Attacks/Breaches
1/15/2015
11:17 AM
Mike Walls
Commentary

Why North Korea Hacks

The motivation behind Democratic People's Republic of Korea hacking is rooted in a mix of retribution, paranoia, and the immature behavior of an erratic leader.

Second in a series on the motivations that compel nation-states to hack. 

The Democratic People’s Republic of Korea (DPRK) is about as far from a democratic republic as a country can get. It is certainly not a government “of” its citizens. The country has been dominated by a small group that exercises complete control over every aspect of North Korean society. Leading the handful of power brokers has been the “Supreme Leader,” a title which has belonged to three men since Korea was partitioned following World War II.

The first two “Supreme Leaders,” Kim Il-sung and Kim Jong-il, established cults of personality among North Koreans and were viewed as eccentric on the world stage. Throughout their reigns, the DPRK was involved in a number of incidents, most of which involved some form of military action intended to provoke a reaction from the Republic of Korea (ROK), and her most steadfast ally, the United States. There have been over 150 incidents between the DPRK, the ROK, and the US since the Korean Conflict. Some of those conflicts have resulted in the deaths of South Korean citizens, military personnel, and US service members.

The current Supreme Leader, Kim Jong-un, has continued his predecessors’ legacies of maintaining a large and imposing conventional military, and has established a militaristic presence in the cyberdomain. However, Kim Jong-un is somewhat hampered in his efforts to establish the DPRK as a dominant player in the cyberworld, because DPRK cyber capability is rudimentary, particularly compared to the other nations we will discuss. In spite of resource constraints, the DPRK is working hard to establish a credible cyber capability. Like the Chinese Government, the DPRK is believed to be building a cyberarmy, and it is widely known that it has invested heavily in an elite cyber espionage group called Bureau 121.

(Image: Michael Day, 'North Korea Is Best Korea,' uploaded by russavia, via Wikimedia Commons)

The motivation behind DPRK hacking is rooted in an interesting mix of paranoia and retribution. The paranoia is similar to the Chinese Government’s view of the United States as a military and economic threat because it perceives the US as meddling in Eastern Pacific affairs. In the case of the DPRK, the paranoia is amplified to the extreme. The deep distrust that the DPRK harbors toward the West and the ROK, its neighbor to the south, is rooted in the Korean Conflict, which ended with an armistice in 1953. The ROK and DPRK are literally still at war, and both countries have maintained a wartime footing since the armistice. As the aggressor, the DPRK doesn’t hesitate to provoke the ROK whenever it serves its purpose. As an example, the DPRK is alleged to have conducted cyberattacks on ROK government and media organizations, coincident with the Korean Conflict Anniversary in 2013.

The recent cyberattack on Sony Pictures is particularly interesting because it appears to go further than what we typically see from the hacktivist community. Generally, hacker groups attempt to make visible statements expressing their displeasure with an organization or government by defacing a website or temporarily disrupting business operations. In the Sony case, the group identified as the Guardians of Peace, and allegedly affiliated with the DPRK, was responding to a discrete event and identified a specific desired short-term outcome, i.e.: Don’t release the movie The Interview. This was a remarkable and unprecedented demand facilitated in cyberspace.


North Korea’s response to the release of the movie was both impulsive and excessive by democratic standards. But the response is not surprising given the previous erratic and adolescent behavior of Kim Jong-un. (Anyone who enjoys the antics of Dennis Rodman can’t possibly be mature enough to lead a country -- I had to say it.) It is as if the Supreme Leader, by proxy, lashed out on a playground like a young child, “getting back” at a playmate for name-calling. In this case, the “lashing out” is the hack, and “getting back” is Sony’s harsh economic loss. Generally unknown, the Guardians of Peace allegedly drove the behavior of a major motion picture corporation and successfully disrupted the corporation’s business operations. In military parlance, that’s called a soft kill, which can be every bit as effective as a hard kill.

