The South officially accused the North today of launching a cyberattack against the JoongAng Ilbo, a conservative daily in the South. More interesting is what the South’s investigation also discovered – since 2009, the North’s cyber attacks on the South (targeting banks, elections, universities, and other organizations) have used the same China-based IP address owned by North Korea’s Ministry of Post and Telecommunications.
South Korean dailies report the attacks have come through a block of IP addresses owned by the ministry – the main (only?) IP addresses the North uses to access the outside Internet. According to the press reports, the ministry itself doesn’t do any of the hacking, instead, technicians working for the North’s military and intel services (see graph, below) use the ministry’s system to access the outside Internet and launch their attacks. One wonders why the North continues to use the same IP addresses, though given the limited consequences (i.e. none), perhaps they haven’t been sufficiently motivated to change.
While connection is not causation, it appears the North has increased the number, scale, and technological sophistication of its cyberattacks, at least on the South, at the same time its spies in the South were increasingly getting discovered and arrested. It wouldn’t be the first time a country has abandoned human intelligence collectors and saboteurs for cheaper and more deniable electronic and technical options. While no one outside the North knows whether there is a connection between the increased arrests of North Korean spies and the North’s growing use of electronic means to infiltrate and attack the South, these are certainly trends worth tracking.
The graphic below, courtesy Yonhap, reportedly shows the North’s military hierarchy, with the agency controlling the hacker teams reporting directly and solely to the top (and in my mind begging the question of whether the North’s intel folks are also stuck viewing endless chain-of-command Powerpoint graphs of who reports to whom).