North Korea: How the least-wired country became a hacking superpower

Editor's note: This story was first published in May 2013.

SEOUL, South Korea — This year, North Korea has been flaunting its nuclear hardware in an effort to extort concessions from the United States and South Korea.

But the tactic has failed to provoke panic for one key reason: Officials doubt that Pyongyang would be stupid enough to start a nuclear war.

While nukes are better seen than used, and thus of limited blackmail value, dictator Kim Jong Un possesses a quieter weapon that’s more readily unleashed — and has already become a serious nuisance: cyber war.

Experts say Pyongyang typically deploys it about once a year, although it’s not always clear that North Korea is behind the attacks.

The most recent offensive hit Seoul in April 2013. The strike disabled anti-virus software, brought down ATMs across the country and froze online banking systems for days. About 30,000 computers had their hard drives wiped and went dead.

In an Austin Powers-style twist, the malicious software displayed pixilated skulls on the monitors of infected machines.

After initially saying the strike originated in China, officials tracked it to a specific Pyongyang neighborhood. A month before the assault erupted, they said, hackers had quietly planted a simple but devastating software program on computers at three South Korean television broadcasters and three banks. Authorities identified the code as a hard-drive wiper called “DarkSeoul,” first identified a year ago.

Although this type of virus is relatively simple and has been around since the early 1980s, experts acknowledged that its impact was devastating. A computer security expert from Cisco, Seth Hanford, wrote that the “highly targeted” attack led to significant downtime and a “severe” loss of data.

On April 12, North Korea denied it was the culprit, but the South has maintained the accusation.

Although North Korea is among the poorest and most isolated countries, it is surprisingly adept at hacking — a testament to how dangerously accessible cyber warfare is to anyone that wants to pursue it.

Training a cyber brigade, it turns out, does not demand high levels of tech sophistication, and is a handy way to pester a far stronger foe.

A convenient arsenal

On the Korean battlefield — which remains manned 60 years after the end of the shooting war that divided the Koreas — the North is indisputably outgunned and outmaneuvered. That fact has led Pyongyang to adopt a modified guerrilla warfare strategy. As the Pentagon described it in a May report to Congress: “North Korea uses small-scale attacks to gain psychological advantage in diplomacy and win limited political and economic concessions.”

In the 1970s and 1980s, Pyongyang sent agents on risky operations to sabotage South Korean targets and hijack one South Korean civilian airliner. In November 2010, the north launched an artillery barrage at an island near the DMZ, and sunk a South Korean naval corvette in March 2010, leaving 46 South Korean sailors dead.

Strikes like these, however, can provoke dangerous retaliation. In contrast, cyber warfare supports the nation’s military strategy, and carries less risk.

A digital offensive requires a “very low developmental cost and can bring catastrophic results,” said Hyeong-wook Boo, an analyst at the Korea Institute for Defense Analyses, a think tank in Seoul. “The North Korean espionage team sees cyberspace as a very favorable place for its activities.”

The threat has been looming since the late 1990s, when North Korea unleashed its first basic denial of service (DDoS) attacks on its neighbor. Since then, the computer plots have become somewhat more sophisticated, targeting South Korean banks and businesses with malware and throwing the occasional wrench in the markets.

According to the National Intelligence Service, South Korea’s spy agency, the north was probably behind six cyber attacks from 2008 to 2012. Two of the largest came in 2009 and 2011, when Seoul accused the North of sneaking malware into its biggest banks and attacking government websites.

In the first of these, the US was also a key target.

Starting on July 4, 2009, hackers activated a “botnet” of 50,000 hijacked zombie computers to coordinate three waves of assaults targeting the public websites of the Pentagon and White House. The denial of service attacks also disrupted the websites of the South Korean intelligence agency and a major South Korean newspaper, but did not bring them down completely.

Two years later, Seoul accused North Korea of unleashing a far stronger salvo of denial-of-service attacks on government and banking cyber-networks. The South Korean government said that North Korean hackers had gained control of the laptop of an IBM employee, who was a cyber security contractor for the large Korean bank, Nonghyup. (IBM did not respond to calls seeking comment.)

The sleuths managed to access the company’s entire banking system. The attack was contained by government-backed antivirus programs, but authorities admitted they were worried by the magnitude of the onslaught.

The March, 2011 attack turned out to be the most devastating so far. The episode, if committed by the North Korean military, demonstrated that while North Korea still hasn’t reached an incredible sophistication in its hacking brigade, it still has the potential to wreak havoc with a well-placed and well-timed assault.

