Cyber Threat posed by North Korea and China to South Korea and US Forces Korea

Steve Sin i

May


Acknowledgement. Thanks to Mrs. Hwa-young Sin (ABD) of Seoul National University and Dr. Horace Jeffery Hodges of Ewha Womans University for wonderful recommendations and sharp critiques that contributed greatly to the improvement of this paper.

Abstract: Recent cyber attacks on the US and the Republic of Korea’s government agencies, research institutes, private companies, and infrastructure have created significant cause for concern among the government officials and the computer security experts of both countries. Located in the heart of Northeast Asia, the proving ground for cyber-warfare (CW), computer networks of the United States Forces Korea (USFK) are ripe targets for the region’s CW organizations. The Yonhap News Agency reported on May 5th that the US military, after years of tracking which countries accessed them the most, has found that users inside North Korea logged onto US military websites and networks most frequently. This paper explores the CW capabilities and developments of North Korea and China in an effort to ascertain possible threats posed against the US entities and interests in the region.

Keywords: cyber-warfare, CW, cyber attack, US Forces Korea, Republic of Korea, North Korea, China, hacking, hacker, cyber spy

Steve Sin is a Major in the US Army currently assigned as the Senior Analyst of Open Source Intelligence Branch, Directorate of Intelligence, US Forces Korea. The views expressed in this paper are those of the author and do not necessarily reflect the official policy or position of the US Forces Korea, the Department of the Army, the Department of Defense, or the US Government.



The April 21st edition of the Wall Street Journal carried a report about computer spies originating from China penetrating the US Defense Department networks to steal information about the Pentagon’s Joint Strike Fighter project as well as the US Air Force’s air traffic control system. 1 These revelations follow another recent WSJ report that hackers from abroad were able to infiltrate the computers used to control the US electrical-distribution system as well as other infrastructure. 2

Photo caption: Spies are said to have stolen data on the F-35 Lightning II fighter. Here, the plane undergoes flight testing over Texas. (Photo: courtesy of US Air Force)

Attacks like these – or US awareness of them – on the US Defense Department, other government agencies, and US infrastructure, as well as what was revealed in the US-China Economic and Security Review 2008, have created significant cause for concern among the US government officials and the computer security experts. The most recent cyber attacks use strains of computer viruses, logic bombs, and other advanced techniques that can paralyze computer and communications networks.

Located in the heart of Northeast Asia, the proving ground for cyber-warfare (CW), computer networks of the USFK are ripe targets for the region’s CW organizations. The Yonhap News Agency reported on May 5th that the US military, after years of tracking which countries accessed them the most, has found that users inside North Korea logged onto US military websites and networks most frequently. This paper explores the CW capabilities and developments of North Korea and China in an effort to ascertain possible threats posed against the US entities and interests in the region.


Cyber-Warfare Developments of Potential Adversaries in the Region.

No one should assume that adversaries lack the sophistication to take advantage of software vulnerabilities. Asia has emerged as the proving ground for CW. This is especially the case in Northeast Asia, where CW has become commonplace. As shown in the matrix below, two ii of the six potential adversaries of the US are located in Northeast Asia – China (ranked number 1) and North Korea (ranked number 4). There have been numerous open source reports on the CW capabilities and developments of these two countries – the latest of which was a report that Chinese hackers have stolen information about the F-35 Lightning II Fighter Program from the Pentagon computers 3 (a report that the Chinese government categorically denies 4 ).

Technolytics, with support from Intelomics and Spy-Ops iii , created a cyber threat matrix in 2007. It measured intent and capabilities of six potential adversaries of the US. 5

ii Although Russia is within the area of interest for USFK, this paper will only address the two Northeast Asian countries that are within USFK’s theater of operations.

iii The Technolytics Institute (Technolytics) was established in 2000 as an independent executive think tank. The institute consults for the US government, as well as governments of other nations, on information security and information security management. Intelomics and Spy-Ops are also security management consulting organizations for the US government.