Perhaps most interesting, and at the same time most concerning, is the notion that the Sony hack was an act of terrorism, which reasonable people may conclude. The FBI defines terrorism as “an act that appears to be intended to intimidate or coerce a civilian population; and to influence the policy of a government by intimidation or coercion.” If we substitute the word “corporation” for “government” in the definition, we have a terror act intended to intimidate and coerce the Sony Pictures Corporation into ending distribution of the movie. While we can’t say with certainty that the Sony hack was actually an act of terror, the event may have validated the idea that terrorism in the cyberdomain can be successful, a point that won’t be missed by terror groups.


Mike Walls is the Managing Director of Security Operations at EdgeWave. During his time as a captain with the US Navy, he was commander of Task Force 1030 and was directly responsible for the cyberreadiness of more than 300 ships, 4,000 aircraft, and 400,000 Navy personnel. ...
Comments
Technocrati,
User Rank: Ninja
1/19/2015 | 1:55:38 PM
Re: North Korea and Sony: Asking the Wrong Questions ?

Sony hack could be a blueprint for terrorism in the cyber domain.

@Mike I do agree. Sony's ineptness has opened a whole new world of possibilities. Instead of panic, actual leadership skills were needed and those at the top of Sony's Film Division came up short.

It really is discouraging to see individuals (Sony Entertainment Management) who earn a considerable amount of money show they are not worth it. Of course Sony is not alone - but they certainly subscribe to the philosophy that "you don't have to really know what you are doing to be paid well". The top management at Sony are prime examples of the "corporate disconnect" that has been fostered for the past two decades (at least).

So now Sony becomes a textbook case for many things, just add "What not to do with cyber blackmail" to it.

Just don't tell Sony - they will want licensing and residuals from it.

Technocrati,
User Rank: Ninja
1/19/2015 | 1:45:00 PM
Re: North Korea and Sony: Asking the Wrong Questions ?

"..With regard to the Sony hack, assuming the FBI is correct (I have no reason to think they aren't), then my thought is that the leader of North Korea is lashing out at Sony for producing the movie in question."

@Mike Thank you for the clarification. Well I am not so quite persuaded by the FBI's claims, which are at best obvious and at worst "a little late" as well. This is a multifaceted issue of course but even this basic point is up for some debate.

But since you have no reason not to believe the FBI then I can understand your premise and the resulting argument that comes from it. Not that I agree of course but at least I understand your position.

mwallsedgewave,
User Rank: Author
1/18/2015 | 9:31:08 PM
Re: North Korea and Sony: Asking the Wrong Questions ?
The intent of the blog is to suggest possible motivations behind North Korean cyber activity. With regard to the Sony hack, assuming the FBI is correct (I have no reason to think they aren't), then my thought is that the leader of North Korea is lashing out at Sony for producing the movie in question.

Regarding this being an act of terror, I'm only suggesting that the Sony hack could be a blueprint for terrorism in the cyber domain. Whether intended as terrorism or extortion, whoever is behind the hack has demonstrated an ability to make a major corporation capitulate to specific demands. The point I am making is that terror groups are watching, and are learning from the hack.

I hope that clarifies things a bit and I thank you for the comments!

Technocrati,
User Rank: Ninja
1/18/2015 | 9:17:24 PM
North Korea and Sony: Asking the Wrong Questions ?

I am not sure what to conclude from this Blog, the act against Sony was an act of terror? The reason N. Korea responded was because their leader is immature? What was the motivation? You mentioned nothing about Sony which does bear some (and some might argue most) of responsibility for their breach.

I must have missed the point of this Blog because I don't get the point at all.

mwallsedgewave,
User Rank: Author
1/16/2015 | 12:19:33 PM
Re: Future Forecast
In traditional warfighting we think of kinetic capabilities as those that result in obvious physical damage, e.g. bombs destroying buildings. While cyber capabilities can certainly create damaging physical effects on networks, military professionals tend to view cyber as a non-kinetic capability, essentially because we don't see things blowing up when cyber is employed.

