Information Warfare: North Korean Sith Incentives


February 24, 2019: Yet another North Korean Cyber War attack on South Korea was recently discovered. This one involved a successful effort to hack an Android bus navigation app used in four South Korean cities. Once on the phone, the malware sent back any information found on the phone that matched one of the words on a keyword list. The nature of the words on that list indicated the malware was collecting military and political information useful mainly to North Korea. This Android malware had been in operation since August 2018 and was discovered and eliminated by the end of 2018.

South Korea believes there are more bits of North Korean malware at work, as attacks like this have been increasing for years. South Korean intelligence believes that most of these hackers are working outside North Korea, if only because the Internet connections are better. There are believed to be about 200 of these North Korean hacker cells (mainly in China, Russia and Southeast Asian nations), each with a few to a dozen personnel and usually hiding in plain sight as “employees” of legitimate firms (often set up by locals working for North Korea). These thousand or so North Korean hackers are in it mainly for the money and manage to earn nearly $100 million a year for the Kim dynasty back home. While overseas, the North Korean hackers, and their families back home, are treated well by North Korean standards. But they are not really free: special security agents are assigned to prevent any of them from escaping. Those North Korean hackers who do make it out alive are declared traitors and efforts are made to hunt them down and kill them. Meanwhile, their families back home are punished severely and many, if not most, will die. Some of these hackers have apparently gotten away, but no one is revealing any details. There is still a reward for the death of these traitorous hackers, and apparently there is no expiration on the offer as long as the escaped hacker lives.

These hackers are part of a growing network of North Korean specialists and secret police agents doing all sorts of things useful for the North Korean government. In 2018 it was revealed that North Korea had established a program for foreign agents that is only open to members of the elite North Korean families. The children of these families are eligible to attend the Mangyongdae Revolutionary Academy to learn some very special skills. Graduates of Mangyongdae are the most likely to get the most senior government and military jobs when they get older. There are only about a hundred graduates a year and, for the last few years, a computer science program has provided a specialized course for Mangyongdae students seeking to become foreign agents in “enemy” countries, especially South Korea. These agents are trained to hunt down high-level defectors in foreign countries and either arrange to kill the defector or at least find out how the defector is doing, how many secrets they have divulged and, if possible, persuade the defector to shut up or even return to North Korea. To accomplish this, the Mangyongdae students are taught the latest hacking techniques, what tools and mercenary hackers are available in the hacker underground, and how to use those tools and local mercenaries to put together specialized efforts to track down defectors and monitor them. This means the Mangyongdae agents must be able to pass as South Koreans (speak with a South Korean accent, know the customs and slang) and assume a false identity convincingly.

As important as all these skills are, the most important requirement is loyalty to North Korea. The Mangyongdae agents go after the growing number of high-level North Koreans who are illegally leaving the country. The agents are trained to use social media to seek out known or suspected defectors, make contact and obtain more information about them.

In addition to tracking down high-caste defectors, the Mangyongdae-level agents are also assigned to monitor the loyalty of North Korean hackers working outside North Korea. North Korean defectors have revealed much about how North Korea has managed to establish and maintain hacking operations outside North Korea and make a lot of money for the cash-hungry North Korean government. This became a higher priority operation in the last few years because of the growing list of economic sanctions imposed, while at the same time there were more opportunities for Internet-based misbehavior. Some of these defectors were associated with the North Korean hackers who are, it turns out, mostly based outside North Korea because Internet access is better and operating outside North Korea makes it easier to deny that North Korean hackers are engaged in illegal activity. South Korea has obtained a lot of details about the North Korean hacker operations and has even allowed some defectors familiar with those operations to speak openly about them. Obviously, many of these North Korean hackers are not as loyal as they are supposed to be, and something must be done to identify and punish those who defect and expose how the hacker program works.

The Mangyongdae agents are also trained in the usual methods of secretly contacting “the center,” usually via North Korean operatives based outside of North Korea who are able to relay messages to and from North Korea itself. The skills North Korean hackers have developed are world class and increasingly difficult to counter or even detect. But this edge in skills and techniques depends on having loyal operatives in key positions, hence the importance of the Mangyongdae agents. The Mangyongdae agents are apparently expected to spend a few years overseas, mainly to prove that they have the temperament to acquire needed skills and accomplish a difficult mission. Once back in North Korea, these proven Mangyongdae agents face a brilliant future in the North Korean bureaucracy because they have not only proved their loyalty but also achieved exemplary success in a difficult situation.

