4 November 2017

NORTH KOREA – DAVID OF THE CYBER WORLD?

Part II
- Maj Gen P K Mallick,VSM (Retd)

North Korea Hacks South Korean Warship Blueprints

North Korea stole blueprints of missile-equipped ships and unspecified submarines in a heist last year of classified documents from the world’s biggest shipbuilder. About 60 classified military documents were among the 40,000 hacked from South Korea’s Daewoo Shipbuilding and Marine Engineering Co in April 2016. They included information on construction technology, blueprints, weapons systems and evaluations of the ships and submarines. South Korea’s Aegis-equipped ships and submarines are key to plans for a preemptive strike against North Korea should it send a submarine equipped with ballistic missiles to target key facilities in the South. 

Information War

North Korea is emerging as a significant actor in cyberspace with both its clandestine and military organizations gaining the ability to conduct cyber operations. These attacks have shown that the country is capable of conducting damaging and disruptive cyber attacks during peacetime. North Korea seems heavily invested in growing and developing its cyber capabilities for both political and military purposes

North Korea was potentially behind phony evacuation messages sent via cellphones and social media to military families and defense personnel in South Korea last month. That incident opens the possibility that last year’s breach may have led to the harvest of personal information used for the notifications.

Financial Domain

The attacks on the Bangladesh Central Bank, additional banks around the world, and the WannaCry ransomware campaign represent a new phase in North Korean cyber operations, one that mirrors the phases of violence and criminality North Korea has passed through over the past 50 years. Unlike its weapons tests, which have led to international sanctions, the North’s cyberstrikes have faced almost no pushback or punishment, even as the regime is already using its hacking capabilities for actual attacks against its adversaries in the West. Soon the digital bank heists began — an attack in the Philippines in October 2015; then the Tien Phong Bank in Vietnam at the end of the same year; and then the Bangladesh Central Bank. Researchers at Symantec said it was the first time a state had used a cyberattack not for espionage or war, but to finance the country’s operations.

Now, the attacks are increasingly cunning. Security experts noticed in February that the website of Poland’s financial regulator was unintentionally infecting visitors with malware. It turned out that visitors to the Polish regulator’s website — employees from Polish banks, from the central banks of Brazil, Chile, Estonia, Mexico, Venezuela, and even from prominent Western banks like Bank of America — had been targeted with a so-called watering hole attack, in which North Korean hackers waited for their victims to visit the site, then installed malware in their machines. Forensics showed that the hackers had put together a list of internet addresses from 103 organizations, most of them banks, and designed their malware to specifically infect visitors from those banks, in what researchers said appeared to be an effort to move around stolen currency.

Bangladesh Central Bank. In early 2016, a new pattern of activity began to emerge in an unusual operation against the Bangladesh Central Bank. Actors obtained the legitimate Bangladesh Central Bank credentials for the SWIFT interbank messaging system and used them to attempt to transfer $951 million of the bank’s funds to accounts around the world. A few simple errors by the actors about a withdrawal request that had misspelled “foundation” as “fandation.” (and some pure luck) allowed central bankers to prevent the transfer of or recover most of the funds, but the attackers ended up getting away with nearly $81 million. The National Security Agency (NSA) has attributed this attack on the Bangladesh Central Bank to the North Korean state, however, the investigation within the U.S. government is still ongoing. Threat analysts from numerous companies have attributed this attack and subsequent attacks on banks around the world through early 2017 to the Lazarus Group (which DHS, FBI, and NSA have all linked to the North Korean government over the past three days).

RANSOMWARE. The most widespread hack was WannaCry, a global ransomware attack that used a program that cripples a computer and demands a ransom payment in exchange for unlocking the computer, or its data. The hackers based the attack on a secret tool, called “Eternal Blue,” stolen from the National Security Agency. In the late afternoon of May 12, panicked phone calls flooded in from around Britain and the world. The computer systems of several major British hospital systems were shut down, forcing diversions of ambulances and the deferral of nonemergency surgeries. Banks and transportation systems across dozens of countries were affected.

