Northwest Arkansas Democrat-Gazette

N. Korea said to steal nations’ war plans

- CHOE SANG-HUN

SEOUL, South Korea — North Korean hackers stole a vast cache of data, including classified wartime contingency plans jointly drawn by the United States and South Korea, when they breached the computer network of the South Korean military last year, a South Korean lawmaker said Tuesday.

The stolen documents included the South Korean military’s plan to remove North Korean leader Kim Jong Un, referred to as a “decapitation” plan, should war break out on the Korean Peninsula, the lawmaker, Rhee Cheol-hee, told reporters.

Rhee, a member of the governing Democratic Party who serves on the defense committee of the National Assembly, said he only recently learned of the scale of the North Korean hacking attack, which was first discovered in September 2016.

It was not known whether any of the military’s top secrets were leaked, although Rhee said that nearly 300 lower-classification confidential documents were stolen. The military has not yet identified nearly 80 percent of the 235 gigabytes of leaked data, he said.

A Defense Ministry spokesman, Moon Sang-gyun, refused to comment on Rhee’s disclosure.

A spokesman for the Pentagon, Col. Robert Manning, would not discuss whether the hacking had occurred, saying only that he would not “discuss the specifics” of the incident.

North Korea and South Korea have long had each other’s computer networks in their sights. The United States, piggybacking on South Korean operations, broke into the North’s computer systems in 2010, targeting the Reconnaissance General Bureau, the North’s equivalent of the CIA.

South Korean intelligence officials told lawmakers in June that Kim was desperate to get hold of South Korea’s decapitation plan. He had also begun using his deputies’ cars as decoys to move from place to place, they said.

When the hacking was discovered last year, the ministry blamed North Korea. But it has acknowledged only that “some classified information” was stolen, saying that revealing more details would only benefit its enemies.

Some South Korean news media outlets, citing anonymous sources, had earlier reported that the leaked data included wartime contingency plans. But Rhee is the first member of the parliamentary committee that oversees the military to disclose similar details.

It remained unclear how much the hacking has undermined the joint preparedness of the South Korean and U.S. militaries, with South Korean officials simply saying that they have been redressing whatever damage was caused by the cyberattack.

The military plans for dealing with North Korea have been rewritten in recent months by U.S. Secretary of Defense James Mattis in response to the North’s accelerated threats.

The plan containing the so-called decapitation operation, Operations Plan 5015, had been updated in 2015 to reflect the growing nuclear and missile threat from North Korea. Its details remain classified.

Under their mutual defense treaty, the United States takes operational control of South Korean troops in the event of war on the divided Korean Peninsula. The two allies hone their war plans through annual joint military exercises.

As Kim has accelerated his nuclear and missile programs in recent years, South Korean defense officials have publicly discussed pre-emptive strikes at critical missile and nuclear sites in North Korea and an operation to eliminate the North’s top leaders.

In the hacking attack, later code-named “Desert Wolf” by security officials, North Korean hackers infected 3,200 computers, including 700 connected to the South Korean military’s internal network, which is normally cut off from the Internet. The attack even affected a computer used by the defense minister.

Investigators later learned that the hackers first infiltrated the network of a company providing a computer vaccine service to the ministry’s computer network in 2015. They said the hackers operated out of Internet Protocol addresses originating in Shenyang, a city in northeast China that had long been cited as an operating ground for North Korean hackers.

The intruders used the vaccine server to infect Internet-connected computers of the military with malicious codes in August of last year, the investigators said. They could also infiltrate the malware into the military’s closed internal network when it was mistakenly linked to the Internet during maintenance.