One of the most difficult tasks for North Korean intel and security people is managing software specialists working outside the country. The North Korean hacker force consists of about 6,800 personnel, but only a quarter of these have the software programming or engineering skills that enable them to develop and carry out the hacks. The rest are support staff, including many security personnel who monitor hacker activities to ensure loyalty and productivity. Over the last few years, more and more of the hackers have been assigned to money-raising operations rather than intelligence collection (spying). North Korea needs cash more than secrets and, as a result, each of these hackers has been bringing in about $100,000 a year in much-needed income for North Korea. Alas, the hackers, like most North Koreans working abroad, see little of that money. This does not inspire loyalty or the resolve to resist the temptation to defect. The overseas hackers are well aware of how much better life is outside North Korea, but while these hackers are aces at the keyboard they are much less capable when dealing with the Mangyongdae agents and other secret police personnel assigned to keep them working and prevent escape.

Most of the foreign operations are in China, where the hackers and their support staff live in Spartan conditions and are closely watched. These hackers are aware of how much more valuable their skills would be in South Korea (where some currently are, working for South Korean software firms). Unfortunately, you risk your life (and those of your family) if you try to escape. But some have, and some still do. Basing so many of the North Korean hackers in China is partly because there is apparently an arrangement with the Chinese to let the North Koreans keep operating in return for favors. In addition to the North Koreans not hacking Chinese networks, or any foreign ones the Chinese consider off-limits, the Chinese receive cash and, more importantly, access to data the hackers obtain. Some hacks attributed to “Chinese hackers” are apparently carried out by North Korean hackers in order to pay for their continued presence in China (and for the cooperation of Chinese security forces in preventing North Korean hackers from defecting). Only the most trusted North Korean hackers are allowed to work outside of China or Russia.

North Korean hacking in general, even when a lot of it was done from North Korea, has proven to be very effective. In 2013 South Korea came up with a number (over $800 million) for the cost of dealing with North Korean cyber attacks since 2007. The list was quite detailed. The attacks in March and June of 2013 accounted for 93 percent of the total damages. South Korea has been subjected to a growing number of Cyber War attacks since 2009, and the high cost of the 2013 ones showed that the North Koreans were getting better and that South Korea was not keeping up. The 2014 operation against smartphones was the first North Korean effort of that kind; it indicated there would be more, and there were.

Long believed to be nonexistent, the North Korean cyber warriors were by 2013 clearly real and not the creation of South Korean intelligence agencies trying to obtain more money to upgrade government Information War defenses. North Korea has had personnel working on Internet issues since the 1990s, and its Mirim College program trained most of the North Korean Internet engineers and hackers. North Korea has a unit devoted to Internet-based warfare, and this unit became increasingly active as the number of Mirim graduates grew.

Since the late 1980s, Mirim College was known as a facility that specialized in training electronic warfare specialists. But by the late 1990s, the school was found to be also teaching some students how to hack the Internet and other types of networks. Originally named after the district of Pyongyang it was in, the college eventually moved and expanded. It had several name changes, but its official name was always “Military Camp 144 of the Korean People's Army.” Students wore military uniforms and security on the school grounds was strict. Each year 120 students were accepted (from the elite high schools or as transfers from the best universities). Students stayed for five years. The school contained five departments: electronic engineering, command automation (hacking), programming, technical reconnaissance (electronic warfare), and computer science. There was also a graduate school, with a three-year course (resulting in the equivalent of a master's degree) for a hundred or so students. The Mirim program has been modified since 2015 and is believed to be producing more graduates each year and in a growing number of specialties. Mirim graduates were key to getting the Mangyongdae program going.

It was long thought that those Mirim College grads were hard at work maintaining the government intranet, not plotting Cyber War against the south. Moreover, for a few years, North Korea was allowed to sell programming services to South Korean firms. Not a lot, but the work was competent and cheap. So it was known that there was some software engineering capability north of the DMZ. It was believed that this was being used to raise money for the government up there, not to form a major Internet crime operation. But by 2016 there was tangible and growing evidence of North Korean hackers at work in several areas of illegal activity. The Cyber War attacks apparently began around 2005, quietly and with nothing too ambitious. But year by year, the attacks increased in frequency, intensity, and boldness. By 2009, the North Korean hackers were apparently ready to make major assaults on South Korea's extensive Internet infrastructure, as well as on systems (utilities, especially) that are kept off the Internet.

Deceased (since 2011) North Korean leader Kim Jong Il had always been a big fan of PCs and electronic gadgets in general. He not only founded Mirim but backed it consistently. The only form of displeasure from Kim was the suspicion that those who graduated from 1986 through the early 1990s had been tainted by visits (until 1991) from Russian electronic warfare experts. Some Mirim students also went to Russia to study for a semester or two. All these students were suspected of having become spies for the Russians, and most, if not all, were purged from the Internet hacking program. Thus, it wasn't until the late 1990s that there was a sufficient number of trusted Internet experts who could be used to begin building a Cyber War organization.

South Korea has to be wary because it has become more dependent on the web than any other nation on the planet, with the exception of the United States. As in the past, whenever the north starts any new kind of mischief, it tries it out on South Korea first. While many of the first serious attacks in 2009 were more annoying than anything else, they revealed a new threat out there, one that not only got worse but turned out to be from the usual suspects. Now the threat is very real and growing rapidly.