Information Warfare: They Phished The Wrong Guy


February 19, 2022: Over the last two decades North Korea has become a major source of malicious and mercenary hacking efforts. Over the last decade North Korea concentrated its Cyber War efforts on raising cash for their bankrupt communist economy. This has long been big news in South Korea, which was one of the first targets of North Korean hackers and remains at the top of the North Korean target list. The rest of the world was seen as an endless source of victims for Internet-based attacks seeking money. While Russian and Chinese Cyber War efforts are seen as major military and economic threats, North Korea is regarded as an annoying petty thief and not worth media or government Internet protection attention.

Over the last year this attitude has changed, something demonstrated recently when an individual Internet security specialist got fed up with the lack of government or media response to the constant North Korean hacking. This was triggered by an early 2021 North Korean attack against Internet security researchers, intended to get a better sense of what this community knew and to steal whatever new security protection and testing tools (useful to hackers) were out there. One of the North Korean targets was a security specialist who later identified himself as P4x. Like many other Internet security experts, P4x had software installed that detected and blocked such hacks, and the North Korean one was no different. P4x reported the attack to the government agencies that handle such things, providing a sample of the malware the North Koreans used. Months passed and P4x heard nothing from the government. When he contacted the FBI, which investigates and prosecutes Internet-based crimes, he was told that the North Korean hack was being investigated, and nothing more. As a veteran Internet security expert, P4x knew this meant nothing was being done. So he decided to hack back, and to do it in a way that would be visible to the rest of the world. It took months of work to probe North Korean websites, servers and hacker facilities. P4x knew that North Korea had little access to the worldwide Internet and that most North Korean users were confined to an intranet that only reached websites based in North Korea.

By the end of 2021 P4x was ready to start his individual attack on the North Korean Internet. By mid-January 2022 these attacks became newsworthy because they were shutting down large segments of the North Korean Internet presence. The shutdowns only lasted a few hours, but it became obvious to Internet experts and to some reporters for publications that specialize in Internet news that the North Koreans had been hacked. This gave P4x an opportunity to contact one of these journalists (from Wired magazine) and provide proof (screenshots only the hacker would have) of how he did it and why. P4x did not disclose which North Korean vulnerabilities he had found and exploited, but did comment that it was common knowledge that the North Korean Internet and operating system were out-of-date, poorly maintained and vulnerable. P4x avoided interfering with any government-sponsored hacking operations that might be underway and took down the most visible North Korean Internet targets. P4x's efforts also generated calls from other Internet security specialists to start a joint effort. So P4x created a dark web (not accessible via search engines) website called FUNK, where Internet security specialists can discuss further actions against the North Korean menace.

This sort of thing is very popular in South Korea, which has been a frequent target of North Korean Cyber War campaigns. This includes infrastructure attacks against targets like South Korean nuclear power plants, which generate about a third of its electricity. The first North Korea attacks against the nuclear plants were traced back to servers in northeast China. South Korea tried to persuade China to crack down on North Korean hackers using servers in China. South Korea is a major supplier of nuclear power plant components to China and in 2016 sold China a complete nuclear power plant. China had its own priorities and refused to crack down on the North Korean hackers.

North Korean attacks often demonstrate new methods of getting past security. One example was smishing, a two-step process similar to phishing. What both methods have in common is the exploitation of human error. This approach is frequently used for Internet attacks against specific civilian, military and government individuals, relying on psychology rather than just technology. Phishing is often carried out in the form of an official-looking email, with a file attached, sent to people at a specific military or government organization. It is usually an email they weren't expecting, but from someone they recognize. This is known in the trade as "spear phishing." The attachment, if opened, secretly installs a program that sends files and information from the email recipient's PC to the spear phisher's computer. Smishing does not try to deliver malware in the first message but simply gets the recipient to reply to it. The hackers then respond with a message that does contain the malware. This sort of cleverness is seen as the sort of thing the North Koreans would develop. North Korean hackers have been increasingly successful at launching Internet-based attacks in South Korea.
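As an added example (not from the article), here is the two-step smishing pattern described above, written from the defender's side as a detection heuristic that correlates the messages in a conversation: an unsolicited first message with no link or attachment, a reply from the recipient, then a follow-up from the same unknown sender that does carry a payload. The message records, phone numbers and contact list are constructed sample data.

```python
import re
from dataclasses import dataclass

# Anything that looks like a link or a downloadable file counts as a payload.
PAYLOAD_RE = re.compile(r"https?://|\bwww\.|\.(apk|zip|lnk|exe)\b", re.IGNORECASE)

@dataclass
class Msg:
    ts: int               # seconds since epoch (constructed)
    sender: str           # phone number of the sender
    recipient: str        # phone number of the recipient
    text: str
    has_attachment: bool = False

def carries_payload(m: Msg) -> bool:
    return m.has_attachment or bool(PAYLOAD_RE.search(m.text))

def find_two_step_smishing(msgs, known_contacts, user):
    """Return (bait, follow_up) pairs: an unknown sender sent a payload-free
    message, the user replied, then the sender delivered a link/attachment."""
    threads = {}
    for m in sorted(msgs, key=lambda x: x.ts):
        peer = m.sender if m.recipient == user else m.recipient
        threads.setdefault(peer, []).append(m)
    hits = []
    for peer, thread in threads.items():
        if peer in known_contacts:
            continue  # only unsolicited conversations are of interest
        state, bait = 0, None  # 0: nothing yet, 1: bait seen, 2: user replied
        for m in thread:
            inbound = m.sender == peer
            if state == 0 and inbound and not carries_payload(m):
                state, bait = 1, m
            elif state == 1 and not inbound:
                state = 2
            elif state == 2 and inbound and carries_payload(m):
                hits.append((bait, m))
                state, bait = 0, None
    return hits

# Constructed sample data: one chat with a known contact, one with a stranger.
USER = "+82-10-0000-0001"
KNOWN_CONTACTS = {"+82-10-0000-0002"}
SAMPLE = [
    Msg(100, "+82-10-0000-0002", USER, "Lunch tomorrow? Menu: https://example.org/menu"),
    Msg(200, "+82-10-0000-0009", USER, "Hello, is this the duty officer? Please confirm."),
    Msg(260, USER, "+82-10-0000-0009", "Yes, who is this?"),
    Msg(300, "+82-10-0000-0009", USER, "Updated roster attached.", has_attachment=True),
]
```

A stranger who leads with a link is ordinary phishing and is deliberately not matched by this rule; it needs a separate check.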

In 2014 North Korea managed to distribute games containing spy software to over 20,000 South Korean smartphone users. The North Korean “spyware” was seeking information from banks as well as documents relating to reunification plans and defense matters. The spyware allowed the North Koreans to transfer data from the infected smartphone and secretly turn on the camera. The government quickly found a way to block this sort of thing. North Korea denied any involvement, as it usually does. But since 2000 the evidence has been piling up of increasing North Korean Internet-based espionage.

Long believed to be nonexistent, North Korean cyberwarriors do exist. North Korea has had personnel working on Internet issues since the early 1990s. Its Mirim College program has trained several thousand Internet engineers and hackers so far. North Korea has a unit devoted to Internet-based warfare, and this unit is increasingly active.

Since the late 1980s, Mirim College in North Korea has been known as a facility that specialized in training electronic warfare specialists. But by the late 1990s, the school was found to be teaching students how to hack the Internet and other types of networks. Originally named after the district of Pyongyang it was in, the college eventually moved and expanded. It had several name changes but its official name was always “Military Camp 144 of the Korean People's Army.” Students wore military uniforms and security on the school grounds was strict. Each year 120 students were accepted, largely from the elite high schools or as transfers from the best universities. Students stayed for 5 years. The school contained five departments: electronic engineering, command automation (hacking), programming, technical reconnaissance (electronic warfare), and computer science. There's also a graduate school, with a 3-year course resulting in the equivalent of a Master’s Degree. Only about a hundred or so students are allowed.

It was long thought that those Mirim College grads were hard at work maintaining the government intranet, not plotting Cyber War against the south. Moreover, for a few years North Korea was allowed to sell programming services to South Korean firms. Not a lot, but the work was competent and cheap. Because of that it was known that there was some software engineering capability north of the DMZ. It was believed that this was being used to raise money for the government up there, not to form a major Internet crime operation. Soon there was growing evidence of North Korean hackers at work in several areas of illegal activity. The Cyber War attacks apparently began around 2005, quietly and with nothing too ambitious. But year by year the attacks increased in frequency, intensity and boldness. By 2009 the North Korean hackers were apparently ready to make major assaults on South Korea's extensive Internet infrastructure, as well as on systems (utilities, especially) that are kept off the Internet.

Deceased (since 2011) North Korean leader Kim Jong Il had always been a big fan of PCs and electronic gadgets in general. He not only founded Mirim but backed it consistently. The only form of displeasure from Kim was suspicions that those who graduated from 1986 through the early 1990s had been tainted by visits (until 1991) by Russian electronic warfare experts. Some Mirim students also went to Russia to study for a semester or two. All these students were suspected of having become spies for the Russians, and most, if not all, were purged from the Internet hacking program. Thus, it wasn't until the end of the 1990s that there were a sufficient number of trusted Internet experts that could be used to begin building a Cyber War organization.

South Korea has to be wary because it has become more dependent on the web than any other nation on the planet, with the exception of the United States. As in the past, if the north is to start any new kind of mischief, they try it out on South Korea first. While many of the first serious attacks in 2009 were more annoying than anything else, they revealed a new threat out there, one that not only got worse but turned out to be from the usual suspects. Now the threat is very real and growing rapidly.



