"North Korea, Possible Election Manipulation"… Election Commission Handles with 'Perfect Security' (Comprehensive)

NIS and Election Commission Announce Results of 'Joint Security Inspection'
Election Commission Refused NIS Inspection and Gave 'Perfect Score'
Actual Score in 30s... "Severe Management Negligence"
North Korea Could Manipulate from Early Voting to Vote Counting Values

The Central Election Management Committee (hereinafter referred to as the CEMC) computer network and its voting and counting systems have been revealed to be in a state where North Korea can infiltrate and manipulate them at any time. In particular, even though confidential documents had been leaked from the CEMC through North Korea-backed cyberattacks led by Kimsuky, it refused security inspections by the National Intelligence Service (NIS) and submitted a self-assessment claiming a 'perfect score of 100' based on false grading.


On the 10th, the NIS announced the results of the 'CEMC security inspection' at the National Cybersecurity Cooperation Center in Seongnam, Gyeonggi Province. A joint security inspection team consisting of three organizations, the NIS, the Korea Internet & Security Agency (KISA), and the CEMC, conducted inspections from July 17 to September 22, uncovering numerous security vulnerabilities. The inspection was carried out in three areas: system vulnerabilities, hacking response status, and infrastructure security management, with the inspection team attempting to infiltrate the CEMC computer network as simulated hackers. As a result, it was revealed that North Korea could manipulate everything from early voting to the counting results.


Election Commission staff are inspecting the ballot sorter at the counting center. [Image source=Yonhap News]

First, it was confirmed that the CEMC computer network could be infiltrated from outside even into systems requiring security. The computer network is largely composed of three types: internet network, business network, and election network. Among these, the business and election networks, which operate key election systems related to voting and counting, should be isolated from external access, but due to poor system management, network separation was not properly implemented.


A representative case of poor management was that the CEMC had continued to use the initial passwords set at product launch without changing them. This made it possible to steal or manipulate the integrated voter registry. In particular, it was possible to alter early voting status so that individuals who had already voted were shown as not having voted, or to register non-existent 'ghost voters' as actual voters.


Regarding the counting system, it was diagnosed that hacking the counting database (DB) via the internet was possible. The DB was not installed on a secure internal network, and password management was also poor. Hackers could change the vote counts for specific candidates, and if such manipulated results were broadcast through election broadcasts, it could cause confusion in the election, according to the inspection team's assessment.


The 'ballot sorter' was also found to be vulnerable to hacking. It was possible to install malware on the sorter via USB or connect unauthorized wireless communication devices, and numerous loopholes were found in the verification program. This means that actual marking results and sorting results could be altered. In particular, the sorter operation program was exposed on the internet, allowing hackers to obtain it in advance.


NIS: "CEMC did not conduct inspections despite being notified of North Korean hacking"
National Intelligence Service building [Photo by National Intelligence Service]

Previously, the NIS notified the CEMC of eight hacking attacks by North Korea. The CEMC was unaware of the damage before the NIS notification and subsequently neglected to investigate the cause of the hacking or confirm whether data had been leaked. They did not notify the affected parties of the damage nor take additional security measures, resulting in the same targets suffering repeated attacks by North Korea.


Upon investigating the damage, the inspection team found that attacks aimed at stealing CEMC email accounts were carried out by Kimsuky, a representative North Korean hacker group. Through CEMC staff accounts, they stole data stored in commercial emails and internet PCs, and numerous confidential documents were leaked to North Korea. During this process, it was also discovered that CEMC staff circulated work materials via personal commercial emails.


The problem is that the CEMC refused inspections of such vulnerable systems and rated their security level themselves as a 'perfect score.' The CEMC, which had refused on-site inspections by the NIS, submitted a self-assessment score of '100' last year. However, upon reevaluation, the actual score was only 31.5. This is less than half the average score of 81.9 among 119 institutions inspected for protective measures last year and even lower than the lowest score of 44.6 at that time.


In the reevaluation, the CEMC received '0 points' on 15 of the 31 evaluation items, nearly half. It falsely graded the business network as separated when it was not, entrusted vulnerability analysis and evaluation to unqualified companies, and even granted contractors administrator-level permissions equivalent to those of CEMC staff. It was also revealed that contractors leaked internal CEMC data through unauthorized USB devices.


NIS: "It is difficult to confirm past North Korean election manipulation"
Central Election Commission building [Image source=Yonhap News]

However, the NIS pointed out that since the CEMC had already returned leased security equipment, it was not possible to confirm all issues through this inspection. While it was confirmed that North Korea could infiltrate and manipulate the system at any time, it is difficult to accurately determine whether there were attacks on the election network at any point in the past. This inspection only checked 317 out of approximately 6,400 devices, about 5% of the total equipment.


An NIS official who participated in the inspection criticized, "It was so sloppy that it is doubtful whether the CEMC actually conducted the inspection." Regarding the 'cases of repeated attacks by North Korea,' the official explained, "It was confirmed that a senior official at a local election commission was targeted after checking the hacking emails. It was not a random distribution of emails but a deliberate approach impersonating CEMC staff."


Baek Jong-wook, the NIS 3rd Deputy Director, said, "If manpower and sufficient time are guaranteed, more vulnerabilities can be uncovered through detailed inspections, but tracking past hacking incidents is difficult." When asked if hacking attacks were possible in the Gangseo District Office by-election, he explained, "We have completed removing contact points between computer networks as an immediate measure and have finished urgently needed measures such as supplementing online voting authentication bypass."


Meanwhile, the CEMC rebutted the NIS's announcement of the inspection results, stating, "It is practically impossible without the organized involvement of multiple internal collaborators." The CEMC emphasized, "The consulting results should be interpreted comprehensively considering legal and institutional measures," and stressed that "the technical possibility of hacking the election system does not directly lead to the possibility of actual election fraud."


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.

