hacker attacks on America) five years ago, the US tried to carry out a computer attack on a nuclear weapons program of the DPRK with the help of Stuxnet spyware virus, used, if you will recall, against Iran’s nuclear facilities. According to Reuters, citing sources familiar with the operation, the developers of Stuxnet created a version that was activated when released into a computer with settings in the Korean language, but limited access and distribution of the local network proved to be an obstacle in the way of computer sabotage. US intelligence services did not manage to get to the key North Korean equipment, with which the republic’s authorities control of their nuclear weapons.

Third – it is that amidst the aforementioned scandal, the “intelligence agents were so busy with theoretical threats, they failed to protect against the real danger.” While South Korean counterintelligence spent hundreds of thousands of dollars “to identify potential vulnerabilities”, representatives of the “Group of opponents of nuclear reactors”, about whom we have already written once before, broke into the database of the Defense Ministry and the presidential administration. As evidence, they posted on Twitter a certain amount of, if not secret but closed, information such as seating arrangement diagrams of high-ranking officials at various sessions.

So, what do we have in summary? Another scandal affecting the interests of ordinary citizens, the undermined credibility of the one of the most popular national instant messengers and indirect confirmation of the fact that South Korean intelligence agencies have a limited competence in ensuring Internet security. Especially when you cannot write off the problem as the work of Pyongyang hackers who for some reason operate from China and can penetrate even into systems that are not connected to the Internet.

Konstantin Asmolov, PhD (History), senior researcher at the Institute of Oriental Studies of the Russian Academy of Sciences, exclusively for the online magazine “New Eastern Outlook”.