Prior to the cyber attack on Sony, widely though not entirely thought to be the work of North Korea, the North has been blamed for successful cyber attacks on South Korean media companies, military and government networks, banks, and universities. Some of the first attacks blamed on the North occurred in 2009 and the South has regularly blamed the North for cyber attacks since, with Korean and international analysts noting both similar tactics and the attacks’ growing technical sophistication.
While North Korean decision-making may appear opaque and often outlandish to outside observers, this does not mean the country lacks technical skill, as evidenced by its successful nuclear and ballistic missile programs. The North’s technology has even attracted an international following, most notably from Iran.
In 2012, Iran and North Korea signed a framework agreement on technology sharing that formalized ongoing IT, nuclear, and other tech-related cooperative development efforts. This cooperation has increased Iran’s cyber capabilities, exhibited most clearly by an October 2012 cyber attack on Saudi Arabia’s Aramco Oil. By 2013, experts had begun to note technical and tactical similarities in attacks separately attributed to Iran and North Korea, including a series of disruptive attacks that led major U.S. banks to request help from the NSA. Related writings on Iranian attacks can be found here.
A brief history of cyber attacks blamed on North Korea At 2pm on a Wednesday, the 20th of March 2013, a cyber attack on South Korea targeted the country’s banks and major broadcasters, knocking ATMs offline throughout the country and disabling over 30,000 computers at the country’s three largest broadcasters. The ATM outages ended up lasting for days, affecting millions of people. Within weeks, South Korea officially blamed the North for the attack, outlining evidence that hackers had spent months penetrating systems in preparation for the simultaneous assaults.
In March 2011, a distributed denial-of-service (DDoS) attack, “Ten Days of Rain,” was launched against South Korean government websites and the network of U.S. Forces Korea (USFK). Interestingly, the attack was designed to last only 10 days, after which it stopped, self-destructing itself and the systems it had infected. This attack was similar to one from 2009, though it demonstrated greater capabilities and, according to McAfee, appeared aimed at testing and benchmarking the cyber defense capabilities of South Korean government and USFK networks. Within weeks, international analysts attributed this attack to North Korea.
On 12 April 2011, South Korea’s main agricultural cooperative, Nonghyup, had its electronic banking systems shut down in a cyberattack. The attack prevented 30 million people from accessing their bank accounts for days. As in other cases, the attackers lurked in the system for months, copying data and exploring the systems before launching an attack focused on creating max destruction. South Korean prosecutors officially accused the North of conducting the attack, via the laptop of a system administrator at IBM Korea, the following month. International analysts called the attack the world’s first by one country on a financial institution in another country.
Other, older cyber attacks in South Korea blamed on the North include a 2009 attack on a military network in Seoul that obtained sensitive information on toxic chemical manufacturers and another 2009 DDoS attack, on the 4th of July, that blocked access to U.S. and South Korean government websites. This second attack was also designed to wipe out data on computers infected by the attackers. Separate attacks in 2011 targeted the email accounts of officers at the Korean Military Academy and students at Korea University’s Graduate School of Information Security, one of the South’s top schools.
The same unit of the North’s military often blamed for the cyberattacks is also thought responsible for GPS jamming attacks launched from the North into the South – where the main airport (Incheon) and related flight paths are in range of the North’s jamming equipment. The jamming attempts first occurred in 2010, with a four-day attack, and reached their most damaging level in 2012, with a 16-day attack that resulted in the reported navigational disruption of 1,016 aircraft and 254 ships. The jamming signals were traced to locations in North Korea along the border with the South.
The North reportedly established its cyber operations unit back in September 2007, combining separate teams previously operated by the labor party and military. Some reports claim Kim Jong-Eun ordered the creation of the combined unit as a way of strengthening the North’s cyber capabilities in preparation for future attacks. Now the current ruler of North Korea, at the time Kim was still being groomed as his father’s heir, likely in competition with his uncle and at least one older brother.
Lessons Learned Tradecraft practiced during many of these attacks, especially the major, later ones, includes months-long campaigns designed for maximum network infiltration, followed by efforts to render systems inoperable, not just steal data. This effort to destroy systems rather than simply acquire trade or R&D data is a common indicator of an actor motivated by politics more than by profit. This distinguishes North Korean cyber attacks from those commonly attributed to the Russians or Chinese. The latter countries often focus more on espionage involving trade secrets, technological developments, and the defense industry, with Beijing also interested in Western media companies reporting on China. The North, as we have seen, is less about espionage than it is about destroying data and disrupting banking, government, media, and other networks, primarily, but not always (hello Sony) in South Korea.
Going forward, few expect the North to reduce or eliminate cyber attacks from its asymmetric arsenal. With a society and economy far removed from reliance on the Internet, the North has far less to lose in a cyber confrontation than the U.S. or South Korea. Any nation or organization contemplating a response to a North Korean cyber attack is forced into a situation where the responder has far more to lose than Pyongyang in the cyber realm. This necessitates a choice between a risky, largely impotent cyber-only response, or responding in another domain – as the U.S. did with additional economic sanctions on the North as punishment for the attack on Sony. This latter response, while possible for a nation-state, is hardly appropriate for a bank, media company, or other non-state organization – raising the multi-million dollar question of how these groups can begin to deter or successfully respond to such attacks.