Since the first large scale distributed denial-of-service (DDoS) attack in July 2009, the South Korean government has consistently accused North Korea of being the culprit behind other incidents. Specifically, it cites as responsible a hacking and cyber-warfare unit established in 2009 at the Reconnaissance General Bureau of the North Korean National Defense Commission.
In South Korea, the Korea Internet & Security Agency, the National Police Agency’s Cyber Terror Response Center and the National Intelligence Service blamed North Korea for five attacks:
· March 4, 2011: DDoS attacks target eight bank and securities firm websites, six commercial web portals, and thirty-five government websites, including the president’s office, National Intelligence Service, Ministry of National Defense, National Police Agency, and United States Forces Korea.
· April 12, 2011: Malicious code is inserted into the internal network of the National Agricultural Cooperative Federation, destroying servers and disrupting online services for two weeks.
· June 9, 2012: JoongAng Daily News has its website defaced and malicious code uploaded to the typesetting system for newspaper production with a stolen ID, delaying publication of the newspaper for the day.
· March 30, 2013: Malicious code is inserted into the networks of three banks and three major media corporations by “WhoIs” hackers, destroying the hard disk drives of 32,000 computers. Four or five days are needed to achieve a full recovery.
· June 25, 2013: DDoS attacks are launched against the websites of the president’s office, National Intelligence Service, and ruling party. Personal information of website users is leaked, together with data on U.S. and Korean soldiers. Seven hours are needed to recover from the DDoS.
Yet there is evidence to suggest that the South Korean government has jumped to an early conclusion in some cases, given its routine “naming and shaming” of North Korea as part of the ongoing tensions. That leaves open the possibility that the real perpetrators are escaping undetected while the focus of attention remains on Kim Jong-un’s hacker unit. It is important to realize that politically motivated threats are not just external; South Korea has its own internal political dissidents.
Questionable Government Investigation
The South Korean government offers two main reasons why North Korea is behind the cyber attacks in recent years. First, domestic and foreign IP addresses known to be used by North Korea were discovered, along with malicious code attributed to North Korea. The foreign IP addresses are located in China, which lent them to the North Korean government. Pyongyang borrows servers because of its lack of Internet infrastructure and strict controls over the domestic Internet environment. However, these are not definitive indicators of guilt. The average teenage hacker is capable of obfuscating or spoofing an IP address, or of copying malicious code that other hackers have shared via hacking forums or other sources. Moreover, hackers rarely use their own computers; to avoid detection they use the computers of others, which they control by inserting malware.
Second, most targets have been government agencies. Even when financial institutions were attacked, the hackers did not attempt to steal cash, but rather sought sensitive information. This again prompted suspicion to fall on North Korea, which has a clear motive for this kind of espionage. Still, it is wrong to say that the North Korean government is not interested in cyber crime. Pyongyang has regularly been involved in money laundering, counterfeiting and drug smuggling to earn foreign currency. Indeed, one of the main jobs of North Korean hackers belonging to the government hacker unit is to create tools for lifting cash from online game websites, which are sold to Chinese and Korean criminals. They also hack personal information from commercial websites and take over personal computers. These hackers work in China with the support of the Korea Computer Center under Office 39 of the Workers’ Party of Korea, which raises illicit funds for Kim’s regime. According to reports from the Seoul Metropolitan Police’s International Crime Investigation Team, around $500 per month from each hacker finds its way to Office 39.
The National Intelligence Service has rarely offered any details of any investigation into the cyber attacks, citing security reasons, but routinely points the finger at North Korea. Political propaganda? Perhaps, but either way blaming Pyongyang offers a convenient excuse to prematurely terminate any investigation.
Domestic Anonymous Hackers
While the focus is on threats that may or may not be presented by an outside adversary, real threats are emerging domestically. Political brawls in South Korea usually erupt over North Korean policy. The battle is now moving online.
“Anonymous” hackers, with their Guy Fawkes mask logos, began to appear in South Korea in late 2012. A loose network of beginner hackers in their teens and early 20s created a community of sorts using social media such as Twitter and Facebook and a mobile phone chat application. Their first target was North Korea, with their rhetoric and attacks becoming increasingly aggressive from March to June of 2013. Not all announced attacks—most targets were North Korean media websites—were successful, nor have the attacks demonstrated anything beyond DDoS attacks, which is not actually hacking.
