South Korea’s Ministry of Defence (MND) has allegedly been hacked by North Korea. The news comes from officials at the nation’s ‘cyber command’ branch, whose job it is to protect against hacking. According to South Korean officials, hackers working for Kim Jong-un have penetrated their systems, making off with vital state secrets in the process.
Although unconfirmed at the moment, the hackers in question would presumably be part of North Korea’s elite cyber-warfare agency “Bureau 121.” Those were the hackers allegedly responsible for the high-profile Sony hack back in November 2014.
For now, it remains unclear what was stolen from South Korean servers, with guesses ranging from important classified documents to possible top secret war plans.
Ongoing Cyber Warfare
This isn’t the first time that North Korea has been accused of hacking South Korean organizations. In the past, however, Kim Jong-un’s elite hackers are believed to have mainly targeted corporate rather than state targets. To date, the alleged targets include banks, media outlets, and government contractors.
Talking to South Korea’s Yonhap news agency, a spokesman for the military made the following comment:
“It seems the intranet server of the cyber command has been contaminated with malware. We found that some military documents, including confidential information, have been hacked.”
For now, it is unknown how the malware made it onto the military’s computer system. Judging from previously discovered attack methods, however, it seems likely that Bureau 121 targeted someone on the military’s servers with a spear phishing attack.
Clues from Sony Hack
Bureau 121 are known to be highly patient and skillful hackers. Back in 2014, it was revealed that the Sony hack was initiated with spear phishing. Spear phishing is a type of hacking known as social engineering: a highly effective yet non-brute-force method that relies on human error to get malware onto a victim’s system.
During the Sony hack, the North Korean hackers stole admin credentials using the malware they spoon-fed onto Sony’s servers. Following that, the Bureau 121 hackers buried themselves within Sony’s system for around two months, carefully planning their attack and making off with tons of documents in the process. A Pentagon spokesperson commented, at the time, that the way in which the attack was carried out was:
“Incredibly careful, and patient.”
Good at Hiding Their Tracks
What is also known from past attacks is that the North Korean hackers are incredibly good at using proxy servers to obfuscate their IP addresses. As such, it remains unclear whether South Korea actually knows that the attacks originated from North Korea or whether they are simply pointing the finger blindly.
In the aftermath of the Sony hack, the Pentagon’s certainty about North Korea’s involvement was considered somewhat of a mystery at first. FBI director James Comey cleared things up by explaining that covert implants in servers and firewalls around the world (originally revealed by Edward Snowden) were used to ascertain North Korea’s guilt:
“We could see that the IP addresses they used … were IPs that were exclusively used by the North Koreans. It was a mistake by them. It was a very clear indication of who was doing this. They would shut it off very quickly once they realized the mistake, but not before we saw them and knew where it was coming from.”
Heavy-handed US Surveillance Practices
What this demonstrates is that without the US’s shady cyber espionage practices, it is unlikely that the finger could have ever been pointed at Bureau 121 quite so confidently. With that in mind, it remains uncertain just how South Korea’s ‘Cyber Command’ center is so sure that North Korea is to blame on this occasion.
“We consider this attack to have been perpetrated by North Korea,” an official said. “As well as investigating, we are strengthening our system against such attacks, at both interior and exterior connection points, and educating military personnel.”
No details, you will notice, are revealed about why South Korea considers this to be the case.
It is true that North Korea is believed to have around 6,000 hackers working for the state. That is quite the horde of hackers and certainly makes it possible that the attack was carried out by Kim Jong-un’s elite hackers.
There are undoubtedly plenty of geopolitical reasons why Kim Jong-un would be actively going after South Korean state secrets. Jens Monrad, senior intelligence analyst at cybersecurity firm FireEye, made the following comment:
“Given the isolated status of North Korea, as well as the ongoing political tensions between North Korea and South Korea, it is very likely that North Korea will attempt to conduct cyber-attacks against South Korea.”
Ongoing Cyber Warfare Operations
Kim Heung-Kwang, a North Korean defector and computer expert, has also previously disclosed that since 2010, Bureau 121 hackers have been working on advanced application programming interfaces (APIs) to launch attacks on foreign infrastructure.
In June of this year, Kim Jong-un’s hackers were blamed for an attack on a South Korean defence contractor. During that penetration, over 40,000 documents were taken. Those included wing designs for the US F-15 jet fighter and photos of parts of unmanned spy planes.
Elite Hackers Slacking off?
The hack in June 2016 allegedly originated from an IP address in Pyongyang. We will have to wait and see whether it is the same alleged location behind this latest attack. In addition, one would like to see proof that the IP is not a proxy itself, being exploited by a third party.
After all, the fact that the IP address is in Pyongyang certainly seems to stand in stark contrast to the careful and methodical use of proxies that we have been led to believe Bureau 121 employed in the past.