Often dismissed as a laggard in the global cyberarms race, North Korea has long been seen as a chronic cyber-superpower wannabe. Its poverty, minimal Internet access, and paucity of malicious software to its credit together have indicated that the "hermit kingdom" has just not yet arrived.
But that equation is changing. While the North's nuclear ambitions and maltreatment of its citizens absorb diplomatic bandwidth, a four-year cyberattack-and-espionage campaign targeting South Korean banks, news media, telecoms, and military think tanks has revealed North Korean cyberwarfare capabilities to be far more potent than previously believed, US experts say and new analyses show.
What's more, say American cyberwarfare and North Korea experts, the North's advancing capabilities show a dangerous potential to slide into real-world conflict.
"Over the past four years the North has seriously intensified its cyberwarfare development efforts at South Korea's expense," says Alexandre Mansourov, a visiting scholar at the US-Korea Institute at Johns Hopkins University in Baltimore. "The [Korean People's Army] is basically planning for a future cyberwar and has been hacking to collect intelligence and prepare to disrupt information and communications, surveillance, and reconnaissance systems of its enemies: South Korea, the US, and Japan."
Analyses of these attacks, while falling short of "smoking gun" proof, leave little doubt that North Korea is not only behind major attacks against the South – but also that its capabilities are much broader than previously believed, Dr. Mansourov and others say. As a result, these experts are boosting their estimates of the sophistication and pace of the North's cybermilitary development – and of its threat to the United States.
Most revealing is the new linkage between the North and four years of increasingly threatening attacks on South Korea, analyzed by leading cybersecurity firms in the past five months. The attacks have cost the South more than $750 million, South Korean lawmakers said this month, citing Defense Ministry data.
The first major attack, on July 4, 2009, began with a modest distributed denial-of-service (DDoS) bombardment – with millions of requests per second (tiny compared with today's attacks) clogging Korean and US government and financial websites for days. The attacks appeared to emanate from 435 different servers in 61 countries around the world – including in South Korea itself.
But a second attack on March 4, 2011, went beyond basic DDoS by launching malicious software that wiped hard drives on systems at one of the South's biggest banks, leaving 30 million customers without ATM services for days.
The picture clears
Initial investigations suggested that the North was responsible, but were ultimately inconclusive.
Clarity began to emerge this past spring following the biggest attack. It began at 2 p.m. on March 20 with several South Korean banks and media outlets hammered by a massive malware attack erupting from inside their own networks. In minutes, a cyberweapon dubbed "DarkSeoul" infected and wiped clean the critical master boot records of 32,000 computers, wrecking them and crippling those organizations for days – one of the most costly and destructive cyberattacks the world has seen.
The digital trail initially led to a cybergang called the "WhoIs Team" – its skull calling card digitally tattooed on the computer hard drives of South Korean banks. Adding to the confusion, another group – the "New Romantic Cyber Army Team" – also claimed responsibility.
But US cybersecurity company McAfee saw something else. "Operation Troy," as McAfee dubbed the attack in a June report, was actually the culmination of a "secret, long-term," and "sophisticated" four-year campaign by just one cyberattacker – not the two cybergangs.
"Operation Troy had a focus from the beginning to gather intelligence on South Korean military targets," McAfee investigators reported. "We have also linked other high-profile public campaigns conducted over the years against South Korea to Operation Troy, suggesting that a single group is responsible."
Which group? South Korean fingers jabbed at North Korea. While McAfee never publicly named a culprit, its officials said privately that Pyongyang was behind the four years of increasingly sophisticated attacks.
The McAfee analysis was not the last to track the attacks back to North Korea's doorstep. The same month, cybersecurity giant Symantec issued its own report linking the four years of cyberattacks to a single actor amid not-so-veiled references – "regardless of whether the gang is working on behalf of North Korea or not."
In September, researchers at Kaspersky Lab announced discovery of an extensive cyberespionage campaign against six South Korean military think tanks. Far from being a primitive hack, the "Kimsuky" campaign, named after a snippet of malicious code, was "extraordinary in its execution and logistics," wrote Dmitry Tarakanov, a researcher at the Moscow-based firm, who said digital tracks led to the North.
"Taking into account the profiles of the targeted organizations ... one might easily suspect that the attackers might be from North Korea," Mr. Tarakanov wrote. "The targets almost perfectly fall into their sphere of interest."
Together, the Operation Troy and Kimsuky findings roused cyber experts to upgrade their estimates of the North's capabilities.
Just three years ago, James Lewis, an expert at the Center for Strategic and International Studies (CSIS) in Washington, was deeply skeptical of the North as a serious cyberthreat to South Korea or US forces in the Pacific. At the time, he dismissed it in an essay titled “Speak Loudly and Carry a Small Stick: The North Korean Cyber Menace.”