What is interesting is the reaction of other anonymous hackers—these ones not wearing a Guy Fawkes mask. Despite the official South Korean government announcement, the source of this year’s attack on June 25—the 63rd anniversary of the outbreak of the Korean War—was highly likely a South Korean individual with political views friendly to North Korea. This attack seems to have been a response to the anti-North Korean activities of “Anonymous South Korea” and their advance announcement of large-scale DDoS attacks on more than 20 North Korean websites at noon on June 25, 2013.
At 9:30 on the morning of June 25, DDoS attacks were launched against the office of the South Korean president, and the website was defaced with praise for Kim Jong-un and the message “hacked by Anonymous South Korea.” There are two reasons for believing that the attack was the work of a South Korean individual. First, the attack encompassed other targets such as USFK Classifieds, an automobile sales website, hardly likely to be on the radar of a government team. The leaked personal information of U.S. soldiers was likely produced by a fake Social Security Number generator, given that the attacker claimed to have obtained the data by infiltrating DefenseTalk.com, an ordinary news website that would be unlikely to possess Social Security Numbers. Other leaked information from the ruling party and president’s office was barely even confidential. Second, the attacker exposed his identity on his Twitter account before the attack. He apparently had no qualms about making personally identifiable information available to all, and he had multiple conversations with other Twitter users about his plans.
Now Anonymous South Korea is discussing plans for a future DDoS attack targeting South Korean government websites, especially the Ministry of Gender Equality and Family and the National Intelligence Service. They claim to support neither North nor South Korea and want to be labeled neither heroes (by South Koreans hostile to North Korea) nor enemies (by pro-North Koreans). No details are known, but a Twitter hashtag, #OpKorea, is spreading, and those leading the group are convincing others that threatening “our own” government is legitimate.
On June 9, 2012, the website of one of South Korea’s three largest newspapers, JoongAng Daily News, was defaced with the image of a smiling cat. A message left on the screen credited the attack to a female hacker whose nickname is “IsOne.” This hacker also infiltrated the software used in the newspaper’s production. The website was soon restored, but the paper’s publishing schedule was disrupted for the day. Then, at 8:21 pm on June 10, 2012, a person using the same nickname posted attack methods, extracted databases and other information about the attack on a web forum discussing pro-North Korean politicians and their policies. The attacker wrote that she wanted to share the information she had obtained with the public.
Six days later, the National Police Agency’s Cyber Terror Response team announced that the attack had been tracked to the computer of a North Korean hacker going by the designation “IsOne.” But could the computer used in a government-sponsored attack really be so easily traced? And would a government hacker expose their nickname, offering investigators an important clue to tracking them down? There are multiple indications that this attack was carried out by an individual hacker whose priority was to demonstrate her skills and spread information to others sharing a similar political view.
In another case, the attack clearly reflected domestic politics. October 26, 2011 was the date of elections to fill vacancies in the South Korean National Assembly. At 11:20 am, DDoS attacks were carried out for two hours against the websites of the National Election Commission and the candidate for Seoul city mayor, a member of the opposition Democratic United Party (as it was then known), which is dovish toward the North Korean regime. An investigation by the Cyber Terror Response Center discovered that the attack was initiated by two members of South Korea’s ruling Grand National Party (which has also since changed its name).
Clearly, internal political polarization in South Korea is a source of cyber threats. As such, it is disappointing to witness the dysfunction of the National Intelligence Service and the lack of inter-agency response. The National Intelligence Service has recently been criticized for information leaks, illegal interference, a bribery and corruption scandal involving its former chief, and a psychological campaign against a political party.
Without question, North Korea has a hacking and cyber warfare unit and it is clearly a threat to cyber security in South Korea. But responding to every attack with anti-North Korean rhetoric only creates more confusion and deters appropriate investigations into internal threats. Perhaps South Koreans should start looking at themselves, in addition to Kim Jong-un’s hacker unit.
Soo-Kyung Koo is a freelance writer and associate at AVH, LLC, a Washington DC-based security reporting company. She received her MA in Government at Georgetown University.