Sam Coleman

The non-nuclear North Korea could be as deadly as the nuclear one


With mounting evidence pointing to the hermit kingdom as a nation state cybercriminal, experts wonder which battlements Kim Jong Un is willing to use: cyber weapons or nuclear ones?

Some say the tipping of the North Korean cyber army’s hand was a slight that the temperamental Dear Leader 2.0 could not let stand. In 2016, irreverent sacred-cow slayer Seth Rogen and wingman James Franco produced the filmic stocking stuffer The Interview, a spoofing comedy where Kim Jong Un is seen as a needy, petulant dictator whose head is ceremoniously and to comic effect blown off. Had it not been for North Korea’s covert cyber reaction, the film would probably have passed into Rotten Tomatoes obscurity. Instead, it made headlines and became almost a sovereign duty for patriotic Americans to watch. Why? Because North Korean hackers openly declared war on the studio behind the film, Sony Pictures. Using an APT strategy that preyed on the typically lax security of most multinationals, they sucked out the company’s data (films in production, emails, financial records, etc.) and weaponised it. The release of the breached data caused massive reputational and financial damage to the firm, causing key executives to resign in disgrace and the stock to reel. Unit 121, the North Korean cyber army, had announced itself to the world and, as we’ve witnessed over the next two years, it has become as sporadic and destructive as any of North Korea’s military options. Jang Se-yul, who studied at Automation University before defecting to the South six years ago, said Unit 121 is now made up of 1,800 cyber-warriors, and is considered the elite of the military. “For them, the strongest weapon is cyber. In North Korea, it’s called the Secret War,” Jang said.

The Secret War has many heads. One powerful cranium is what North Korea is particularly obsessed with: finances through almost nefarious means. Through decades of sanctions and a feared hereditary autocracy, North Korea is known to traffic in everything from drugs and human beings to high-end gemstones and oil, in and out of the Hermit Kingdom, each transaction extracting a cut that goes to the ruling elite. The production of counterfeit currencies and cigarettes is another lucrative trade. This has led to the term “criminal sovereignty” being applied by foreign policy experts such as Paul Rexton Kan and Bruce Bechtol.

But it’s in cyber where some of this intent may bear the most fruit. Last year’s successful attack on the Federal Reserve of New York’s SWIFT code system was meant to divert 1 Bln US from the Bangladesh Bank. It was a sophisticated attack, with insider information, advanced systems knowledge and a transnational network of receivers to accept and launder the funds. Only a simple typo on one of the documents prevented the entire 951 Mln from being stolen; as it was, 101 Mln was taken, with 38 Mln recovered. Dridex malware code was used in the attack, but researchers at security companies, including Symantec and BAE, have fingerprints that attribute the attack to North Korea-based Lazarus, one of the world’s most active state-sponsored hacking collectives. Attribution fingerprints of the Sony hack were seen on the cyber heist, pointing many experts to the conclusion that North Korea was becoming the first nation state to use cyber attacks for criminal enrichment. But what came next pointed to the most worrisome aspect of the North Korean Secret War: weaponised attacks to inflict large scale damage. WannaCry would be a game changer.

EternalBlue, the NSA cyberweapon released into the wild by the mysterious ShadowBrokers, was one that researchers worried would cause crippling destruction to networks and security. But it was the WannaCry worm that took EternalBlue’s SMB protocol vulnerability and made it the first truly global ransomware, one that shocked the world and brought the terminology into the mainstream. Britain’s National Cyber Security Centre headed a multinational inquiry into the attacks. Ultimately, the group determined that a North Korean government-led hacking group known as Lazarus was behind the attacks. That theory was backed up by researchers at Kaspersky Lab and Symantec, who also found that internet addresses used in the infrastructure of the attacks, and techniques to disguise the true purpose of the code, also matched. Symantec found evidence that early versions of WannaCry were installed on systems that also had other Lazarus malware installed. The Secret War had now struck its most serious blow, with intelligence communities across the world taking notice… and action. Obama was said to have started a programme to use cyber weaponry to diminish North Korea’s missile systems in the same way that Stuxnet and Nitro Zeus were said to have brought Iran’s nuclear weapons authors to the negotiating table. Using the “Left of Launch” strategy posited by the Missile Defence Advocacy Alliance (“The strategy is to attack by electronic embedment or through the electronic radar signatures of the threat’s command and control systems and the targeting systems of the threatening ballistic missiles”), South Korea, Western allies and the US are said to be meeting the North Koreans on this attack plane.

Meanwhile, however, the North Koreans are furiously trying to shore up their increasingly sanctions-hit economy by using another of their cyber strategies: mining bitcoins as well as hacking accounts. With the Chinese embargoing coal, Kim Jong Un is turning that spare energy to revenue use by powering his bitcoin server mines, massive operations that yield massive profits by using thousands of servers to slowly create bitcoins. With the regime strangled of the hard currency that is used to keep the loyalty of top members of the North Korean elite, bitcoin and other cryptocurrencies are seen as a strategic push by the Secret War’s orchestrators. Others have noted that three attempted robberies in 2017 of South Korean bitcoin exchanges have all the hallmarks of Unit 121 in tactic and intent. This new focus on bitcoin has led CNN to proclaim ominously that “North Korea is trying to amass a bitcoin war chest” and researchers to warn of a fiscal time bomb in the cryptocurrency space. “Sanctions against North Korea are likely to fuel their cybercrime activity,” said Bryce Boland, Singapore-based chief technology officer with FireEye. “Attacks on cryptocurrency exchanges can be a great vehicle to obtain what is ultimately hard currency.”