"McAfee and Kaspersky are really the first credible reports we've seen about North Korea's cyberwar capability," Mr. Lewis now says. "The North has obtained the ability to penetrate South Korean systems and potentially cause serious disruption." While still a league away from being a global "cyber-superpower," the North today is flexing its muscles and transforming itself into a potent force, he says.
"They have improved considerably their cyberattack capabilities and could pose a threat to US institutions," he says. "Maybe not our military or, say, the Federal Reserve. But are there US targets they could disrupt? Yes, there are."
Why the North loves cyber
Driving the North’s quest for cyberwarfare capability are a combination of the practical and the strategic, experts say. Critical for a poor nation with rich adversaries, such weapons are:
• Cheap to deploy and cost effective. Cyberattacks depend on malicious software, which can be developed or purchased for far less than aircraft or other conventional military hardware. Cyberattacks can be deployed frequently to harass the South at a tiny fraction of the cost of actually deploying troops and tanks – and with more direct impact on the public.
• A strategic counterbalance. Cyberattack systems are seen as a core “asymmetric” warfare strategy vital if the North’s less technologically capable forces are to survive any future fight with the combined forces of South Korea and the US.
• Anonymous. Difficulty attributing cyberattacks makes it easier to avoid sanctions and retaliatory strikes.
Another driver is Pyongyang's top-down push. Development began around 1999, about the time Kim Jong-il launched the North's own fiber-optic, computer hardware, and commercial software industries. Together, these provide expertise that can be tapped for a cyberarmy.
The pace of cyberarmy-building picked up in 2009, accelerating again after Kim Jong-un took power in 2011. He is said to be a computer and Internet aficionado who presses for cyberforce development and tactics.
"They actually consider it to be an 'asymmetric' fifth front in any multi-front warfare against their enemies," says Mansourov.
Indeed, North Korea's ongoing attacks on South Korea appear to be a kind of cyber-sword sharpening – refining capabilities and testing defenses – far different from most of today's much more subtle and better-cloaked cyberconflicts, some experts say.
"Most nations are not trying to take down the servers of other countries – or at least they are trying hard to hide it," says Bruce Bechtol Jr., associate professor of political science at Angelo State University in San Angelo, Texas, and author of several books on North Korea's military. "But North Korea's main thing seems to be taking down servers, conducting damaging operations, and instilling fear."
South Korea advances
At the same time, North Korea's own vulnerability to being hacked is real, despite its outdated reputation as a nearly nondigital nation with few targets of significance.
Growth in the North's fiber-optic cable systems, Internet and intranet-connected national networks, and even a flowering of mobile smart phones among the nation's elite – all are potential targets for US intelligence agencies or the South's own cyberforces, Mansourov notes.
Indeed, South Korea is ramping up its own cybermilitary. In June, during joint military exercises between the US and South Korea, the North was struck by a two-day outage of all its internal websites. The state news agency decried “concentrated and persistent virus attacks,” insisting that the US and South Korea “will have to take responsibility for the whole consequences.”
"Cyberattacks on the South do not occur in a vacuum," Mansourov says. "Every instance of a North Korean attack is likely something prompted by the actions of us or our allies."
Some say the cyber tit for tat could get out of hand and slide toward more serious reprisals.
North Korea's capability "poses an important 'wild card' threat, not only to the United States but also to the region and broader international stability," testified Frank Cilluffo, codirector of the Cyber Center for National and Economic Security at George Washington University, in Congress after the March attacks.
"North Korea's cyber-development is almost just a new harassment mechanism for them, a low-cost, asymmetric method to harass its neighbor in the south," says Matt Rhoades, director of the cyberspace and security program at the Truman National Security Project, a Washington think tank. Such harassment, he warns, is a "slippery slope that could, through miscalculation, lead to real escalation."
Digital attacks attributed to the North are still often characterized as "unsophisticated." Yet hackers for cyber-superpowers such as China typically use the least advanced approach needed for an attack to succeed – saving the most sophisticated for when it counts most.
So even if North Korea under Kim Jong-un is not yet a cyber-superpower, its aggressive pace of development puts it squarely on that path, Lewis at CSIS and others say.
"North Korea will do its best to keep its actual capabilities secretive," writes Ryo Hinata-Yamaguchi, a Japanese researcher who analyzed North Korea's intentions as a fellow at the CSIS Pacific Forum, in an e-mail interview. Today's attacks are "merely to show frustration towards South Korea.... If North Korea were to get serious, they would directly hit [the South's] military networks, government, financial, transportation."
For the North, lobbing moderately damaging cyberweapons and DDoS attacks southward may be more about testing the South’s cyber-defenses – while perhaps winning valuable concessions from the South, too, several experts say.