However, understanding of the cyber environment is rapidly changing. By that I mean, military professionals are beginning to understand where the cyber domain fits in the group of traditional warfighting domains (land, sea, air).  My thought is that we will get to the point very soon where the cyber domain is recognized in the same way as the traditional warfighting environments, and at that time the term kinetic will mean something different. I hope that helps.
Marilyn Cohodas,
User Rank: Strategist
1/16/2015 | 8:01:51 AM
Re: Future Forecast
So the question I see is...what do alliances really mean in the Cyber world?

Excellent point -- and an issue that is very much TBD.

I'm also curious about your use of the word "kinetic." Wondering if you could explain to a neophyte what you mean by kinetic in this context. 
mwallsedgewave,
User Rank: Author
1/15/2015 | 5:33:24 PM
Re: Future Forecast
That's a great question and a topic worth exploring in its own right!

The question is interesting because we tend to view "alliances" in a military context.

In the modern era we have formal treaties like the North Atlantic Treaty Organization (NATO), the "Five Eyes" (an intelligence focused alliance between the US, UK, Canada, Australia and New Zealand), and the South East Asia Treaty Organization (SEATO) to name a few.

If we look at Nations that we (the "Free World") have in recent history (70 years) viewed as adversaries, the picture is a little less clear but we can still discern informal alliances by actions of countries on the geo-political scene. For instance, we know that the Russians are cooperating with the Iranians on nuclear capability; we know that the Iranians and the North Koreans have traded military arms; we know that when there is an international incident, we can generally anticipate how the permanent members of the UN Security Council (the countries with veto power) will vote. Typically we see the US, UK and France aligned to one point of view, and Russia and China aligned with an opposing point of view.

So why is this interesting...In the kinetic world, the rules of the game are relatively clear. If Country A attacks Country B, and there is a formal military alliance or implied relationship between them as I've described above, the choices are clear for countries aligned with the Countries in question. In other words, if Germany were attacked by a conventional military force, member countries of NATO would be obligated to come to the defense of Germany. In less formal relationships we can't be certain of how a particular country will react, but there is a higher probability that countries in those relationships will respond militarily if one partner is attacked.

In the non-kinetic world, the Cyber Domain, we have already seen how the picture is much less clear. Imagine if a country attacked a major US corporation, on US soil, with conventional weapons (think the SONY attack with bombs). It is reasonable to assume that the US would have responded to the attack militarily. Fast forward to 2014...same scenario but a cyber attack rather than bombs. The response was much different. Sanctions, condemnations, and political posturing...no clear cyber response by the US.

So the question I see is...what do alliances really mean in the Cyber world?
Marilyn Cohodas,
User Rank: Strategist
1/15/2015 | 4:16:13 PM
Re: Future Forecast
I suppose you will get into this in the remaining installments of the series, but curious. Are there many alliances between nation-state threat actors?
mwallsedgewave,
User Rank: Author
1/15/2015 | 3:56:08 PM
Re: Future Forecast
Thanks and great questions!

We know that China has maintained a relationship since the Korean Conflict, so it is possible that the 2 countries could collaborate on cyber activities targeting entities that each country may see as either threats, or rich targets of opportunity.  But here is a point to think about...

We know that the Chinese Government has been targeting other Nations for quite some time (reference my last piece on China). But the question is, "why would China risk what has arguably been a tremendous record of successful exploitation in the cyber domain, by partnering with what is widely considered as a Country with unsophisticated cyber capability, and a completely erratic pattern of behavior on the global geo-political scene?" I think the answer is, the Chinese Government wouldn't.
swreynolds92,
User Rank: Strategist
1/15/2015 | 2:03:19 PM
Future Forecast
With all the buzz surrounding North Korea hacking Sony, and Admiral Rogers saying China has the ability to shut down our infrastructures, is it possible we could see a cyber collaboration between the two countries in an effort to cripple the US? Should we be fearful considering North Korea injected itself into a huge corporation like Sony Pictures, and China at any point can flip the switch and it seems like we'd be in big, big trouble?