Then only sheer luck enabled a 22-year-old British hacker to defuse,the ransomware attack It ended thanks to Marcus Hutchins, a college dropout and self-taught hacker living with his parents in the southwest of England. He spotted a web address somewhere in the software and, on a lark, paid $10.69 to register it as a domain name. The activation of the domain name turned out to act as a kill switch causing the malware to stop spreading.

Britain’s National Cyber Security Center had picked up no warning of the attack, said Paul Chichester, its director of operations. “This was part of an evolving effort to find ways to disable key industries,” said Brian Lord, a former deputy director for intelligence and cyber operations at the Government Communications Headquarters in Britain. “All I have to do is create a moderately disabling attack on a key part of the social infrastructure, and then watch the media sensationalize it and panic the public.” 

According to a Washington Post report published on June 14, the NSA has compiled an intelligence assessment on the WannaCry campaign and has attributed the creation of the WannaCry worm to “cyber actors sponsored by” the RGB. This assessment, ascribed the April campaign as an “attempt to raise revenue for the regime.” British officials privately acknowledge that they know North Korea perpetrated the attack, but the government has taken no retaliatory action, uncertain what they can do. It is assessed that use of ransomware to raise funds for the state would fall under both North Korea’s asymmetric military strategy and ”self-financing” policy, and be within the broad operational remit of their intelligence services.

BITCOIN. North Korea is drenched in chronic economic problems, due to a one-sided focus on military spending and decades of economic sanctions from the international community. Under the U.N. sanctions imposed in August, China has banned imports on North Korea's iron, coal and seafood, which accounts for about 35 percent of North Korea's trading income. North Korea may be "mining" bitcoin as a way to get around the tighter sanctions. It also helps that bitcoin is an open and decentralized network, making "mining" a legal and relatively easy activity for anyone who has access to the internet. Ultimately, it's up to the international community and the bitcoin community to decide whether they're comfortable trading bitcoin with North Korea.

Recently, North Korean hackers’ fingerprints showed up in a series of attempted attacks on so-called cryptocurrency exchanges in South Korea, and were successful in at least one case, according to researchers at FireEye. The attacks on Bitcoin exchanges, which see hundreds of millions of dollars worth of Bitcoin exchanged a day, offered Pyongyang a potentially very lucrative source of new funds. Researchers say, there is evidence they have been exchanging Bitcoin gathered from their heists for Monero, a highly anonymous version of cryptocurrency that is far harder for global authorities to trace.

Any North Korean activity in bitcoin is likely a tiny fraction of global trade activity. The total trade volume of bitcoin was nearly $2 billion, according to CryptoCurrency Market Capitalizations. Bitcoin in itself is not criminal by any means; it's not a suspect activity. But the timing of that activity was an interesting correlation with the WannaCry [cyber]attack," The "mining" started five days after the cyberattack, which locked tens of thousands of computer and data files for ransom payments in bitcoin. The attack has also been attributed to North Korea by the U.S. National Security Agency.

"Mining" is a process of earning bitcoins. Miners use high-performance computers to solve complex mathematical problems and verify bitcoin transactions online. In return they are rewarded with bitcoins.

But who would be capable of pulling off such activity in the autocratic country? After all, most North Koreans have no access to the internet. Only a small minority of users — university students, scientists and select government officials — have access to Kwangmyong, a domestic intranet "that offers email and websites but is totally shut off from the rest of the world," according to a Slate article.

"Only the most senior leaders and ruling elite are granted access to worldwide internet directly North Korean elites access internet primarily through three IP ranges, one of which is assigned by China Netcom.


CASH. Once North Korea counterfeited crude $100 bills to try to generate hard cash. Now intelligence officials estimate that North Korea reaps hundreds of millions of dollars a year from ransomware, digital bank heists, online video game cracking, and more recently, hacks of South Korean Bitcoin exchanges.

One former British intelligence chief estimates the take from its cyber heists may bring the North as much as $1 billion a year, or a third of the value of the nation’s exports.

Learning From Iran, Growing Bolder

For decades Iran and North Korea have shared missile technology, and American intelligence agencies have long sought evidence of secret cooperation in the nuclear arena. In cyber, the Iranians taught the North Koreans something important: When confronting an enemy that has internet-connected banks, trading systems, oil and water pipelines, dams, hospitals, and entire cities, the opportunities to wreak havoc are endless.