“That’s just the North negotiating with us,” Lewis says he was told by South Korean officials after the 2011 attack.
Others, too, reject the notion that the North is a laggard, even if it's not yet able to deploy anything as sophisticated or dangerous as Stuxnet, which targeted Iran's nuclear fuel facility at Natanz in 2009.
"This idea that's been out there for a while, that the North Koreans are an incompetent or unsophisticated cyberthreat, is really laughable," says Peter Hayes, executive director of the Nautilus Institute, an Asia-Pacific security think tank in Berkeley, Calif. "They've got very high-level programmers, very sophisticated. You have an extremely competent cyberadversary in North Korea."
Building the North's cyberarmy
Besides selecting industry experts for its cyberarmy, the North annually plucks hundreds of its best and brightest to be trained at elite universities in Pyongyang. Russian teachers are brought in, while others are sent to Russia and China for advanced training, defectors say.
Eventually those recruits funnel into the North's two cyberwarfare units. Some join the State Security Agency's communications monitoring and computer hacking group. Others enter Unit 121 of the Reconnaissance General Bureau of the Korean People's Army, the North's elite cyberfighting force, experts say.
Key elements of Unit 121 operate out of bases in China, including a luxury hotel in the heart of Shenyang, capital of Liaoning Province, which borders North Korea, experts say.
Beyond merely pulling itself up by its bootstraps, the North relies especially heavily on China for help in developing and extending its cyberwarfare capability, they say.
"The North is using China as one of their major bases for their cyber-operations, and uses servers in China to conduct DDoS and other cyberattacks on South Korea," Mansourov says. "They [Unit 121] are believed to have conducted hacking operations from inside China that falsify classified data and disrupt US and South Korean systems."
While Russia provides key assistance, China's help goes much deeper. It includes regular upgrades to the high-speed Internet lines flowing into the North as well as supplying Pyongyang with high-end Chinese-made servers, routers, and other network hardware, experts say.
"China plays a major role in supporting the North's cyber-operations," says Steve Sin, a former senior analyst at the Open Source Intelligence Branch of the Directorate of Intelligence at US Forces Korea and author of a 2009 study of North Korea's cyber-capability. "If nothing else, China's government is complicit in what North Korea is doing, because they could just shut down or throttle back its Internet connection, but they're not."
China's Internet services and other infrastructure make the North's hacking far more effective than it otherwise would be. It would be far easier to identify attacks from the North if they emerged over the few Internet lines flowing out of that country into China, these experts say.
And that's one big reason launching cyberattacks directly from within the North is forbidden, defectors claim. Deniability is critical in order to avoid United Nations sanctions or US bombs. Instead, North Korea's cyber-espionage, DDoS, and hacking attacks are done by Unit 121 and covert cells around the globe, including in the US, South Asia, Europe, and South Korea, defectors say.
Overall, the arrangement leaves China in an excellent position to deny knowledge of any cyberattacks by the North on other nations, experts say.
“China can simply say, ‘We don’t know what’s going on, how can you pinpoint this to North Korea,’ ” says Lee Sung-yoon, a North Korea specialist at the Fletcher School of Law and Diplomacy at Tufts University in Belmont, Mass.
By bolstering or even enabling North Korea’s cyberwarfare capabilities, China enhances its traditional geopolitical pit-bull-on-a-chain stance in which North Korea buffers China’s southern flank, while also keeping the US, Korea and Japan diplomatically off balance in Asia, he and other experts say.
“The Chinese are probably quite pleased with North Korea’s cyber-saber rattling,” Dr. Lee adds. “It’s really no threat to them and strengthens their hand with respect to Washington.”
The Chinese embassy in Washington did not respond to requests for comment on allegations that it aids North Korea’s cybermilitary development and operations.
But in the just-detected “Kimsuky” cyberespionage campaign against six military-connected think tanks in South Korea, Kaspersky investigators tracked the digital footprints of the cyberspies to 10 IP addresses (Internet computer identifiers) inside Jilin and Liaoning, Chinese provinces that border North Korea.
Did those IP addresses belong to cyberspies of the elite Unit 121 enjoying life at a hotel in Shenyang between hacking attacks on the South?
Even though IP addresses can be spoofed, “no other IP-addresses have been uncovered that would point to the attackers’ activity,” writes Mr. Tarakanov, the Kaspersky cyber-sleuth of the Kimsuky cyberspying on the South’s think tanks.
While there is still no conclusive proof recent attacks were North Korean, evidence indicates Pyongyang is building a capability that poses a serious and rising threat to the South and the US, experts say.
"We in the US tend to dismiss these smaller powers, like North Korea," says Mr. Sin. "But there's a danger that comes with that: How many conflicts have we lost to a smaller guy? You know, we kind of dismiss it – and it still comes and bites you."