Democratic People’s Republic of Korea (North Korea). North Korea reportedly set up a CW unit in the late 1980s. Open source reports refer to two different organizations – the State Security Agency’s electronic communications monitoring and computer hacking unit, reportedly located at the Korea Computer Center in Pyongyang; 6 and the North Korean Ministry of People’s Armed Forces’ (MPAF) iv CW unit, known as Unit 121 (reportedly created in 1998). Unit 121 is reportedly subordinate to the Reconnaissance Bureau, v which is directly subordinate to the General Staff Department of the MPAF. In the past, Unit 121’s staff was reported to be anywhere between 500 to more than 1,000 hackers, but the latest report from the South Korean (ROK) Yonhap News Agency is that the unit has roughly 100 hackers. vi The unit’s reported capabilities include moderately advanced Distributed Denial of Service (DDoS) capability and moderate virus and malicious code capabilities. 7

iv The Ministry of People's Armed Forces is organizationally subordinate to the state structure but is controlled by the Korean Workers Party. The ministry is responsible for management and operational control of the armed forces. Prior to 1992, it was under the direct control of the president, with guidance from the National Defense Commission and the KWP Military Affairs Department. The 1992 state constitution shifts its control to the National Defense Commission (

v The Reconnaissance Bureau is subordinate to the General Staff Department of the Ministry of People’s Armed Forces and is responsible for collecting strategic, operational, and tactical intelligence for the Ministry of the People's Armed Forces. It is also responsible for infiltrating intelligence personnel into South Korea through tunnels under the demilitarized zone and seaborne insertion (

vi The Yonhap News Agency reported on May 5, 2009, that “the General Staff of the North Korean People’s Army has been operating for years a ‘technology reconnaissance team,’ which is exclusively in charge of collecting information and disrupting military computer networks in South Korea and the US.” Although this report did not specifically identify the “technology reconnaissance team” as Unit 121, the mission, capability, and the subordination of this team suggest they are one and the same. It appears that a hacker unit of 100 is much more reasonable than 500-1,000. An April 20, 2009 JoongAng Ilbo article states that a ROK NIS official said, “We understand that North Korea has human resources specializing in hacking that number around 500-600 people.” It appears this report also points to the conclusion that rather than the Unit 121 having 500-1,000 hackers, it is more likely that 500-1,000 (or 500-600 as noted in the JoongAng Ilbo article) is the total estimated number of hackers that North Korea has in its CW “inventory.”



According to a North Korean defector who defected in 2004 and claims to have been an officer within Unit 121, the unit conducts some of its operations from a North Korean government-operated hotel called Chilbosan in Shenyang, China. Reportedly, the hackers of Unit 121 work in teams, specializing in specific targets (e.g., South Korean government agencies, US government agencies, etc.) 8

In May 04, the ROK media reported that the Defense Security Command (DSC) confirmed, for the first time, that North Korea does have a unit dedicated to hacking, and has been acquiring information from the ROK government agencies and research labs for quite some time. 9 At the ROK Defense Information Security Conference held in Jun 06, Byun Kae-jong, a researcher at the ROK Agency for Defense Development (ADD), claimed North Korea’s hacking capabilities equal that of the US CIA vii . Byun also claimed that test results, based on modeling, showed North Korea possesses CW capabilities that could inflict damage on the military networks of the US Pacific Command as well as those located in the continental US. 10 According to a media report released in Oct 05, the ROK military confirmed that in 2004, North Korea “tapped” into 33 out of 80 military wireless communications networks used by 14 different ROK units during the Corps level field exercises and the ROK-US combined Ulchi-Focus Lens exercise. 11 In Jul 06, a ROK military official stated that North Korea’s Unit 121 “has hacked into the South Korean and US Defense Department” and caused much damage to the ROK, but the military official did not elaborate further. 12

In Oct 07, North Korea tested a logic bomb containing malicious code designed to be executed should certain events occur or at some pre-determined time. The test led to a United Nations Security Council resolution banning sales of mainframe computers and laptop personal computers to North Korea; however, the resolution has not deterred the North Korean military from a continued CW weapons development program. 13

