06.02.2017 Author: Konstantin Asmolov

New Adventures of “North Korean Hackers”

675445345234Against the backdrop of the scandalous stories about Russian hackers, the author returns to the topic of North Korean hackers seeing as the body evidence for charges in both cases is characterized by quasi arguments.

The story began with an ordinary list of scandalous news in March 2016, when the South Korean intelligence service reported an attempt to hack the network managing the transportation system made by hackers from the DPRK.

On May 12, 2016, the web site of South Korea’s Air Forces suffered a cyber attack. They failed to prove the guilt of Pyongyang based on the preliminary results of investigation, but “its involvement could not be ruled out”. On the same day, the South Korean military and industrial companies and arms trading agents received emails with a computer virus allegedly sent from the address of the Defense Acquisition Program Administration.

In late May 2016, the DPRK was charged with the involvement in the scandalous theft of 81 million dollars from the Central Bank of Bangladesh. The attack took place on February 4-5, when the Bangladeshi regulator was not working. In general, the malefactors planned to steal $951 million, but the withdrawal of the major part of funds was prevented.
According to The New York Times that referred to the experts of the Symantec Company, there was irrefutable evidence that a series of hacker attacks on banks, as a result of which at least $ 81 million was stolen, was organized by one group. The code used by the criminals resembled the program used by the computer trespassers during the attack on Sony Pictures in 2014, as well as on the South Korean banks and media companies in 2013.

The scandal was big, but after the analysis of a series of attacks on 12 Asian banks, on June 17 of the same year, the investigators detected the involvement of the hackers from Russia, Moldova, and Kazakhstan in the theft of $81 million. This conclusion was made based on the analysis of the scumware used. Several attacks used Dridex botnet, which was applied by the cyber groups from countries of the former Soviet Union, including Russia, Moldova, and Kazakhstan. Dridex gets into a computer via email and collects the user’s personal data (username, passwords, etc.), which can be used to access privileged networks.

Having assumed the fact that the attack on the banks could be committed by groups that use Dridex, or by North Korean hackers, the investigators admitted that the scumware could have been sold on the black market by criminals. However, according to the estimates made by Symantec, the cyber group using Dridex is characterized by strict organization and discipline, it sticks to the 5-day business week and even takes a break for the New Year holidays. This fact has almost spurred on the version of the DPRK’s involvement but it is not clear why Pyongyang’s hackers take a break for Christmas. Perhaps, for highly secret reasons.

Almost simultaneously, on May 31, 2016, the Prosecutor’s Office of the Republic of Korea came to the conclusion that the hackers’ attack in 2015 related to the code signing certificate that had been made by the North Korean hackers. They broke the server of one of the companies engaged in developing the computer programs and copied the materials on the code signing certificate. Later on, these data were used in 10 malware distributed in the global network to penetrate the site of one of the scientific institutions of South Korea. Subsequently, 19 computers of 10 government offices related to this website were infected with the malware. The trace of North Korean involvement was identified due to the fact that the server of the attacked company was visited by a user with a North Korean IP-address owned by the DPRK 26 times over the course of two months.

On June 13, 2016, Reuters reported that North Korean hackers had broken over 140 thousand computers operating in major South Korean companies and public institutions, and installed malware planned to be used for a large-scale cyber attack. The hacking was performed from the North Korean IP-address, which was used to attack the South Korean banks in 2013. The goal of the new attack was the software used in 160 South Korean companies and departments managing internal networks. Allegedly, the hackers got access to 42,608 files, including those with information about F-15 American destroyers. However, the South Korean police stated that military secrets had not been threated by a serious attack. Most documents had no sensitive information and had been in the public domain.

On June 20, 2016, the South Korean police confirmed that it had secret evidence that Pyongyang’s hackers had planned to attack the united administration network that managed the computers of a number of corporations and state institutions, including companies from SK Group, Hanjin, Korean Air, KT. According to police data, the North Korean hackers could break into the companies’ computer networks any time, install a malicious code that could control 130,000 PCs.

According to the South Korean experts, the prepared cyber attack might have exceeded the attack in 2013 more than twofold. That time, financial and broadcasting companies had faced an attack, the total damage of which had amounted to 900 million dollars. Given the fact that the IP-addresses of the previous and the current attacks were the same, it can be assumed that the cyber attack had been prepared for a long time at the state level and Pyongyang intended to broaden its scope.

On July 22, the Minister of Science, ICT and Future Planning of the Republic of Korea reported that the number of cyber attacks by North Korea had increased more than twofold in the first half of the year in comparison with the same period of the previous year, which could be explained by Pyongyang’s aim to disrupt and create distrust in the government. Thus, the hackers perform large-scale attacks on the smartphones of the government representatives and on important state entities.

