CyberWarfare: The Power behind DPRK

CERT-LatestNews ThreatsStrategic

Bureau 121 special cyber warriors and hard-core personnel in training at the Military College of Computer Science in North Korea.

North Korean Cyber Organization

Bureau 121 comprises around 1,800 hard-core cyber warriors. It comes under the General Bureau of Reconnaissance, an elite spy agency run by the North Korean military. Reuters contacted Jang Se-yul, who worked with them at North Korea’s military college for computer science, or the University of Automation, before defecting to the South six years ago. He stated that the Bureau 121 hackers were the most talented and best-rewarded personnel within the North Korean military.

North Korea has about six secretive organizations under the Reconnaissance General Bureau (RGB), which specializes in intelligence gathering, including cyber warfare; these shady outfits operate under the administration of the General Staff Department (GSD). The Bureau runs several front companies and has recruited foreign international businesses around the globe. Its cybernetic lab and units, especially the hard-core cyber Unit 180, are also components of the GSD, the main entity responsible for command and control of the KPA, which in turn falls under the Ministry of People’s Armed Forces (MPAF), according to an insider source. This arrangement gives the RGB an opaque, compartmentalized structure for access and control from the top of the chain of command and ensures the cyber component can conduct operations independently.
Otto Frederick Warmbier arrives at a court for his trial in Pyongyang, capital of the Democratic People's Republic of Korea (DPRK)

Understand that the RGB is impenetrable; if you dare to ignore this, you risk yourself or your colleagues being caught or killed in the process. Some of the world’s best-known and most highly organized intelligence organizations, such as the CIA, Mossad and MI6, have made multiple attempts to gain access to the central core of the RGB, but failed dismally and were publicly humiliated by North Korean intelligence, which repeatedly exposed their secret plans and activities before execution. The CIA has sent well-trained agents posing as students, journalists or tourists, but they often ended up arrested by North Korean security. Otto Frederick Warmbier, Matthew Todd Miller, Jeffrey Edward Fowle, Merrill Edward Newman: the list is endless. These are good examples for learning how tough the intelligence web in the DPRK is. Cyber organizations in the DPRK are very independent, and those inside the country focus primarily on domestic electronic surveillance and political control, or on spreading political propaganda to foreign nationals.

Recently, a US-South Korean military plan to assassinate Kim Jong Un and preparations for a potential surprise attack on nuclear sites were among the trove of classified military documents reportedly stolen by North Korean hackers. The hack comprised 235 gigabytes of military documents, and about 80 percent of what was stolen has not been identified.

Therefore, the RGB’s work has little to do with the physical activities carried out by other units for tactical support or combat operations. Bureau 121 in particular is used for foreign operations aimed at compromising networks and gathering intelligence. The unit is thought to operate primarily out of Pyongyang as well as the Chilbosan Hotel in Shenyang, China. Lab 110 is another such unit, believed to conduct technical reconnaissance, infiltration of computer networks, intelligence gathering through hacking, and planting viruses on enemy networks.

Estimates of the DPRK’s cyber force range from as few as 1,800 hackers and civilian computer experts to nearly six thousand, which would make it the third-largest cyber agency behind the United States and Russia. The estimate came from ROK intelligence in 2015. There is skepticism within the American intelligence community; this underestimation of North Korea’s cyber capabilities has been largely hyped by liberal media.

South Korea’s intelligence services, at least, know exactly the threat of the DPRK’s cyber warfare, because it works directly against the ROK’s domestic fabric on a daily basis, and they want the United States to treat DPRK cyber threats as a priority. Regardless, there is a shortage of concrete knowledge about DPRK cyber organizations, compounded by the nature of the DPRK’s secrecy. North Korea has divided its networks into two components, a domestic intranet and normal Internet access, to avoid detection from outside. Only government and military agencies can access the outward-facing network, routed through China, which hackers use to conduct cyberattacks. The other component, the Kwangmyong, is a monitored intranet of government-selected content. The use of Chinese networks and other countries’ IP addresses to access the global Internet gives DPRK hackers a buffer to deny responsibility for their intrusions and attacks. Moreover, they can safely conduct outbound attacks while avoiding inbound attacks from the ROK or the United States. Relying on third parties’ or vassal states’ networks for outward Internet access also makes DPRK cyber operations dependent on continued cooperation from China and other partners.

The DPRK has developed both offensive and defensive cyber capabilities. Few DPRK systems or networks, if compromised, would reduce its war-fighting capabilities, especially in electronic warfare. The high-profile cyberattacks attributed to DPRK hackers have served largely strategic and political purposes. However, cyber support to combat units in the event of full-scale war likely remains a key component of DPRK strategy.

Cyberwarfare is unique in that once a new methodology or technique has been used in an attack, the victim can relatively quickly create countermeasures to prevent future attacks. Probably for this reason, the DPRK has not, and most likely would not, conduct large-scale tactical or operational cyberattacks on the ROK or the United States unless at war. Rather, the DPRK would conduct only small-scale reconnaissance and testing of methodologies on enemy networks. This approach mitigates the risk of enemies developing countermeasures that would compromise the advantages the DPRK wants to preserve for full-scale war.


North Korean leader Kim Jong Un giving instructions to officials of security and defense in Pyongyang.

Although U.S. and partner forces know relatively little about the DPRK’s cyber capabilities, China and Russia can be studied as models. China, as North Korea’s closest (and perhaps only) ally, provides not only outward-facing networks for North Korean cyber units but also bases of operations, such as the Chilbosan Hotel, and training. Known Chinese cyber actions have primarily focused on technological espionage, something the DPRK probably has little interest in as it lacks the infrastructure to build or maintain technologically advanced weaponry as China does. In contrast, Russia’s cyber activities during its 2008 invasion of Georgia and 2014 military action in Ukraine suggest the DPRK’s likely tactical cyber actions in the event of war on the Korean Peninsula. 

At a recent closed-door meeting of U.S. strategists convened to evaluate North Korea’s capabilities, some participants expressed concern that the escalating cyberwar could actually tempt the North to use its weapons, both nuclear and cyber, very quickly in any conflict, for fear that the United States has secret ways to shut the country down. The director of the CIA, Mike Pompeo, said last week that the United States is trying to compile a better picture of the leadership around Kim Jong Un, for a report to President Donald Trump. Figuring out who oversees cyber and special operations is a central mystery. The Japanese press recently speculated it could be an official named Jang Kil Su. Others are curious about Gen. No Kwang Chol, who was elevated to the Central Committee of the North’s ruling party in May 2016 and is one of the only members whose portfolio is undisclosed.

North Korean Tactical CyberWarfare

The war on land, in the air and at sea around the Korean Peninsula would commence soon, or escalate, at a specific date and time; it should be stated that the cyber war has already begun. Arguably, the cyber war with the DPRK is an ongoing issue. North Korea would need to increase and intensify cyber reconnaissance and attacks before a general war in order to successfully support its conventional combat units.

Bureau 121 is a notorious unit and North Korea’s elite cyber-warfare cell, behind the Sony hack.

In the lead-up to war and in its early stages, North Korean asymmetric cyber units would target civilian communications through simple denial of service. The DPRK has demonstrated such capability: from 2014 to the present, the DPRK reportedly hacked “more than 140,000 computers” in the ROK belonging to government and businesses, and it tried to attack the ROK transportation system’s control network. The attacks, likely carried out by Bureau 121, were intended to gain access to and monitor ROK government and business communications. If the US attacked North Korea, the DPRK might turn off all 140,000 computers, rendering these organizations’ communications defunct. It might also be able to shut down or desynchronize the ROK transportation network and disable the GPS systems that guide aircraft and bombers such as the B-1B Lancer.

If increased in scope and aggressiveness, such attacks could cut the ROK’s communication and information-sharing capabilities with the military. Conducted in conjunction with special operations forces destroying physical communications systems in the ROK, the DPRK might disable ROK and U.S. communications, leaving units on the battlefield blind. Cutting communications in the early stages of the war would cripple the ROK and U.S. ability to coordinate artillery and aerial assets, giving DPRK forces time and space to overwhelm ROK and U.S. forces in the demilitarized zone.
While targeting of communications and critical networks in the ROK would hamper ROK and U.S. efforts, alternative means of communication might still enable the two nations to counter the DPRK’s aggression. However, vital secondary means of communication could be neutralized by targeting the ROK power grid, potentially negating the ROK and U.S. advantages over DPRK forces by slowing a timely coordinated response to aggression. Several years ago, such an attack would have been deemed impossible for a nation like the DPRK. Today, such an attack by the DPRK in the event of war is almost certain.
For example, in December 2015, Russian hackers caused a power outage in Ukraine via cyberattack. They installed malware on Ukraine’s power plant network and remotely switched breakers to cut power to over 225,000 people. Russia then swamped the Ukrainian utility’s customer service with fake phone calls to prevent the company from receiving customer calls. Given the level of sophistication that DPRK cyber units seem to have, and the relationship the DPRK maintains with Russia, it is likely that the DPRK has received support from Russia for potentially conducting similar attacks against ROK power plants. By knocking out critical communications, transportation, and support infrastructure, the DPRK would cause confusion and disorder that would help its conventional infantry forces overwhelm ROK and U.S. forces.

In order to negate ROK and U.S. technological superiority, the DPRK would employ more sophisticated cyberattacks against GPS, radar, logistics support systems, and weapons targeting systems. How exactly the DPRK would conduct such attacks is outside the scope of this discussion. The Defense Science Board cautions: “should the United States find itself in a full-scale conflict with a peer adversary, U.S. guns, missiles, and bombs may not fire, or may be re-directed against our own troops. Resupply, including food, water, ammunition, and fuel may not arrive when or where needed.”

Embedded video: North Korea is an unknown world and possesses the most dangerous cyber attack capabilities (North Korea’s cyber attack capabilities are …).
Hacking or taking radar and GPS offline, could confuse ground and air power, offering DPRK units freedom of maneuver on the battlefield. Moreover, the disruption of GPS would not only negate the use of GPS-guided weapons systems, but, more dangerously, it could also cause weapons to fire at incorrect coordinates. The hacking of U.S. satellites, which China reportedly has already shown it can accomplish, could blind ROK and U.S. intelligence to DPRK movements on the ground.
If the DPRK hacked the automated logistical networks that support ROK and U.S. forces on the peninsula, those forces would have difficulty sustaining warfighting capabilities. Tracking, requisitioning, and delivering essential war supplies could be disrupted by a simple DDoS attack that shuts down systems, or by corruption of data that causes logistical supplies to be sent to the wrong place. ROK and U.S. soldiers could quickly find themselves without the resources necessary to fight.
Therefore, the DPRK could use cyberattacks to ensure its numerical superiority and overwhelming volume of firepower could triumph despite inferior materiel. When combined with electronic warfare and special operations forces acting behind the battle lines, this would, consistent with the ideals in Unrestricted Warfare, cause ROK and U.S. forces to lose momentum and maintain a defensive and reactionary posture.
The side-principal rule, in essence, is the idea that war can be won through nonwar actions. When taking these two theories together, it becomes apparent that while the Chinese may believe they could not defeat the United States in war through conventional combat, they probably believe they could defeat the United States if nonwar actions were used to diminish the U.S. military’s strength to around two-thirds of its combat power.
The DPRK, with its goal of kukka mokp’yo and its extremely limited resources, has fewer options. So the DPRK would likely translate the golden ratio and the side-principal rule into diminishing ROK and U.S. forces by one-third through cyberattacks, combined with numerous other asymmetric means. With their systems taken offline or corrupted, U.S. and ROK warfighting capabilities would be diminished or disrupted to a point where, theoretically, the DPRK army could launch a massive ground invasion. Cyberattack, therefore, is a means by which the DPRK would likely strike at enemy warfighting support systems, thereby giving its numerically superior military the space, time, and freedom of maneuver to sustain a fight on the peninsula.
A cyberattack could include a nuclear-detonated electromagnetic pulse that would disable electronic devices within a 450-mile radius. The DPRK could, theoretically, achieve this by detonating a nuclear device in the atmosphere at an altitude of thirty miles. This attack could negate technological advantages of friendly forces on the peninsula, rendering equipment with an electronic component useless. However, given the threat of nuclear retaliation as well as the increased likelihood of U.S. support of a prolonged war, which would most likely result in the DPRK’s defeat, this option probably would remain a last resort short of a tactical nuclear strike.

North Korea’s Hacking

On Nov. 24, the attack on Sony began: Employees arriving at work that day found their computer screens taken over by a picture of a red skeleton with a message signed “GOP,” for “Guardians of Peace.” “We’ve obtained all your internal data including your secrets and top secrets,” the message said. “If you don’t obey us, we’ll release data shown below to the world.” That was actually a diversion: The code destroyed 70 percent of Sony Pictures’ laptops and computers. Sony employees were reduced to communicating via pen, paper and phone. Lynton said the FBI told him that nothing could have been done to prevent the attack, since it was waged by a sovereign state. “We learned that you really have no way of protecting yourself in any meaningful way,” he said of such nation-state attacks.
Sony struggled to distribute the film as theaters were intimidated. (Ultimately it was distributed for download, and may have done better than it would have.) In London, outside investors in Channel Four’s North Korea project suddenly dried up, and the project effectively died. The Obama White House responded to the Sony hack with sanctions that the North barely noticed, but with no other retaliation. “A cyber battle would be a lot more risky for the United States and its allies than for North Korea,” 
The digital bank heists began with an attack in the Philippines in October 2015; then the Tien Phong Bank in Vietnam at the end of the same year; and then the Bangladesh Central Bank. Researchers at Symantec said it was the first time a state had used a cyberattack not for espionage or war, but to finance the country’s operations. Now, the attacks are increasingly cunning. Security experts noticed in February that the website of Poland’s financial regulator was unintentionally infecting visitors with malware.

It turned out that visitors to the Polish regulator’s website, employees from Polish banks, from the central banks of Brazil, Chile, Estonia, Mexico and Venezuela, and even from prominent Western banks like Bank of America, had been hit with a watering hole attack, in which North Korean hackers waited for their victims to visit the site, then installed malware on their machines. Forensics showed that the hackers had compiled a list of internet addresses from 103 organizations, most of them banks, and designed their malware to infect only visitors from those addresses, in what researchers said appeared to be an effort to move stolen currency around.
More recently, North Koreans seemed to have changed tack once again. North Korean hackers’ fingerprints showed up in a series of attempted attacks on cryptocurrency exchanges in South Korea, and were successful in at least one case, according to researchers at FireEye. The attacks on Bitcoin exchanges, which see hundreds of millions of dollars worth of Bitcoin exchanged a day, offered Pyongyang a potentially very lucrative source of new funds. And, researchers say, there is evidence they have been exchanging Bitcoin gathered from their heists for Monero, a highly anonymous version of cryptocurrency that is far harder for global authorities to trace.
The most widespread hack was WannaCry, a global ransomware attack that used a program that cripples a computer and demands a ransom payment in exchange for unlocking the computer, or its data. In a twist the North Koreans surely enjoyed, their hackers based the attack on a secret tool, called “EternalBlue,” stolen from the National Security Agency.
In the late afternoon of May 12, panicked phone calls flooded in from around Britain and the world. The computer systems of several major British hospital systems were shut down, forcing diversions of ambulances and the deferral of nonemergency surgeries. Banks and transportation systems across dozens of countries were affected too.
Britain’s National Cyber Security Center had picked up no warning of the attack, said Paul Chichester, its director of operations. Investigators now think the WannaCry attack may have been an early misfire of a weapon that was still under development by the North Koreans to test its tactics and vulnerabilities.
The spread was halted thanks to Marcus Hutchins, a college dropout and self-taught hacker living with his parents in the southwest of England. He spotted a web address in the malware’s code and, on a lark, paid $10.69 to register it as a domain name. Activating the domain turned out to act as a kill switch, causing the malware to stop spreading. British officials privately acknowledge that they know North Korea perpetrated the attack, but the government has taken no retaliatory action.
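The kill switch described above only helps a defender who can see it fire: an infected host performs a lookup of the kill-switch domain before it decides whether to keep spreading, so that lookup is itself a detection signal in resolver logs. The following is an added example, not code from the article or from any of the parties it names; it scans constructed BIND-style query-log lines for clients that queried a kill-switch domain and reports them. The domain `killswitch-placeholder.example` and the log lines are constructed placeholders (the article does not give the real domain), and the log format, regex and function names are this example's own assumptions.

```python
"""Flag hosts that looked up a kill-switch domain in DNS resolver logs.

Added example, not from the original article. Both the domain and the
log lines are constructed placeholders; substitute the real indicator
from your threat-intelligence feed and your resolver's actual log format.
"""
import re
from collections import defaultdict

# Placeholder indicator: NOT the real kill-switch domain.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed sample in a BIND-like query-log format (one query per line).
SAMPLE_LOG = """\
12-May-2017 15:03:11.123 client 10.1.4.27#51234: query: killswitch-placeholder.example IN A + (10.1.1.1)
12-May-2017 15:03:12.001 client 10.1.4.27#51235: query: www.example.com IN A + (10.1.1.1)
12-May-2017 15:03:13.440 client 10.1.9.8#40011: query: KillSwitch-Placeholder.example. IN A + (10.1.1.1)
12-May-2017 15:03:15.002 client 10.1.4.27#51240: query: killswitch-placeholder.example IN A + (10.1.1.1)
12-May-2017 15:03:16.770 client 10.2.0.5#33002: query: updates.example.org IN AAAA + (10.1.1.1)
malformed line that the parser must skip
"""

# Assumed log layout: "client <ip>#<port>: query: <qname> IN <qtype> ..."
LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def parse_line(line):
    """Return (client_ip, qname, qtype) or None for lines in another format.

    The query name is lower-cased and stripped of a trailing dot so that
    'Example.COM.' and 'example.com' compare equal, as DNS names should.
    """
    m = LOG_RE.search(line)
    if m is None:
        return None
    qname = m.group("qname").rstrip(".").lower()
    return m.group("ip"), qname, m.group("qtype")


def find_kill_switch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Map each client IP that queried `domain` to its number of lookups."""
    wanted = domain.rstrip(".").lower()
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated or malformed line
        ip, qname, _qtype = parsed
        if qname == wanted:
            hits[ip] += 1
    return dict(hits)


def triage(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return clients ordered by lookup count, most active first."""
    hits = find_kill_switch_lookups(log_text, domain)
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for ip, count in triage(SAMPLE_LOG):
        print(f"{ip}\tqueried kill-switch domain {count} time(s); isolate and image this host")
```

A query is evidence that the worm ran on that host, not that it was stopped: the malware halts only if its check succeeds, and it was widely reported at the time that hosts whose only route out was a mandatory web proxy never completed the check and kept spreading. The practical mitigation is to make the domain resolve and answer inside your own network (a sinkhole) rather than rely on the public registration, and to treat every client this script lists as compromised regardless of whether the lookup succeeded.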
While U.S. and South Korean officials often express outrage about North Korea’s cyber activities, they rarely talk about their own, which also helps fuel the cyber arms race.

The Science and Tech weblog is about science, technology, esoteric and international breaking news of national interest.