vii The ROK’s claim that North Korea’s CW capability is comparable to that of the US CIA has been disputed by US experts. According to some US experts, although online attacks from North Korea could pose a threat, the ROK's assessment of North Korea’s cyber warfare capability may be an overestimate. John Pike, director of, which maintains an online guide to North Korea's military, said in an e-mail interview with The Korea Times in Jun 04 that he would be surprised if the North did not operate a contingent of hackers. “It is an obvious thing to do and is not that hard to do,” Pike said. “The North can build atomic bombs and long-range missiles. Computer hacking is easier than (making) an atomic bomb or a missile.” Peter Hayes, executive director of the Nautilus Institute, which published a study on North Korea's IT aspirations in 2002, echoed Pike's remarks. “Clearly, there is an excellent programming capacity in the DPRK, including highly commercial and competitive capabilities,” Hayes said in another e-mail interview. “Obviously, the DPRK will be concerned both to counter cyber warfare directed at their intra-nets and to take the cyber-offensive during wartime. Thus, it would be prudent to assume that they have such a capacity.” However, both experts rejected the claim by the ROK DSC that North Korea’s hacking unit is comparable to that of the US CIA. “This is an exaggeration since North Korea is a small and poor country,” Pike said. Hayes also doubted that North Korea had such high-powered capabilities due to its closed culture and its lack of technology, resources, and applied experience. “In a net assessment, cyber-warfare capabilities must be linked as a multiplier to other defensive and offensive capacities in which regard North Korea is inferior in almost all respects,” Hayes said.


In Sep 08, the ROK government accused North Korea of attempting to conduct cyberespionage against the ROK military by sending an email to a ROK Army colonel tainted with a Trojan horse virus. The ROK Ministry of National Defense (MND) announced that the networks and classified information were not compromised. The spokesman for the ministry stated “North Korea has attempted to hack the military system for quite a long time . . . . North Korea is known to be developing people capable of hacking.” 14

The ROK Prime Minister, Han Seung-Soo, told the ROK ministers in a cabinet meeting in Oct 08 that the cyber threats from China and North Korea are very serious and called on the cabinet to take appropriate action. The ROK National Intelligence Service (NIS) reportedly told the Prime Minister, in one of its reports, that about 130,000 items of the ROK government information had been hacked since 2004. The NIS stated that the compromised items were extracts of government documents that were restricted but not “highly confidential.” It did not mention, however, how many of the 130,000 items were suspected of being hacked by North Korea. 15

The ROK DSC confirmed in 2004 that North Korea also uses about 26 internet web sites, run directly by the North Korean government or other pro-North Korean organizations, to promote the regime and other political propaganda. The DSC also said that, through these websites, North Korea sets forth guidelines for its espionage agents operating abroad. 16

People’s Republic of China (China). Among the six potential adversaries of the US (as with the Technolytics Institute’s Cyber Threat Matrix), China has the most extensive and most tested CW capabilities although the technical expertise is very uneven. China began to implement a CW plan in 1995, and since 1997 has conducted several exercises in which computer viruses have been used to interrupt military communications and public broadcasting systems. In Apr 97, the Central Military Commission established a 100-member unit to devise “ways of planting disabling computer viruses into American and other Western C2 defense systems”. 17 In 2000, China established a strategic CW unit (which US observers have called Net Force) designed to “wage combat through computer networks to manipulate enemy information systems spanning things from spare parts deliveries to fire control and guidance systems”. 18

Although it is often very difficult to attribute activities originating in China to official agencies or private netizens, Chinese CW units have been very active. Since 1999, there have been periodic rounds of attacks against official websites in Taiwan, Japan, and the US. These have typically involved fairly basic penetrations, such as defacing websites or crashing servers using denial of service (DS) programs. More sophisticated Trojan horse programs were used in 2002 to penetrate and steal information from the Dalai Lama’s computer network. 19 Trojan horse programs camouflaged as Word and PowerPoint documents have been inserted in computers in government offices in several countries around the world. 20 Portable, large-capacity hard disks, often used by government agencies, have been found to carry Trojan horses which automatically upload to Beijing websites everything that the computer user saves on the hard disk. 21 Since the late 1990s, the People’s Liberation Army (PLA) has conducted more than 100 military exercises involving some aspect of CW although the practice has generally exposed substantial shortfalls. 22