By midsummer 2012, Iran’s hackers, still recovering from an American and Israeli-led cyberattack on Iran’s nuclear enrichment operations, found an easy target in Saudi Aramco, Saudi Arabia’s state-owned oil company and the world’s most valuable company.

Mar 13 Seven months later, during joint military exercises between American and South Korean forces, North Korean hackers, operating from computers inside China, deployed a very similar cyberweapon against computer networks at three major South Korean banks and South Korea’s two largest broadcasters. Like Iran’s Aramco attacks, the North Korean attacks on South Korean targets used wiping malware to eradicate data and paralyze their business operations. It may have been a copycat operation, but Mr. Hannigan, the former British official, said recently: “We have to assume they are getting help from the Iranians.”


Attribution. Attribution of specific cyber activity to the North Korean state or intelligence organizations is difficult, and up until recently, circumstantial. On June 12, US-CERT released a joint technical alert that summarized analysis conducted by the U.S. Department of Homeland Security (DHS) and FBI on the “tools and infrastructure used by cyber actors of the North Korean government to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally.”

This alert marked the first time the U.S. government linked threat actor groups and malware long-suspected to be utilized by North Korean state-sponsored actors with the with North Korean government itself. DHS and FBI explicitly identified two threat actor groups, Lazarus Group and Guardians of Peace, and three tools, Destover, Wild Positron/Duuzer, and Hangman, as used by the North Korean government. While the FBI and DHS identified many indicators of compromise, Yara rules, and network signatures, the report did not provide any evidence supporting the attribution to the North Korean government or details on which organization or unit might be responsible.

A recent analysis by the cyber security firm Recorded Future found heavy North Korean internet activity in India, Malaysia, New Zealand, Nepal, Kenya, Mozambique, and Indonesia. In some cases, like that of New Zealand, North Korean hackers were simply routing their attacks through the country’s computers from abroad. In others, researchers believe they are now physically stationed in countries like India, where nearly one-fifth of Pyongyang’s cyberattacks now originate.

North Korean Cyber Infrastructure

The North Koreans are getting the hang of “cyber operations”. They’re not as skilled yet as the Chinese and the Russians (not to mention the Americans), but they’re making real progress. Who thought that a country with only about 1,000 internet addresses could inflict serious damage on a nuclear-tipped superpower would have been regarded as preposterous, nobody in Washington (or London) is laughing any longer.

A small minority of users, such as university students, scientists, and select government officials, are allowed access to North Korea’s domestic, state-run intranet via common-use computers at universities and internet cafes. Slate described the domestic intranet this way:

The network, called Kwangmyong, currently connects libraries, universities, and government departments and is slowly making its way into homes of better-off citizens. It houses a number of domestic websites, an online learning system, and email. The sites themselves aren’t much to get excited about: They belong to the national news service, universities, government IT service centers, and a handful of other official organizations. There’s also apparently a cooking site with recipes for Korean dishes.

The data reveals that North Korea’s leadership and ruling elite are plugged into modern internet society and are likely aware of the impact that their decisions regarding missile tests, suppression of their population, criminal activities, and more have on the international community. These decisions are not made in isolation nor are they ill-informed as many would believe.

South Korean media assesses that there may be as many as 4 million mobile devices in North Korea. So while mobile devices are widespread in North Korea, the vast majority of North Koreans do not have access to the internet. Mobile devices sold to ordinary North Koreans are enabled with minimal 3G services, including voice, text messaging, and picture/video messaging, and are restricted to operating only on North Korea’s domestic provider network, Koryolink.

American Publication Recorded Future Report

India has been second largest trading partner of North Korea after China As per the Directorate General of Foreign Trade, India’s export to North Korea was $76.52 million and import stood at $132.53 million in 2014-15. While India largely exported oilmeals, cotton yarn and machinery, Pyongyang exported iron and steel. From $209.05 million, the bilateral came down $130.38 million in 2016-17.

India has been under pressure from USA to cut off all relations with North Korea. India has obliged halting all trade, except for food and medicine. However, India’s embassy in Pyongyang with two diplomats will continue to function. 