On July 11, 2016, the trace of the North Korean involvement was identified in the cyber attack on one of the major online markets of South Korea that took place in May. As a result of the unauthorized access to a server of the Interpark site owner, the database of ten million users containing the names, addresses, and telephone numbers of customers was stolen. It turned out that the malicious code was identical to that used in 2009, 2012 and 2013 against South Korean government agencies, financial companies, and the media, and the letter with ransom demand contained words and phrases that were typical for the North Korean dialect and passed through four IP-addresses in three countries, but the source was the IP-address of the Ministry of Post and Telecommunications of the DPRK.

On August 2, 2016, the email passwords of 56 employees of the South Korean government agencies were leaked: officials received messages regarding the need to change their current email password due to their having been leaked and they had to go through 27 web sites created by the hackers, which resembled official websites or sites owned by Google or Naver. Ninety people received the hackers’ notification including the employees of the Foreign Affairs Ministry, the Ministry of Defence, scientific institutions related to the DPRK studies, as well as media representatives. Once again, the hackers used the IP and server identical to those used during the cyber attacks on the Korean Corporation of hydro and nuclear power.

A similar attack was carried out in November – South Korean users received a filed entitled “The Concern of the Republic of Korea.” The file contained various information on the scandal around Park Geun-hye and Choi Soon-sil. After the file was opened, Trojan software started to steal information from the user’s PC.

As usual, it was “detected” that the initial message sender was an IP-address located in Pyongyang. In order to conceal the North Korean source, the senders used US proxy servers to send messages to South Korea, but the same IP-address from Pyongyang was used on March 20, 2013 to make a series of attacks on the websites of different media and financial institutions in the Republic of Korea. Therefore, Seoul is sure that the recent attacks have been carried out by North Korean hackers.

On January 25, 2017, “North Korean hackers possibly attacked the website of a major defence company of South Korea.” The cyber attack’s format is wormhole hacking, when a virus hacks the information of those who visit the website.

Let us talk about “the detection of the trace of North Korean of involvement” and why similar arguments are wrong.

  •  “Similar software was used during the previous attacks of the North Korean hackers“. Even if we omit the question whether the previous attacks were surely made by the North Koreans, it can be noted that there are only a limited number of unique hacking software programs and most hackers use a limited set of tools. In the cases when the software was named, it was not North Korean.
  • ​ “The IP-address belongs to the DPRK“. IP masquerade programs are even more widespread than hacking ones: in fact, any browser with a VPN function allows the user to pretend to be a user from another country. In addition, 26 visits in two months actually rather very few.
  • The attack was carried out from Shenyang, which means the North Koreans are involved“. Well, if it was committed from China, it obviously means the DPRK was involved. Even though the Chinese intelligence service and hackers affiliated with them are famous for their cyber attacks on their enemies.
  • ​ “We have secret evidence” (we will not share it as it is secret). No comment.

In this context, it is easily forgotten that

  • stealing stranger’s electronic signature is the typical business of cyber criminals taking into account the value of the software signing certificate by Microsoft.
  •  South Korea leads in terms of non-protected or badly protected Wi-Fi access points: 47.9% of points in Korea are very fragile.
  • ​ According to a report published by Akamai Korea, an Internet service provider, 4,500 DDos-attacks were performed in Q1 in the Republic of Korea, which was a quarter more than in the same period of the previous year, and the capacity of 19 of those attacks exceeded 100 Gbps. China is ranked first in terms of the number of DDoS-attacks, which accounts for 27.2% of all DDoS attacks in the world.
  •  Evidence of the involvement of a specific computer occurs when the computer is physically taken and examined thus proving that the attack was carried out from this computer.
  • ​ The attacks on the DPRK are real as opposed to the “fairy tales” by the South. In March 2013, a real radio electronic war was organized against the Republic, and the access to the Internet was blocked in its territory. In January 2015, the American newspaper, the New York Times, reported that the US National Security Agency had penetrated the DPRK’s computer networks in 2010. According to the New York Times, the NSA managed to install a spyware in the DPRK’s networks, which helped monitor the activities of the computers of interest to the American intelligence service.

In fact, we hare contending with the habit of declaring the trace of North Korean involvement should there be any reasonably significant cyber attack regardless of who might actually be the perpetrator. The enemy is demonized, and the vigilance increases but whether the level of cyber security as a whole improves is still unclear.

Konstantin Asmolov, PhD in History, Leading Research Fellow at the Center for Korean Studies of the Institute of Far Eastern Studies of the Russian Academy of Sciences, exclusively for the online magazine “New Eastern Outlook.


×
Please select digest to download:
×