In Aug 99, following a spate of cross-Strait attacks against computer networks and official websites in Taiwan, the Taiwanese MND in Taipei announced that the MND had established a Military CW Strategy Policy Committee and noted that “we are able to defend ourselves in an information war.” 23 In Jan 2000, the Director of the MND’s Communication Electronics and Information Bureau announced that the Military CW Strategy Policy Committee had “the ability to attack the PRC with 1,000 different computer viruses.” 24 In Aug 2000, Taiwan’s Hankuang 16 defense exercise included training in CW, in which more than 2000 computer viruses were tested. Two teams of cyber-warriors used the viruses in simulated attacks on Taiwan’s computer networks. 25 In Dec 2000, the Taiwanese MND’s Military CW Strategy Policy Committee was expanded and converted into a battalion-size center under the direct command of the General Staff Headquarters, and with responsibilities for network surveillance, defense, and countermeasures. 26 In its 2002 National Defense Report, released in Jul 02, the MND for the first time included discussion of electronic and CW units. It proclaimed Taiwan’s commitment to the achievement of superiority over the PRC in information and electronic warfare, and it ranked EW and CW ahead of air and sea defense in terms of current MND focus. It specifically cited such threatening developments by the PRC as “Internet viruses, killer satellites, and electromagnetic pulses that could fry computer networks vital to Taiwan’s defense and economy.” 27

In Nov 08, The Financial Times reported that Chinese hackers have penetrated the White House computer network on multiple occasions and obtained e-mails between government officials. The US government information security experts suspect that the Chinese government sponsored these attacks, which the Chinese government categorically denies. The Chinese cyber attacks also targeted computers at the US base in Bagram, Afghanistan, where a computer virus affected three quarters of the computers on base. The US-China Economic and Security Review 2008, submitted to the Congress, stated that China is aggressively developing its power to wage cyber warfare and is now in a position to delay or disrupt the deployment of America's military forces around the world, potentially giving it the upper hand in any conflict. The report disclosed an alarming increase in incidents of Chinese computer attacks on the US government, defense companies, and businesses. It notes that China now has both the intent and capability to launch cyber attacks “anywhere in the world at any time.” 28

In March of this year, the Information Warfare Monitor, an internet research group, said a 10-month research project on cyber spy activities originating from China has revealed that, over the period of the project, hackers based in China hacked into computer systems in 103 nations. These hackers gained access to 1,295 computer systems of foreign ministries and embassies, including Bhutan, Bangladesh, Latvia, Indonesia, Iran, The Philippines, India, Pakistan, Germany, Thailand, and South Korea. 29 The researchers said that this particular group of hackers, which they named GhostNet, was focused on the governments of South Asian and Southeast Asian nations. 30 Great Britain, Australia, the ROK, and the US have all reported purported Chinese-based hacking activities against their government networks or infrastructure between March and April of 2009. 31

Statistics on Cyber Attacks against the ROK and the ROK’s Defense against CW. The number of attacks on South Korean commercial and government websites increased markedly during 2000 and has been increasing steadily. Between Apr and Jun 04, computers at multiple ROK government institutions came under a full-scale attack from China. A total of 314 computers – including 235 computers at national institutions, Korea Coast Guard, National Assembly, Korea Atomic Energy Research Institute, Korea Institute for Defense Analyses, Agency for Defense Development, Air Force University, (former) Ministry of Maritime Affairs and Fisheries, Small and Medium Business Administration, and Education Center for Unification, and 79 computers at private companies and universities – were hacked. The ROK MND is presuming that this attack was conducted by a North Korean hacker unit operating from China. 32


In 2008, a ROK government report stated the number of attacks on 25 science and technology research centers under the ROK government was 1,632 in 2006, 1,870 in 2007, and 1,277 in 2008 as of Jul 08. According to the report, attacks by foreign hackers accounted for 64.3 percent of the total with 1,050 cases in 2006, and 60.4 percent in 2007 with 1,129 cases. Between Jan and Jul 08, the attacks from abroad accounted for 57.8 percent of the total – 738 cases. 33

On April 8th of this year, the Yonhap News Agency reported that hackers, apparently based in China, had infiltrated the ROK Ministry of Finance’s intranet in February. The ROK official told Yonhap that the investigation is ongoing and it is not known whether any information was compromised. The official said the ROK NIS believes the hackers might be “working for the Chinese government.” 34