“They targeted the spots they’ve always wanted to target,” said Andrei Lankov, a North Korea expert at Kookmin University in Seoul. “It is highly likely that this was committed by North Korea. They hit the banks, because they’ve always want to inflict damage on the South Korean economy. Their reason for attacking the media was to show contempt for them as mouthpieces.”

Un-wired

Remarkably, Pyongyang has emerged as a major force in digital war despite being a cyber exile.

According to World Bank statistics, internet use in North Korea is the lowest in the world, at 0 percent of the population. Rounding error renders that figure slightly misleading: The regime does in fact dole out global internet access to trusted cadres. Experts estimate that the number of users is in the hundreds.

Owning a private computer is banned, but the regime has distributed about 4 million computers to its 24.4 million citizens, who are allowed to access a handful of closed-off intranets closely vetted by the government, using its own operating system, called “Red Star.”

There’s only one internet café, in Pyongyang.

How North Korea conjures a skilled cyber brigade from its decidedly unwired ranks is impossible to know for certain, but experts have pieced together a picture based on reports from refugees and on the methods used to infiltrate southern computer systems.

The North Korean military runs a cyber warfare command officially known as “Unit 121,” reporting to the all-powerful General Bureau of Reconnaissance, alleges the North Korea Intellectuals’ Solidarity, a group of professors and intelligentsia who have escaped to the South.

The reconnaissance body is the north’s top spy agency, thought to have masterminded a line-up of conventional and cyber strikes on the south. Its chief, General Kim Yong-chol, is believed to have devised the sinking of a South Korean corvette.

The size of the cyber brigade and the nature of their work remain a matter of debate. Kim Heung Gwang, a former computer science professor in Pyongyang and head of the defectors’ group, told GlobalPost that Unit 121 consists of two otherwise-nondescript buildings in a suburb of Pyongyang. Other defectors have said the North Korean military harbors between 500 and 3,000 battle-hardened techies in the unit.

The regime takes notice of children who show mathematical talent, and gives them rigorous training at elite elementary and middle schools, defectors say. The brainy sprats later make their way to elite North Korean universities – such as Kim Il Sung and Kim Chaek University of Technology — from which they are formally recruited into elite cyber circles.

Not all of the computer students go on to the military. Many prodigies end up serving their country in less sinister ways. Some eventually join a handful of semi-public firms, such as one German-started foreign company, Nosotek, which programs mobile phone applications, earning excellent wages by North Korean standards.

But a lot of them prefer crafting viruses, hoping that it will land them lucrative jobs among the power elite, reports the North Korean news blog New Voices International, a website that interviews defectors.

At least one hacker has defected to the south by way of Southeast Asia in late March 2013, according to the South Korean government. (GlobalPost’s efforts to contact the hacker through two defector organizations were unsuccessful.)

Most refugees are poor, or come from backgrounds that are politically disfavored in the far north, where a nationwide caste system, known as songbun, prevails. The hackers, on the other hand, live well, in communal homes that are luxurious by North Korean standards, according to the Intellectuals’ Solidarity. Because they live comfortably they have less reason to flee.

But others contend the North Korean cyber threat is actually a paper tiger. Joo Seong-ha, a North Korean refugee and journalist, wrote in the conservative newspaper, Dong-a Ilbo, that the country is home to 10 teams of five or fewer cyber-warriors each. He also said that, according to his own interview with a hacker who defected, aging conservative leaders hardly offer them support because they don’t grasp the concept of cyber-warfare.

The source claimed that the regime sends 10 computer engineers each year to study in India, a coveted destination for training. While many see North Korea as an isolated state, it is common for the government, and organizations affiliated with top leaders, to send citizens overseas for all sorts of goodwill exchanges and even art projects. 

Seoul’s cyber defense

For years, experts have urged the South Korean government and private companies to step up the protection of their IT systems.

By some measures, South Korea tops Asian countries in prevalence of computer viruses and malware. In April 2013, Microsoft reported that South Korea had the highest number of computers reporting the detection and removal of malware using its antivirus software.

To hold off incursions from the North, Seoul recently announced it was improving security at its 23 nuclear power plants by separating their networks from the internet — a key step in preventing such a utility from being brought down by hackers.

The US and South Korea have also announced a new cyber-defense counterstrategy, but have refrained from disclosing the details. “The US and South Korean militaries will cooperate to develop diverse deterrence scenarios against hacking attacks and increase anti-cyber warfare forces to over 1,000 to better deal with emerging threats from countries like North Korea,” a defense ministry spokesman told IDG News Service in Seoul.