On September 9, 2018, the world watched North Korea’s seventieth anniversary Foundation Day parade. Media and scholars noted the absence of the ballistic missiles that could carry nuclear weapons, which prompted some to proclaim that North Korea was tempering its behavior.
Kim Jong-un has put his nuclear arsenal away, for now, but his cyber army never stopped going to work. Since North Korea’s charm offensive began in January, the Reconnaissance General Bureau (RGB) has continued to conduct attacks against South Korea. The following explains one attack method the RGB relies on, gives examples of its use since the summits began, and explains why South Korea has had difficulty stopping these attacks.
Cyber-Attacks Targeting South Korean Software
South Korea is an integrated and advanced digital society. Over the last decade it has ranked among the world leaders in internet connectivity, internet speed, and smartphone ownership. Last year two internet-only banks opened and quickly attracted a large share of the population, and cryptocurrency exchanges have proliferated. Unfortunately, South Korea lags behind in combating cyberattacks, especially those from North Korea.
South Korea has always been a target for North Korean hackers, for espionage, disruption, and cryptocurrency theft. Alexander Klimburg suggests that South Korea has a hyper-localized internet, meaning almost all users interact solely with Korean internet products and few Koreans interact with users overseas. This hyper-localization shows up in infrastructure, language, and software.
HWP (Hangul Word Processor) is the most popular word processor in South Korea. It is used by government and state-owned companies, and HWP files are a routine email attachment. However, HWP is vulnerable to attack. Park Moonbeom and Park Yongjun note that zero-day vulnerabilities were found in HWP soon after its release. Sangmyung Choi suggests that North Korea latched onto these weaknesses, noting that its operators knew of twenty-three vulnerabilities in the HWP software and have used them in cyberattacks. Because HWP use is confined to the Korean domestic market, many antivirus products give its file format little coverage, making it a prime delivery vector for North Korea.
This weakness has allowed North Korean hackers to succeed with relatively simple techniques. In 2014 North Korea hacked Korea Hydro and Nuclear Power (KHNP), a subsidiary of the Korea Electric Power Corporation (KEPCO) that operates twenty-three nuclear reactors. After the attack the intruders published details of more than ten thousand KHNP employees, along with information indicating they had accessed documents about how the reactors operate. The intrusion began with phishing emails sent to contractors, asking for personal details and carrying an infected HWP attachment. The attackers then demanded money to stop the release of further details, a technique they have reused in later attacks.
Tailored Attacks Post–Summitry
North Korea continues to attack South Korea in cyberspace. On June 17, 2018, South Korean cyber experts identified malicious HWP files disguised as financial reports and application forms. One form targeted the email accounts of attendees of a recent G20 financial meeting. AlienVault analyzed two similar documents, “Financial Stability Conference held” and “[Name] Computer Experience,” and identified the malware as Manuscrypt, whose command-and-control traffic is disguised as communication with South Korean forum software.
On June 20, 2018, approximately $31 million was stolen from Bithumb, a cryptocurrency exchange based in Seoul. Reports indicate the attack began with malicious HWP files sent in May and June, after the first inter-Korean summit. These documents were linked to previous North Korean attacks, in particular through the use of fake resumes. KBS reported that well-known malware code was sent to numerous cryptocurrency organizations, including Bithumb. Hauri, a Korean cybersecurity firm, stated that the malicious code was hidden in HWP documents disguised as resumes. Choi notes that opening the attachment infects the victim’s PC with hidden code, and the attackers then use that foothold to move into the exchange’s servers and drain virtual currency.
The Logic Remains
Some have noted that North Korea was quieter in cyberspace after it began its charm offensive. Mass disruptive attacks have ceased and there has been no repeat of WannaCry, but North Korea has continued to attack South Korea even as relations thaw.
North Korea is still under sanctions and needs a way to earn hard currency, and it has done so illicitly. Two methods are ship-to-ship transfers and cryptocurrency theft. The Bithumb hack confirms that the latter is a way for Pyongyang to boost its income, with Priscilla Moriuchi noting that upwards of $700 million has been acquired through illegal means.
Jong-In Lim points out that the Panmunjom Declaration states there will be no aggressive actions between South Korea and North Korea, and specifically that no provocative actions will take place on the seas, on land, in the air, or in any other space. Lim believes that cyber falls under that last “space.” If so, the actions North Korea has taken since the first summit violate the agreement. So far there have been no repercussions for North Korea in the cyber realm, even though its operations continue to cost South Korea millions of dollars. The South Korean government appears unwilling to raise these issues with North Korea, at least in public, most likely out of concern for disrupting the summitry.
North Korea has concentrated largely on offensive capabilities while neglecting defensive ones. This is a smart strategy. While it has been widely criticized for missile and nuclear weapons development, its cyber crime goes largely unreported or is reported cynically by the mass media, with in-depth coverage confined mostly to specialist security blogs. This is problematic, because the experts who know North Korea’s hacking capabilities in depth are not policymakers or those who influence policy.
South Korean Responses
Organizational culture and institutional arrangements hinder responses to attacks. The Korea Internet & Security Agency’s (KISA) document on current cybersecurity trends and responses in Korea highlights these problems. The national cybersecurity framework draws a clear line between the public, military, and nongovernmental sectors, so there is no catch-all mechanism for sharing information about attacks. For example, the National Intelligence Service (NIS) is responsible for analyzing attacks against government infrastructure and also receives malware samples from private organizations, but no official channel allows the NIS to report its findings to other agencies. The NIS is secretive by nature, but sharing more of what it learns about North Korean attacks would help other organizations defend themselves.
The ingrained use of HWP software makes the Korean government an easy target for RGB hackers. Microsoft Office and PDF files have also been used in these campaigns, but HWP appears in many attacks against Korean targets. Until antivirus coverage of HWP-borne malware is effective, a change in organizational practice, for example reducing reliance on HWP attachments in email, may be the more useful control.
A methodology for deterring North Korea needs to be developed. The United States’ decision to name and shame North Korea for the 2014 Sony hack will not deter a country that actively endorses criminal activity. A more aggressive approach is difficult for South Korea, which has trumpeted the summitry as an effective step toward a new peace regime.
There is an ingrained belief that cyber attribution is impossible, or at least very difficult. In a recent Yonhap News report about reshaping South Korea’s cyber command, the author stated that cyberattacks are “hardly attributable.” This is not accurate. Cyber specialists consistently attribute attacks to North Korea. Park and Park, and Chris Doman of AlienVault, observe that North Korean cyber warfare groups constantly reuse code: the same encryption routines, the same system-information-gathering modules, and similar user-agent strings and IP addresses recur across samples. Attribution is therefore not the fantasy some sources assume it to be. This is North Korea, and it is not going away any time soon.
Pyongyang may not be willing to flaunt its missiles in public, but the RGB continues to work in the shadows. Its operators are still going to work, and states around the world should not be blind to this.
Dylan Stent is a PhD candidate in the School of History, Philosophy, Political Science and International Relations at Victoria University of Wellington. His study focuses on foreign and national security, diplomacy, and nationalism on the Korean Peninsula. Dylan can be reached at [email protected].
Image: South Korean soldiers stand guard in the demilitarized zone separating the two Koreas, in the truce village of Panmunjom, South Korea February 7, 2018. Picture taken on February 7, 2018. REUTERS/Josh Smith