The ROK MND and the NIS both reported in 2000 that the ROK’s armed forces should prepare for CW in the future from enemy countries and that they should consider establishing specialist units for CW. Four years after the reports, in 2004, the NIS began operating a fully functional National Cyber Security Center. 35

In 2007, the ROK, which operates similar weapon systems to that of the US, organized a 30-member CW team to take part, for the first time, in a US-led international anti-hacking exercise. To further bolster CW cooperation between the two nations, the ROK and the US militaries committed themselves to a tentative agreement to fight against cyber terrorism against their defense networks on April 30th of this year. According to the MND, the agreement seeks to facilitate the exchange of knowledge on detecting and fighting cyber terrorism. 36


Conclusion and Assessment. The CW threats of today and the future represent a new way of thinking about conflict and warfare. CW attacks are particularly dangerous because of our reliance on computers, networks, and technology. These computers control critical systems that run power plants, telecommunications infrastructure, military command and control nodes, and more. Even a cursory survey reveals that our potential adversaries in the Northeast Asian region possess highly developed CW capabilities; continue to develop new and more sophisticated CW arsenals; and have at least tested their capabilities if not already used them in actual attacks against their adversaries. Therefore, it would be prudent for one to assume that the networks of the USFK and other US government agencies in the ROK, as well as the networks of our ROK counterparts, are under constant attack. There are open source reports stating that North Korea and China have conducted CW attacks against US Department of Defense networks, but these reports lack specifics of the incidents and do not specify that these attacks were aimed at the USFK.

The US and ROK CW experts believe the recent attacks on their government networks were clear cases of state-sponsored espionage activities. Given the constant advancement of information technology, and that CW can be carried out anonymously with a high probability of success, state-sponsored CW attacks on our networks will continue to rise in frequency and sophistication.

The April 30 memorandum of agreement will serve as the basis of future cooperation between the two allies against the growing threat of CW, not only in the region but throughout the world. With this agreement, the ROK and the US have embarked on a new journey – into cyber-space – to strengthen even further our already strong relationship. Alongside our ROK partners, USFK stands ready to write a new chapter in the remarkable ROK-US blood-forged alliance.


Endnotes:

1. Siobhan Gorman, August Cole, and Yochi Dreazen, “Computer Spies Breach Fighter-Jet Project,” Wall Street Journal, 21 April 2009.
2. Siobhan Gorman, “Electricity Grid in U.S. Penetrated by Spies,” Wall Street Journal, 8 April 2009.
3. Op. Cit.
4. “China Denies Hacking US Fighter-Jet Files,” Voice of America, 23 April 2009.
5. Kevin Coleman, “World War III: A Cyber War has Begun,” Technolytics, 30 September 2007.
6. John Larkin, “Preparing for Cyberwar,” Far Eastern Economic Review, 25 October 2001, p. 64.
7. “N. Korea Has Cyber Warfare Unit Targeting S. Korean, U.S. Military: Sources,” Yonhap News Agency, 05 May 2009; Kevin Coleman, “Inside DPRK’s Unit 121,” 24 December 2007; and “North Korean Hacking Unit Collects South Korean Intelligence Confirmed,” NoCut News, 27 May 2004.
8. “Sisa Magazine 2580,” MBC, aired 29 October 2006, accessed 11 December 2008.
9. “North Korean Hacking Unit Collects South Korean Intelligence Confirmed for the First Time,” NoCut News, 27 May 2004.
10. “North Korean Hacking Capability ‘Penetrating the CIA and the Pentagon is the Standard,’” Sisa Seoul, 21 October 2005.
11. Sisa Seoul, 21 October 2005.
12. “NKorea operates cyber warfare unit to disrupt SKorea's military command: official,” The Sydney Morning Herald, 12 July 2006.
13. Kevin Coleman, “Inside DPRK’s Unit 121,” 24 December 2007.
14. “South Korea suspects North of attempted hacking,” Reuters – India, 02 September 2008.
15. “South Korea PM Warns of Hacking Threat by North Korea, China,” AFP – Hong Kong, 14 October 2008; and “130,000 Gov't Documents Hacked,” Chosun Ilbo, 15 October 2008.
16. “NORTH KOREA: North Korea operating computer-hacking unit,” The Korea Herald, 28 May 2004.
17. Ivo Dawnay, “Beijing Launches Computer Virus War on the West,” Age (Melbourne), 16 June 1997, p. 8.
18. Jason Sherman, “Report: China Developing Force to Tackle Information Warfare,” Defense News, 27 November 2000, pp. 1 and 19.
19. Christopher Bodeen, “Mainland Asks Taiwan to Stop Interference,” The Washington Times, 26 September 2002; and Doug Nairne, “State Hackers Spying on Us, Say Chinese Dissidents,” South China Morning Post, 18 September 2002.
20. Michael Goldfarb, “Outrage in Berlin Over Chinese Cyber Attacks,” The Weekly Standard, 31 August 2007.
21. Yang Kuo-wen, Lin Ching-chuan and Rich Chang, “Bureau Warns on Tainted Discs,” The Taipei Times, 11 November 2007, p. 2.
22. I-Ling Tseng, Chinese Information Warfare (IW): Theory Versus Practice in Military Exercises (1996–2005), MA Sub-thesis, Graduate Studies in Strategy and Defence, Strategic and Defence Studies Centre, The Australian National University, Canberra, March 2005.
23. “MND Sets Up Information Warfare Committee,” ADJ News Roundup, August 1999, p. 14.
24. Francis Markus, “Taiwan’s Computer Virus Arsenal,” BBC News, 10 January 2000; and Wendell Minnick, “Taiwan Upgrades Cyber Warfare,” Jane’s Defence Weekly, 20 December 2000, p. 12.
25. “Taiwan to Conduct Cyber Warfare Drills,” Jane’s Defence Weekly, 16 August 2000, p. 10; Minnick, “Taiwan Upgrades Cyber Warfare,” p. 12; and Damon Bristow, “Asia: Grasping Information Warfare?” Jane’s Intelligence Review, December 2000, p. 34.
26. Minnick, “Taiwan Upgrades Cyber Warfare,” p. 12.; and Darren Lake, “Taiwan Sets Up IW Command,” Jane’s Defence Weekly, 10 January 2001, p. 17.
27. Ministry of National Defense, Republic of China, 2002 National Defense Report, Ministry of National Defense, Taipei, July 2002; “Taiwan Prepares for Cyber Warfare,” CNN.Com, 29 July 2002; and “Taiwan Report Finds Cyber threat From China,” International Herald Tribune, 30 July 2002.
28. “Chinese hack into White House network,” The Financial Times, 06 November 2008; “Obama, McCain computers 'hacked' during election campaign,” The Guardian, 07 November 2008; “Computer Virus Hits U.S. Military Base in Afghanistan,” US News, December 2008, 28 November 2008; and Ed Pilkington, “China winning cyber war, Congress warned,” The Guardian, 20 November 2008.
29. “Chinese Hack Systems to Steal Dalai Lama’s Documents,” Indo-Asian News Service, 29 March 2009.
30. “Vast Cyber Spy Network ‘Operating from China,’” South China Morning Post, 30 March 2009.
31. “Spy Chief Fear Chinese Cyber Attack,” Sunday Times, 29 March 2009; “Chinese diplomat dismisses Australian ‘cyber espionage’ claims,” The Australian, 7 April 2009; Gorman, “Electricity Grid in U.S. Penetrated by Spies”; and Gorman, Cole, and Dreazen, “Computer Spies Breach Fighter-Jet Project.”
32. “There is a ‘CIA-Class’ Hacker Group in North Korea’s Ministry of People’s Armed Forces – the World is Currently at Cyber War,” JoongAng Ilbo, 20 April 2009.
33. Bristow, “Asia Grasping Information Warfare?” p. 35; and “More Than 1,500 Hacker Attacks a Year on Korean Research,” Chosun Ilbo, 23 October 2008.
34. “China-Based Hackers Access Finance Ministry Intranet: Sources,” Yonhap News Agency, 08 April 2009.
35. “North Korea Ready to Launch Cyber War: Report,” Computer Crime Research Center, 04 October 2004, accessed 03 December 2008.
36. Sam Kim, “S. Korea, U.S. Agree To Join Forces To Fight Cyber Terrorism,” Yonhap News Agency, 04 May 2009.

