Information Warfare: The Usual Suspects


July 16, 2013: Over the past four years South Korea has been subjected to a growing number of Cyber War attacks, some of them quite damaging. In the last few months several teams of security researchers have concluded that nearly all of these attacks were the work of one group of 10-50 people, called DarkSeoul. Given the extent of the attacks, the amount of work required to carry them out, and the lack of any economic component (no money was being stolen), the campaign appears to be the work of a national government. That agrees with earlier conclusions that North Korean, not Chinese, hackers were responsible for several recent attacks on South Korean networks. The most compelling piece of evidence came from a March 20th incident in which a North Korean hacker's mistake briefly exposed the address he was operating from. That address was in the North Korean capital and belonged to the North Korean government. Very few North Korean IP addresses belong to private individuals, and fewer still have access to anything outside North Korea, so a government address there is a much stronger indicator than it would be almost anywhere else.

Details of DarkSeoul were uncovered by pattern analysis of the malicious code left behind in damaged networks. Coding habits pointed to the work of specific individual programmers, and the reuse of the same tools and techniques indicated that a single organization was behind nearly all of the attacks conducted since 2009. Building all that software and assembling the resources (hacked South Korean PCs, plus the hardware and network time the DarkSeoul team needed) took a lot of work, and someone had to pay for it. The likely culprit is North Korea, which has threatened Cyber War attacks but never taken credit for them. That is typical of North Korean attacks in general, conventional ones in the past and now those over the Internet.

Long believed to be nonexistent, North Korean cyberwarriors apparently do exist, and are not an invention of South Korean intelligence agencies trying to obtain more money to upgrade government Information War defenses. North Korea has had personnel working on Internet issues for over 20 years, and its Mirim College program has trained over a thousand Internet engineers and hackers. North Korea has a unit devoted to Internet-based warfare, and this unit is increasingly active.

Since the late 1980s, Mirim College in North Korea has been known as a facility that specialized in training electronic warfare specialists. By the late 1990s, however, the school was found to be teaching students how to hack the Internet and other types of networks. Originally named after the district of Pyongyang it was in, the college eventually moved and expanded. It went through several name changes, but its official designation was always Military Camp 144 of the Korean People's Army. Students wore military uniforms, and security on the school grounds was strict. Each year 120 students were accepted, from the elite high schools or as transfers from the best universities, and they stayed for five years. The school had five departments: electronic engineering, command automation (hacking), programming, technical reconnaissance (electronic warfare), and computer science. There was also a graduate school, with a three-year course (resulting in the equivalent of a Master's Degree) for a hundred or so students.

It was long thought that those Mirim College grads were hard at work maintaining the government intranet, not plotting Cyber War against the south. Moreover, North Korea has been providing programming services to South Korean firms. Not a lot, but the work was competent and cheap. So it was known that there was some software engineering capability north of the DMZ. It was believed that this capability was being used to raise money for the government up there, not to form a major Internet crime operation. But now there is growing evidence of North Korean hackers at work in several areas of illegal activity. The Cyber War attacks apparently began about seven years ago, quietly and with nothing too ambitious. Year by year, however, the attacks increased in frequency, intensity, and boldness. By 2009 the North Korean hackers were apparently ready to make major assaults on South Korea's extensive Internet infrastructure, as well as on systems (utilities, especially) that are kept off the Internet.

The recently deceased North Korean leader Kim Jong Il had always been a big fan of PCs and electronic gadgets in general. He not only founded Mirim but backed it consistently. His one source of displeasure with the school was the suspicion that those who graduated from 1986 through the early 1990s had been tainted by visits (until 1991) from Russian electronic warfare experts. Some Mirim students had also gone to Russia to study for a semester or two. All of these students were suspected of having become spies for the Russians, and most, if not all, were purged from the Internet hacking program. Thus it was not until the end of the 1990s that there were enough trusted Internet experts to begin building a Cyber War organization.

South Korea has to be wary because it has become more dependent on the web than any other nation on the planet, with the exception of the United States. As in the past, when the north wants to try some new kind of mischief, it tries it out on South Korea first. While many of the first serious attacks in 2009 were more annoying than anything else, they revealed a new threat, one that not only got worse but turned out to come from the usual suspects.