Making sense of North Korea’s hacking strategy
In late September, the security company FireEye Threat Research discovered spear phishing emails sent to U.S. electric utilities “by known cyber threat actors likely affiliated with the North Korean government.”
North Korea’s isolation makes it hard for the United States to come up with an effective strategy to counter Pyongyang’s cyber attacks. The closed nature of its society means Washington has had to rely on outside sources for intelligence-gathering and the North Korean population’s limited access to the internet means that many of its cyber forces operate from outside North Korea.
A South Korean Defense White Paper noted in that North Korea had about 6,000 “cyber warfare troops.” While most fear a nuclear attack from North Korea, North Korea has consistently used cyber attacks as a distraction from its nuclear program. Since North Korea’s second nuclear test in May 2009, its cyber attacks have targeted South Korea’s critical networks every time there is a nuclear test. After its third test in February 2013, South Korean television stations and a bank suffered from the 3.20 Cyber Terror attack, known as DarkSeoul. In January 2016, when North Korea had its fourth nuclear test, there was a massive spear phishing campaigntargeting South Korean public officials.
In the midst of these many offensives, it is difficult to ascertain pattern or strategy in North Korea’s cyber attacks. But using North Korea’s assaults on South Korea as indicative of broader Pyongyang cyber strategy, the recent discovery of North Korean-origin malware in the U.S. electrical grid is likely part of an early-stage probe for weaknesses in the U.S. system. While it may be obvious that North Korea wants the ability to attack critical U.S. infrastructure, Pyongyang also wants to send a broader signal that it has the capability to penetrate American systems. Just making the international community aware of this threat could grant it leverage in any negotiations about its nuclear program.
In 2017, the South Korean Ministry of Trade, Industry, and Energy charged that hackers tried to access two South Korean state-owned electric companies, Korea Electric Power Corporation (KEPCO) and Korea Hydro & Nuclear Power (KHNP) almost 4,000 times over 10 years. Choo Mi-ae, the leader of South Korea’s ruling party, said an official KEPCO report confirmed that at least 19 of the 2013-2014 attacks on the utility originated from the North.
In December 2014, North Korean hackers leaked blueprints and test data for KHNP, the South Korean nuclear operator. The hackers, known as “Who Am I” and claiming they were protesting against nuclear facilities, leaked the information over social media, presumably to try to create public panic and to disrupt energy policies in the South.
A nationwide attack on U.S. electricity providers would be difficult given that local stations operate independently of each other, using a range of technology and, in many cases, old manual systems. That said, reconnaissance is the first step in any major attack – physical or cyber.
To tackle this threat, the United States must stop other countries from directly and indirectly supporting North Korea’s cyber attacks. North Korea accesses the outside world through a Chinese internet provider and North Korean hackers reportedly operate from inside China. A Russian company recently started providing an internet connection to North Korea and Iran provides it with equipment. There are rumors that North Korean hackers operate from countries in South and Southeast Asia. The Trump administration needs to build new relations with North Korea’s allies to weaken the activity of North Korean hackers within their territories.
Perhaps most urgently, Washington needs to determine Pyongyang’s end game. Researchers say that North Korea’s hackers netted millions from the 2016 cyber heist at Bangladesh Bank and on exchanges trading in virtual currencies like Bitcoin and Ethereum.
North Korea’s attempt to probe the U.S. power grid indicates Pyongyang is looking for a bargaining chip to gain leverage if it ever engages in any talks with Washington. As with its nuclear program, North Korea will continue to develop its cyber strategy with help from sympathetic regimes while simultaneously avoiding escalating to a “real” war against the United States. Although we still have most to fear from a nuclear attack, Pyongyang’s threats – and ability – to use its cyber strength are cause for serious concern.
This abrigded article is taken from Reuters