The USA has its own way of putting pressure. In a stunning report from the New York Times claimed that India serves as a base for North Korea's cyber warfare.

Citing a report by the Recorded Future, the American publication said nearly a fifth of the Pyongang's attacks originate from India. The report claims that most of North Korean cyber operations are carried out from foreign countries like India, Malaysia, New Zealand, Nepal, Kenya, Mozambique, and Indonesia. While in some cases, the North Korean hackers route their attacks through their computers from abroad, in cases like that in India, hackers are physically stationed to carry out attacks. The report by Recorded Future also indicates that India, despite serving as a base for North Korea's cyberwar, also remains at a potential threat from similar attacks. 

It is interesting to see what the report from Recorded Future, a CIA Funded organization, says. In the open domain there has not been much rebuttal from the Government of India side. You can view the report here. [https://www.recordedfuture.com/north-korea-internet-activity/ ]

This data and analysis demonstrate that there are significant physical and virtual North Korean presences in several nations around the world — nations where North Koreans are likely engaging in malicious cyber and criminal activities These nations include India, Malaysia, New Zealand, Nepal, Kenya, Mozambique, and Indonesia.

Based on our analysis, we were able to determine the following:

It is clear that North Korea has a broad physical and virtual presence in India. Characterized by the Indian Ministry of External Affairs as a relationship of “friendship, cooperation, and understanding,” the data we analyzed supports the reports of increasingly close diplomatic and trade relationship between India and North Korea.

Patterns of activity suggest that North Korea may have students at least seven universities around the country and may be working with several research institutes and government departments.

Nearly one-fifth of all activity observed during this time period involved India.

North Korea also has large and active presences in New Zealand, Malaysia, Nepal, Kenya, Mozambique, and Indonesia. Our source revealed not only above-average levels of activity to and from these nations, but to many local resources, news outlets, and governments, which was uncharacteristic of North Korean activity in other nations.

It has been widely reported that North Korea has a physical presence to conduct cyber operations in China, including co-owning a hotel in Shenyang with the Chinese from which North Korea conduct malicious cyber activity. Nearly 10 percent of all activity observed during this timeframe involved China, not including the internet access points provided by Chinese telecommunications companies.

Our analysis finds that the profile of activity for China was different than the seven nations identified above, mainly because North Korean leadership users utilized so many Chinese services, such as Taobao, Aliyun, and Youku, which skewed the data. After accounting for use of Chinese internet services, which of course do not signify either physical or virtual presence in China, the pattern of activity to local Chinese resources, news outlets, and government departments mirrored the seven previously identified nations.

Additionally, during this time frame it appeared that some North Korean users were conducting research, or possibly even network reconnaissance, on a number of foreign laboratories and research centers.

In particular, activity targeting the Indian Space Research Organization’s National Remote Sensing Centre, the Indian National Metallurgical Laboratory, and the Philippines Department of Science and Technology Advanced Science and Technology Research Institutes raised flags of suspicion, but we could not confirm malicious behavior


North Korea appears to be funding itself with bitcoin, according to a recent report. Recorded Future, an intelligence research firm backed by Google Venture and In-Q-Tel (a venture capital firm funded by the CIA), reported that North Korea began "mining" bitcoin on May 17 and could be using the digital currency to generate income for the regime.

The United Nations Security Council on Monday unanimously approved new sanctions against North Korea, the harshest yet — capping North Korea's oil imports, banning textile exports, ending additional overseas labor contracts. Bitcoin "mining" could become a viable income source for this further-isolated nation that's craving nuclear weapons.

"We weren't able to determine the volumes, like how many bitcoin they can generate per certain time period. We could just see activity," said Priscilla Moriuchi, the director of strategic threat development at Recorded Future.

Future Threat Trends from North Korean Cyber Operations

Evidence is mounting that sanctions, international pressure, and possibly increased enforcement by China are beginning to take their toll on the North Korean economy and in particular, North Korea intelligence agent’s ability to procure goods for regime leadership. A May 2017 report from the Korea Development Institute concluded that North Korea’s black market had helped the nation endure the impacts of the international sanctions last year.

