Information Warfare: The Mysterious Matriculates of Mirim and Moranbong


July 26, 2009:  Starting on this past July 4th, Internet based attacks began on government and military web sites in South Korea and the United States. These attacks continued, intermittently, for another two weeks. At first it was believed these DDOS (distributed denial of service) attacks came from North Korea. These attacks were carried out by first using a computer virus (often delivered as an email attachment), to install a secret Trojan horse type program, that allows someone else to take over that computer remotely, and turn it into a "zombie" for spamming or DDOS (distributed denial of service) attacks to shut down another site. Researchers were able to trace where some of the DDOS attacks appeared to come from, and where the zombie software installed was controlled from.

There are millions of zombie PCs out there, and some of these can be rented, either for spamming or lunching DDOS attacks. Anyone with about $100,000 in cash, including North Korea, could have carried out the recent attacks on South Korean and U.S. government sites. You can equip a web site to resist, or even brush off, a DDOS attack, and some of those attacked were prepared. But others were not. To date, researchers have been unable to prove that the attacks actually came from North Korea. It appears that the attacker was an amateur, but someone who was a fan of North Korea. There are many of these people in South Korea, Japan and elsewhere in the West.

Even before July 4th, South Korea reported that attacks on their military and government data networks were up 20 percent this year, with hundreds of serious attempts each day, to hack in and steal defense secrets. More North Korean locations are showing up as the source of these attacks. This appears to solve the growing mystery about what the mysterious North Korean Cyber War units are up to.

For the last five years, one of the enduring questions among computer security people was, "where are the mysterious, elite North Korean hackers?" For nearly two decades, the South Korean media has been reporting on the cyberwar capabilities of North Korea. Initially, this revolved around activity at Mirim College, a North Korean school that, since the early 1990s, has been training, for want of a better term, computer hackers. In 1997, North Korea established Moranbong University, to produce even more elite Internet espionage experts. This school is small, accepting only 30 students each year, for a five year program of computer and military subjects. About a hundred cyberwar experts, all military officers,  are graduated from Mirim College each year.

North Korea is supposed to have, at present, a cyberwar unit of nearly a thousand skilled hackers and Internet technicians. South Korean intelligence believes the North Korean have a unit of at least a hundred very good hackers who have been ordered to scout out the South Korean government and military networks.

It was long thought that it was more likely that those Mirim and Moranbong grads were hard at work maintaining the government intranet, not plotting cyberwar against the south. Moreover, North Korea has been providing programming services to South Korean and Chinese firms. Not a lot, but the work is competent, and cheap. So there is some software engineering capability north of the DMZ. But now there is the growing evidence of North Korean hackers at work.

The mystery angle shows up when you try to find any incidents of North Korean hackers actually doing anything. That could be construed as particularly ominous. Only the most elite hackers do their work without leaving behind any tracks, or evidence. Some have maintained that, because North Koreas Internet connections come from China, the North Korean cyberwarriors could be cleverly masquerading as Chinese hackers. However, after a decade, there should be some visible signs of North Korean hacking. It's highly unlikely that the North Korean hackers have been able to wander around the net without leaving some signs. While North Korea has produced some competent engineers, we know from decades of examining their work, that they don't produce super-scientists, or people capable of the kind of innovation that would enable North Korean cyberwarriors to remain undetected all these years. Thus some conclude that the growing number of North Korean connections are actually the result of Chinese hackers trying to make it look like the North Koreans are responsible for some of the growing number of attacks on Western targets.

So do the North Korean cyberwarriors exist, or are they a creation of South Korean intelligence agencies trying to obtain more money to upgrade government Information War defenses? North Korea probably has some personnel working on Internet issues. North Korea probably has a unit devoted to Internet based warfare. But we know that North Korea has a lot of military units that are competent, in the same way robots are. The North Koreans picked this technique up from their Soviet teachers back in the 1950s. North Korea is something of a museum of Stalinist techniques. But it's doubtful that their Internet experts are flexible and innovative enough to be a real threat. Nevertheless, we know that, a decade ago, North Korean leader Kim Jong Il ordered that more emphasis be placed on Internet based espionage, as it was becoming increasingly difficult to set up spy networks in South Korea.

South Korea has to be wary because they have become more dependent on the web than any another country other on the planet, with the exception of the United States. As in the past, if the north is to start any new kind of mischief, they will work it on South Korea first. So whatever the skill level of the North Korean hackers, they will practice on South Korea first.





Help Keep Us From Drying Up

We need your help! Our subscription base has slowly been dwindling.

Each month we count on your contributions. You can support us in the following ways:

  1. Make sure you spread the word about us. Two ways to do that are to like us on Facebook and follow us on Twitter.
  2. Subscribe to our daily newsletter. We’ll send the news to your email box, and you don’t have to come to the site unless you want to read columns or see photos.
  3. You can contribute to the health of StrategyPage.
Subscribe   Contribute   Close