POLITICAL FOES, FINANCIAL SITES AMONG TARGETS FOR NORTH KOREA
ble of unleashing global havoc.
Unlike its weapons tests, which have led to international sanctions, the North’s cyberstrikes have faced almost no pushback or punishment, even as the regime is using its hacking capabilities for actual attacks against its adversaries in the West.
And just as Western analysts once scoffed at the potential of the North’s nuclear program, so did experts dismiss its cyber potential — only to now acknowledge that hacking is an almost perfect weapon for a Pyongyang that is isolated and has little to lose.
The country’s primitive infrastructure is far less vulnerable to cyber retaliation, and North Korean hackers operate outside the country, anyway. Sanctions offer no useful response, since a raft of sanctions are already imposed. And Kim’s advisers are betting that no one will respond to a cyberattack with a military attack, for fear of a catastrophic escalation between North and South Korea.
“Cyber is a tailor-made instrument of power for them,” said Chris Inglis, a former deputy director of the National Security Agency, who now directs cyberstudies at the U.S. Naval Academy. “There’s a low cost of entry, it’s largely asymmetrical, there’s some degree of anonymity and stealth in its use. It can hold large swaths of nation state infrastructure and private-sector infrastructure at risk. It’s a source of income.”
Inglis, speaking at the Cambridge Cyber Summit this month, added: “You could argue that they have one of the most successful cyber programs on the planet, not because it’s technically sophisticated, but because it has achieved all of their aims at very low cost.”
It is hardly a one-way conflict: By some measures the United States and North Korea have been engaged in an active cyber conflict for years.
Both the United States and South Korea have also placed digital “implants” in the Reconnaissance General Bureau, the North Korean equivalent of the Central Intelligence Agency, according to documents that Edward J. Snowden released several years ago. U.S.-created cyber and electronic warfare weapons were deployed to disable North Korean missiles, an attack that was, at best, only partially successful.
Indeed, both sides see cyber as the way to gain tactical advantage in their nuclear and missile standoff.
Once North Korea counterfeited crude $100 bills to try to generate hard cash. Now intelligence officials estimate that North Korea reaps hundreds of millions of dollars a year from ransomware, digital bank heists, online video game cracking and, more recently, hacks of South Korean Bitcoin exchanges.
One former British intelligence chief estimates the take from its cyberheists may bring the North as much as $1 billion a year, or a third of the value of the nation’s exports.
The North Korean cyberthreat “crept up on us,” said Robert Hannigan, former director of Britain’s Government Communications Headquarters, which handles electronic surveillance and cybersecurity.
“Because they are such a mix of the weird and absurd and medieval and highly sophisticated, people didn’t take it seriously,” he said. “How can such an isolated, backward country have this capability? Well, how can such an isolated backward country have this nuclear ability?”
From minor leaguers to serious hackers
Kim Jong Il, the father of the current dictator and the initiator of North Korea’s cyberoperations, was a movie lover who became an internet enthusiast, a luxury reserved for the country’s elite. When Kim died in 2011, the country was estimated to have 1,024 IP addresses, fewer than on most New York City blocks.
Kim, like the Chinese, initially saw the internet as a threat to his regime’s ironclad control over information. But his attitude began to change in the early 1990s, after a group of North Korean computer scientists returned from travel abroad proposing to use the web to spy on and attack enemies like the United States and South Korea, according to defectors.
North Korea began identifying promising students at an early age for special training, sending many to China’s top computer science programs. In the late 1990s, the FBI’s counterintelligence division noticed that North Koreans assigned to work at the United Nations were also quietly enrolling in university computer programming courses in New York.
“The FBI called me and said, ‘What should we do?’ ” recalled James A. Lewis, at the time in charge of cybersecurity at the Commerce Department. “I told them, ‘Don’t do anything. Follow them and see what they are up to.’”
A National Intelligence Estimate in 2009 wrote off the North’s hacking prowess, much as it underestimated its long-range missile program. It would be years before it could mount a meaningful threat, it claimed.
But the regime was building that threat.
When Kim Jong Un succeeded his father, in 2011, he expanded the cyber mission beyond serving as just a weapon of war, focusing also on theft, harassment and political-score settling.
“Cyberwarfare, along with nuclear weapons and missiles, is an ‘all-purpose sword’ that guarantees our military’s capability to strike relentlessly,” Kim Jong Un reportedly declared, according to the testimony of a South Korean intelligence chief.
And the array of U.N. sanctions against Pyongyang only incentivized Kim’s embrace.
“We’re already sanctioning anything and everything we can,” said Robert P. Silvers, the former assistant secretary for cyberpolicy at the Department of Homeland Security during the Obama administration. “They’re already the most isolated nation in the world.”
Learning from Iran, growing bolder
For decades Iran and North Korea have shared missile technology, and U.S. intelligence agencies have long sought evidence of secret cooperation in the nuclear arena. In cyber, the Iranians taught the North Koreans something important: When confronting an enemy that has internet-connected banks, trading systems, oil and water pipelines, dams, hospitals and entire cities, the opportunities to wreak havoc are endless.
By midsummer 2012, Iran’s hackers, still recovering from a U.S. and Israeli-led cyberattack on Iran’s nuclear enrichment operations, found an easy target in Saudi Aramco, Saudi Arabia’s state-owned oil company and the world’s most valuable company.
That August, Iranian hackers flipped a kill switch at precisely 11:08 a.m., unleashing a simple wiper virus onto 30,000 Aramco computers and 10,000 servers that would destroy data, and replace it with a partial image of a burning American flag. The damage was tremendous.
Seven months later, during joint military exercises between U.S. and South Korean forces, North Korean hackers, operating from computers inside China, deployed a similar cyberweapon against computer networks at three major South Korean banks and South Korea’s two largest broadcasters. Like Iran’s Aramco attacks, the North Korean attacks on South Korean targets used wiping malware to eradicate data and paralyze their business operations.
Protecting Kim’s image
A chief political objective of the cyberprogram is to preserve the image of the North’s 33-year-old leader, Kim Jong Un. In August 2014, North Korean hackers went after a British broadcaster, Channel Four, which had announced plans for a television series about a British nuclear scientist kidnapped in Pyongyang.
First, the North Koreans protested to the British government. “A scandalous farce,” North Korea called the series. When that was ignored, British officials found that the North had hacked into the television network’s computer system. The attack was stopped before inflicting any damage, and David Abraham, chief executive of Channel Four, initially vowed to continue the production.
That attack, however, was just a prelude. When Sony Pictures Entertainment released a trailer for “The Interview,” a comedy about two journalists dispatched to Pyongyang to assassinate North Korea’s young new dictator, Pyongyang wrote a letter of complaint to the secretary-general of the United Nations to stop the production. Then came threats to Sony.
Michael Lynton, then Sony’s chief executive, said that when Sony officials called the State Department, they were told it was just more “bluster.”
“At that point in time, Kim Jong Un was relatively new in the job, and I don’t think it was clear yet how he was different from his father,” Lynton said in an interview. “Nobody ever mentioned anything about their cyber capabilities.”
In September 2014, while still attempting to crack Channel 4, North Korean hackers buried deep into Sony’s networks, lurking patiently for the next three months, as both Sony and U.S. intelligence completely missed their presence.
The director of national intelligence, James Clapper, was even in Pyongyang at the time, trying to win the release of a detained American, and had dinner with the then-chief of the Reconnaissance General Bureau.
On Nov. 24, the attack on Sony began: Employees arriving at work that day found their computer screens taken over by a picture of a red skeleton with a message signed “GOP,” for “Guardians of Peace.”
Robbing banks, Pyongyang style
Beyond respect, and retribution, the North wanted hard currency from its cyberprogram.
So soon the digital bank heists began — an attack in the Philippines in October 2015; then the Tien Phong Bank in Vietnam at the end of the same year; and then the Bangladesh Central Bank. Researchers at Symantec said it was the first time a state had used a cyberattack not for espionage or war, but to finance the country’s operations.
Now, the attacks are increasingly cunning. Security experts noticed in February that the website of Poland’s financial regulator was unintentionally infecting visitors with malware.
It turned out that visitors to the Polish regulator’s website — employees from Polish banks, from the central banks of Brazil, Chile, Estonia, Mexico, Venezuela and even from prominent Western banks like Bank of America — had been hit with a watering hole attack, in which North Korean hackers waited for their victims to visit the site, then installed malware on their machines. Forensics showed that the hackers had put together a list of internet addresses from 103 organizations, most of them banks, and designed their malware to specifically infect visitors from those banks, in what researchers said appeared to be an effort to move around stolen currency.
More recently, the North Koreans seem to have changed tack once again. North Korean hackers’ fingerprints showed up in a series of attempted attacks on cryptocurrency exchanges in South Korea, and they were successful in at least one case, according to researchers at FireEye.
The attacks on Bitcoin exchanges, which see hundreds of millions of dollars worth of Bitcoin exchanged a day, offered Pyongyang a potentially very lucrative source of new funds. And, researchers say, there is evidence they have been exchanging Bitcoin gathered from their heists for Monero, a highly anonymous version of cryptocurrency that is far harder for global authorities to trace.
The most widespread hack was WannaCry, a global ransomware attack that used a program that cripples a computer and demands a ransom payment in exchange for unlocking the computer, or its data. In a twist the North Koreans surely enjoyed, their hackers based the attack on a secret tool, called “Eternal Blue,” stolen from the National Security Agency.
In the late afternoon of May 12, panicked phone calls flooded in from around Britain and the world. The computer systems of several major British hospital systems were shut down, forcing diversions of ambulances and the deferral of nonemergency surgeries. Banks and transportation systems across dozens of countries were affected.
Britain’s National Cyber Security Center had picked up no warning of the attack, said Paul Chichester, its director of operations. Investigators now think the WannaCry attack may have been an early misfire of a weapon that was still under development — or a test of tactics and vulnerabilities.
“This was part of an evolving effort to find ways to disable key industries,” said Brian Lord, a former deputy director for intelligence and cyber operations at the Government Communications Headquarters in Britain. “All I have to do is create a moderately disabling attack on a key part of the social infrastructure, and then watch the media sensationalize it and panic the public.”
It ended thanks to Marcus Hutchins, a college dropout and self-taught hacker living with his parents in the southwest of England. He spotted a web address somewhere in the software and, on a lark, paid $10.69 to register it as a domain name. The activation of the domain name turned out to act as a kill switch causing the malware to stop spreading.
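The kill switch described above has a defensive side effect worth spelling out: any machine that looks up the kill-switch domain has already run the malware, so a resolver log is a cheap census of infected hosts. The following Python script is an added example, not code from the article or from any of the investigators it quotes; the domain name is a placeholder (the article does not name the real one) and the BIND-style log lines are constructed to illustrate the format.

```python
"""Triage of DNS resolver logs for queries to a worm's kill-switch domain.

Added example, not from the article. A host that queries the kill-switch
domain at all has executed the malware; whether the query resolved only
tells you whether the worm halted on that host or kept spreading.
The domain and the log lines below are constructed placeholders.
"""
import re

# Placeholder: substitute the real sinkholed domain from your threat intel feed.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed BIND-style query lines and matching answer lines from a
# hypothetical resolver; real formats differ, so adjust the regexes to yours.
SAMPLE_LOG = """\
12-May-2017 15:02:11.001 client 10.1.4.22#51234: query: killswitch-placeholder.example IN A + (10.1.0.5)
12-May-2017 15:02:11.002 client 10.1.4.22#51234: answer: killswitch-placeholder.example NXDOMAIN
12-May-2017 15:02:40.120 client 10.1.7.9#40001: query: www.example.org IN A + (10.1.0.5)
12-May-2017 15:02:40.140 client 10.1.7.9#40001: answer: www.example.org NOERROR
12-May-2017 16:45:03.310 client 10.1.9.3#60777: query: killswitch-placeholder.example IN A + (10.1.0.5)
12-May-2017 16:45:03.330 client 10.1.9.3#60777: answer: killswitch-placeholder.example NOERROR
"""

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN A")
ANSWER_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: answer: (?P<name>\S+) (?P<rcode>\w+)")


def _is_domain(name, domain):
    # Normalise trailing dot and case before comparing with the indicator.
    return name.rstrip(".").lower() == domain.lower()


def triage(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: outcome} for every client that queried `domain`.

    outcome is "resolved" (kill switch engaged; the worm should have halted
    on that host), "nxdomain" (queried before the domain was registered, or
    DNS egress was blocked; the worm kept spreading) or "unknown" (query seen
    without a matching answer line). In every case the host ran the malware
    and needs isolation and rebuilding.
    """
    outcomes = {}
    for line in log_text.splitlines():
        q = QUERY_RE.search(line)
        if q and _is_domain(q.group("name"), domain):
            outcomes.setdefault(q.group("ip"), "unknown")
            continue
        a = ANSWER_RE.search(line)
        if a and _is_domain(a.group("name"), domain):
            outcomes[a.group("ip")] = (
                "resolved" if a.group("rcode") == "NOERROR" else "nxdomain"
            )
    return outcomes


def hosts_to_isolate(log_text, domain=KILL_SWITCH_DOMAIN):
    """Sorted list of every client that touched the domain, regardless of outcome."""
    return sorted(
        triage(log_text, domain),
        key=lambda ip: tuple(int(octet) for octet in ip.split(".")),
    )


if __name__ == "__main__":
    for ip, outcome in triage(SAMPLE_LOG).items():
        print(f"{ip}: {outcome}")
```

Run over the constructed log this flags 10.1.4.22 (queried while the domain still returned NXDOMAIN, so the worm would not have stopped there) and 10.1.9.3 (queried after registration, so the kill switch engaged), and ignores 10.1.7.9, which only resolved an unrelated name. The "nxdomain" outcome is the one to watch in a real incident: a kill switch of this kind only works where the infected host can actually resolve and reach the domain, so a network that blocks direct egress gets no benefit from it and must rely on isolation and patching instead.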
British officials privately acknowledge that they know North Korea perpetrated the attack, but the government has taken no retaliatory action, uncertain what it can do.
A cyber arms race
While U.S. and South Korean officials often express outrage about North Korea’s cyber activities, they rarely talk about their own — and whether that helps fuel the cyber arms race.
Yet both Seoul and Washington target the North’s Reconnaissance General Bureau, its nuclear program and its missile program. Hundreds, if not thousands, of U.S. cyberwarriors spend each day mapping the North’s few networks, looking for vulnerabilities that could be activated in time of crisis.
At a recent meeting of U.S. strategists to evaluate North Korea’s capabilities, some participants expressed concerns that the escalating cyberwar could actually tempt the North to use its weapons — both nuclear and cyber — quickly in any conflict, for fear that the United States has secret ways to shut the country down.