Left unchecked and barring any unpredictable power shift, North Korea is likely to continue to place strategic value in its cyber capabilities. Future North Korean cyber attacks are likely to fall along a spectrum, with one end being continued low-intensity attacks and the other end characterized by high-intensity attacks from an emboldened North Korea. Concurrently, the DPRK will likely deepen the integration of its cyber elements into its conventional military forces. Although North Korea’s history of low-intensity provocations makes it more likely that it will continue on the lower end of the spectrum, the 

Specific policy recommendations for the United States and the U.S.-ROK alliance are :

Prepare a graduated series of direct responses targeting North Korea’s cyber organizations.

Curb North Korea’s operational freedom in cyberspace.

Identify and leverage North Korea’s vulnerabilities to maintain strategic balance.

A dopt damage mitigation and resiliency measures to ensure that critical systems and 
networks maintain operational continuity during and after an attack.

CONCLUSION

In international relations one does not assume that your adversary is nuts and do not underestimate his capacity to inflict serious damage on you. West has made both the mistakes with regard to North Korea. Our reasons for doing so are, at one level, understandable. In economic terms, the country is a basket case. According to the CIA’s world factbook, its per-capita GDP is $1,800 or less, compared with nearly $40,000 for the UK and $53,000 for the US. Its industrial infrastructure is clapped out and nearly beyond repair; the country suffers from chronic food, energy and electricity shortages and many of its people are malnourished. International sanctions are squeezing it almost to asphyxiation. 

And yet this impoverished basket case has apparently been able to develop nuclear weapons, plus the rocketry needed to deliver them to Los Angeles and its environs. Kim’s priority is to avoid regime change. He knows that if you have nukes, then no one – not even Trump – is going to try any funny business, especially when it’s clear that a seriously aggressive move by the US would mean the death of hundreds of thousands of South Koreans. The North Korean leader’s rationale for developing nuclear weapons that are ready for deployment is identical to Britain’s rationale for renewing Trident: deterrence.

While American and South Korean officials often express outrage about North Korea’s cyberactivities, they rarely talk about their own — and whether that helps fuel the cyber arms race. Yet both Seoul and Washington target the North’s Reconnaissance General Bureau, its nuclear program and its missile program. Hundreds, if not thousands, of American cyberwarriors spend each day mapping the North’s few networks, looking for vulnerabilities that could be activated in time of crisis. Both the United States and South Korea have also placed digital “implants” in the Reconnaissance General Bureau, the North Korean equivalent of the Central Intelligence Agency, according to documents that Edward J. Snowden released several years ago. American created cyber and electronic warfare weapons were deployed to disable North Korean missiles, an attack that was, at best, only partially successful.

At a recent meeting of American strategists to evaluate North Korea’s capabilities, some participants expressed concerns that the escalating cyberwar could actually tempt the North to use its weapons — both nuclear and cyber — very quickly in any conflict, for fear that the United States has secret ways to shut the country down.

North Korea has understood how digital technology can convert industrial and economic weakness into a strength. The reason why major industrialised countries hold back from responding in kind to one another’s cyber attacks is because their societies are all desperately dependent on complex, fragile and insecure network infrastructures. So all fear the unfathomable consequences of retaliation. And, accordingly, a new doctrine of mutually assured destruction keeps an uneasy peace in cyberspace.

North Korea, however, doesn’t have much of a digital infrastructure and so has less to fear. Which is why Kim may be smarter than we like to think.


Indeed, both sides see cyber as the way to gain tactical advantage in their nuclear and missile standoff.

There is evidence Pyongyang has planted so-called digital sleeper cells in the South’s critical infrastructure, and its Defense Ministry, that could be activated to paralyze power supplies and military command and control networks. The North Korean cyberthreat “crept up on us,” said Robert Hannigan, the former director of Britain’s Government Communications Headquarters, which handles electronic surveillance and cybersecurity.“Because they are such a mix of the weird and absurd and medieval and highly sophisticated, people didn’t take it seriously,” he said. “How can such an isolated, backward country have this capability? Well, how can such an isolated backward country have this nuclear ability?”

No comments: