[Chatham House Roundtable] North Korean Hacking Threat, The War Has Already Begun

'Practical Training' North Korean Hackers' Attack Capabilities at Global Level
Cyberwar Threats Revealed in Russia-Ukraine War
Challenges Including Cybersecurity Law and Security Solution Adoption

Editor's Note: North Korea's cyber attacks are intensifying day by day. Beyond merely stealing virtual assets and information, operations aimed at causing nationwide confusion have also been detected. Threats in the invisible cyberspace have become a reality. Although North Korea's threat level has already crossed the 'red line,' it is not easy to grasp the actual degree of risk. On the 22nd, Asia Economy held a 'Chatham House Roundtable' at the Asia Media Tower in Jung-gu, Seoul, to diagnose the hacking realities of North Korea and consider cyber security challenges. Attendees included Moon Jong-hyun, Head of the Genians Security Center; Yoon Min-woo, Professor of Police Security at Gachon University; Lee Jin, Director of the Cyber Security Research Institute (NCSL); and Lim Jong-in, Special Cyber Advisor to the Presidential Office (in alphabetical order). 'Chatham House' is the nickname of the Royal Institute of International Affairs (RIIA) in the UK, considered a top-tier research institution in diplomacy and security. The roundtable disclosed the list of participants but anonymized each speaker's remarks, following the 'Chatham House Rule.'

▶Moderator = So Jong-seop, Political and Social Managing Editor


<Moderator> There have been many recent news reports about North Korea's hacking attacks, including breaches of the Supreme Court's computer network and defense contractors. What is the level of North Korea's hacking and cyber attack capabilities?
[Photo] North Korea's Cyber Threats

North Korea ranks among the top five globally. Since it has little to protect, it focuses on offense. Its offensive capabilities are world-class. Typical examples include hacking cryptocurrency exchanges or extorting money through ransomware. It is said to have secured over $3 billion (about 3.98 trillion KRW) through hacking in the past five years. In June and July, it attacked cryptocurrency exchanges in Japan and India, stealing an enormous $550 million (about 730 billion KRW) within a week. These funds are used for nuclear and missile development.


Recently, attacks on defense contractors have become problematic. As South Korean weapons become more advanced and sophisticated, 'K-Defense' gains competitiveness, so North Korea likely feels the need to upgrade its weapon systems accordingly. Large corporations tend to have robust security, but partner companies have limitations. The presidential office recently held an emergency inspection meeting on how to assist small and medium-sized defense contractors that are frequently targeted.


Additionally, threats from fake news are a significant issue. Concerns about fake news are high ahead of the upcoming U.S. presidential election in November, and they were also high during South Korea's last general election. At this year's UN Cybersecurity Conference, issues such as election interference through fake news, threats to democracy, attacks on critical social infrastructure, and attacks on cryptocurrency exchanges were raised. North Korea is proficient in all these attacks.


Official records often mention the July 7, 2009 DDoS incident (where major government agencies, portals, and bank sites in South Korea and the U.S. were attacked, temporarily disabling services), but in fact, records show North Korea created malicious files as early as 2003. Since the Kim Jong-il era, North Korea developed the concept of 'cyber warfare' and systematically nurtured young students.


Initially, North Korea was technically very weak. Malicious programs were simple and functionally easy to analyze. Now, they embed their own encryption algorithms in malicious programs. Examining their code reveals extensive use of 'substitution techniques' to conceal and hide their identity. They often disguise attacks as if conducted by China or Russia, engaging in deliberate deception. Comparing past and present, their technical growth is remarkable.


They invest heavily. The regime trains hackers systematically. From the Kim Jong-il to the Kim Jong-un regime, they have been educating systematically, in particular selecting math, science, and computer prodigies and nurturing them internally, and this is palpable.


<Moderator> It seems the public feels somewhat distant from the reality. How should we assess the risk level of North Korea's cyber attacks?
[Photo] On the 22nd, panelists are discussing at the Chatham House roundtable held at Asia Media Tower in Jung-gu, Seoul, on the topic of "Diagnosis of North Korea's Hacking Status and Tasks in the Field of Cybersecurity." (Clockwise from the bottom left) So Jong-seop, Managing Editor of Politics and Society at Asia Economy; Lee Jin, Director of the Cybersecurity Research Institute (NCSL); Moon Jong-hyun, Head of the Genians Security Center; Yoon Min-woo, Professor of Police Security at Gachon University; Lim Jong-in, Special Cyber Advisor to the Presidential Office. Photo by Yoon Dong-ju doso7@

In the past, attacks focused particularly on military information. In the process, many North Korean expressions were accidentally discovered. Malicious programs planted by North Korea had document file collection functions, and keywords like 'ryeodan' (brigade) appeared, reflecting North Korea's unique language rules that do not use initial sound rules. During the March 20, 2013 network paralysis incident, even Pyongyang IP addresses were detected. Now, attackers consider tactics and disguises to avoid exposure.


Since the 2016 Bangladesh Bank hacking incident, they have focused on earning foreign currency through virtual asset (Bitcoin) exchanges. These funds are used for regime governance or to finance nuclear and missile development.


Actually, there was a nationwide attack early last year. Most citizens use representative public certification programs installed when accessing internet banking or the National Tax Service's Hometax. These were hacked, and their source codes stolen. Exploiting vulnerabilities in this software, eight major media websites were hacked. The fact that well-known media websites were hacked means random attacks were possible. This was the most surprising and frightening part when analyzing the incident. However, North Korea had set up all the infrastructure needed for nationwide attacks but filtered malicious code commands to target only specific defense contractors or IT companies. Without this filtering, a nationwide attack could have caused enormous chaos.


Such attacks can happen anytime. South Korea is highly dependent on the internet. Weapons like missiles are all computer-controlled. Attackers will plan how to use cyberspace in actual warfare. The concept of cyber security is invisible but already at a very dangerous level, and all citizens need to be vigilant.


The core organization is called the Reconnaissance General Bureau. Just as South Korea's National Intelligence Service does, the Reconnaissance General Bureau sets all policies and strategies for North Korea's offensive hacking, recruits and trains personnel, sends them abroad for study, or forms specific groups.


Some hackers work normally at Chinese IT companies during the day but gather at night to hack for money. Their compensation is very good. Though I cannot disclose exact incentives, they earn amounts unattainable by ordinary Chinese workers, exceeding salaries of South Korean large corporations. They can also remit money to families in North Korea.


They can hack by targeting people or influence cognitive structures or command systems through hacking. Recently, patient personal information was stolen from a hospital in Daejeon. When asked why patient information was stolen, the hospital said many users were researchers from the Agency for Defense Development (ADD). Obtaining personal information helps identify whom to recruit. Family illnesses or other personal matters can become leverage for spy recruitment. While major facilities and bases have good security, insiders can be recruited to attack. The leak from the Republic of Korea Army Intelligence Command was also likely an insider act.


We must also consider how North Korea combines cyber warfare with conventional warfare. North Korea's war method is a traditional three-stage tactic based on Soviet-Russian tactics: air bombardment and missile fire strike the front, then tanks and mechanized infantry advance once the path opens. The basic strategy is to break through south of Seoul and Daejeon to control the overall situation. Now, a zero stage has emerged: cyber warfare and cognitive warfare. This appeared in the Russia-Ukraine war. Before physical firepower, large-scale cyber attacks and fake news flood in. When attackers cannot be identified, the government becomes isolated, the public unsettled, and critical infrastructure and bases can be attacked.


<Moderator> The National Intelligence Service recently announced that North Korea has about 8,400 hackers. Organizations like Lazarus, Andariel, and Kimsuky are mentioned. Are all these under the Reconnaissance General Bureau?
[Photo] On the 22nd, Moon Jong-hyun, Head of the Genians Security Center, spoke at the Chatham House roundtable held at Asia Media Tower in Jung-gu, Seoul, on the topic of "Diagnosis of North Korea's Hacking Status and Tasks in the Field of Cybersecurity." Photo by Yoon Dong-ju doso7@

In South Korea, hackers belong to various institutions, including academia. In North Korea, hackers are generally considered part of the military or government. Just as Huawei in China is linked to the People's Army, North Korean hackers are managed by the government.


The number of hackers is increasing. Including potential reserves, the number is much higher. Family stability is guaranteed, and economic incentives are excellent. From a very young age, math and science prodigies are selected and systematically trained by the state. There is information that 100 are selected annually and given 45-pyeong (about 1,500 sq ft) apartments in Pyongyang. Families move there, but they are essentially hostages.


Names like Lazarus, Andariel, and Kimsuky were mostly created by private security firms. When Sony Pictures was hacked in 2014, the attacker used fake accounts with the nickname 'Lazarus.' U.S. security experts cited that name in reports before conclusive evidence pointed to North Korea.


Kimsuky derives from the attacker's email name 'Kimsukyang.' Russian security firms cut off 'ang' and cited it as a Russian-style name ending in '-sky.' Lazarus and Andariel are actually characters from the online game 'Diablo.' Knowing this, these group names can be seen as a kind of comedy.


There was a kind of taboo in the past. Although technically it was possible to verify North Korea's involvement, political issues made it difficult to directly state North Korea was behind attacks. When reports on Lazarus came out, North Korea engaged in psychological warfare, saying, 'Look at the U.S. report; it says Lazarus, not us.' It would be better if the media directly referred to the Reconnaissance General Bureau or State Security Department. Clearly identifying North Korea's attacks would raise public awareness.


<Moderator> What recent points should we pay attention to regarding North Korean hackers' attacks?
[Photo] On the 22nd, at the Asia Media Tower in Jung-gu, Seoul, Professor Yoon Min-woo of the Department of Police Security Studies at Gachon University spoke at the Chatham House roundtable titled "Diagnosis of North Korea's Hacking Status and Challenges in the Field of Cybersecurity." Photo by Yoon Dong-ju doso7@

Unlike South Korean hackers, North Korean hackers are 'combat fighters.' They improve their skills through repeated practice. The U.S. underestimated North Korea until 2015 but has rated it highly since 2018.


North Korea is becoming more like Russia. Russia conducted influence operations during the 2016 U.S. election by leaking sensitive hacked information to WikiLeaks, integrating technical attacks and influence operations. In this context, it is concerning that the head of Russia's Foreign Intelligence Service (SVR) visited North Korea earlier this year. As military cooperation tightens, cyber exchanges may also occur. For Russia, transferring such cyber attack know-how is less burdensome than advanced technology.


Regarding exchanges between North Korea and Russia, 'providing bases' can be considered. Eastern European countries adjacent to Russia have mixed ethnicities, making it hard to distinguish a single ethnicity like in Korea. For example, in Kazakhstan, people look very similar to Koreans. It would be difficult to identify someone as North Korean. This makes identity laundering easy.


Hackers need internet access wherever they work. Bases are necessary, and China is the only place where North Koreans can operate under their own names. However, even if they launder their identity as Chinese, China itself is under scrutiny. Russia is different. Being adjacent to Europe, it can provide bases for operations targeting the West. These bases are not only for attacking South Korea but also serve as criminal networks shared among crime organizations. Bulgaria was a well-known location for such networks.


In actual North Korean hacking attacks, Yandex (Russia's largest portal) emails and cloud services, as well as Bulgarian and Indian emails, have been found. Without using such infrastructure, attacks would be impossible. When analyzing North Korea's attacks, it was important to understand how they knew and used overseas email and cloud services in real attacks. They likely gained field experience through overseas assignments. Using Bulgarian emails to attack government agencies can serve as a disguise and diversion tactic.


<Moderator> North Korea's hacking attacks have aimed to secure funds through virtual asset theft or to steal critical information. However, with advanced hacking techniques and professional hacker training, concerns arise that attacks capable of paralyzing our society are possible.
[Photo] On the 22nd, panelists are discussing at the Chatham House roundtable held at Asia Media Tower in Jung-gu, Seoul, on the topic of "Diagnosis of North Korea's Hacking Status and Challenges in the Field of Cybersecurity." Photo by Yoon Dong-ju doso7@

The Ukraine war shows AI technology and drones are used on the battlefield. As traditional warfare changes, cyber warfare has emerged as an important means. Nuclear weapons are essentially deterrents; currently, missiles and cyber attacks are the most effective war tools. North Korea likely believes it has an advantage over South Korea in these two areas. It is highly probable North Korea will continue to enhance these 'effective means.' South Korea has undergone dense digitalization and AI transformation (AX). North Korea's cyber attacks can now cause infrastructure paralysis, public unrest, and even war.


With new technologies and platforms like AI and satellites emerging, cyber security has become fundamental. Globally, skilled hackers have many opportunities like professional athletes, and competition for talent is fierce. From this perspective, North Korea's training programs for nuclear scientists and cyber personnel can be considered successful.


South Korea should benchmark these changes but has yet to transform systematically. Society is not fully prepared to accept this. The cyber security law, a task since 2006, is included in this government's agenda but remains unimplemented. It was also pursued during the Moon Jae-in administration, but the ruling party wants it while the opposition resists, causing repeated stalemates.


<Moderator> How do South Korean hackers' abilities and cyber attack and defense levels compare?
[Photo] On the 22nd, at the Asia Media Tower in Jung-gu, Seoul, Lee Jin, Director of the Cybersecurity Research Institute (NCSL), spoke at the Chatham House roundtable titled "Assessment of North Korea's Hacking Status and Challenges in the Field of Cybersecurity." Photo by Yoon Dong-ju doso7@

Our hackers perform well in competitions. However, they have never done 'real hacking' even in private companies. They have only experienced hacking within fixed frameworks and rules of competitions. Compared to North Korean hackers who have experienced nerve-wracking real hacking and huge financial stakes, there is naturally a gap in offensive capabilities.


Defense capabilities have been developed over a long time by the National Intelligence Service and Korea Internet & Security Agency (KISA). If people are not recruited by adversaries, systems are well-prepared enough that following principles prevents breaches. However, people often do not comply because it is inconvenient. Security awareness is low. Every year, security audits of government ministries find basic issues.


The previous panelist made an important point: hacking is a crime. Hacking inherently crosses rules and norms, but institutional education sets thinking to follow norms. The human brain excels within given frameworks but struggles to cross boundaries. North Korean hackers, based on real combat, employ (criminal) imagination. Western countries sometimes hire active hackers.


From a defensive perspective, offensive capabilities must be considered. Offensive defense is necessary. North Korean hackers have human vulnerabilities. Through influence operations, they can be induced to defect or whistleblow. If a North Korean hacker defects to our side, allowing them to keep hidden assets is a method. Aggressive responses that shake hackers are needed.


In cyberspace, the fastest defense is offense. There is a saying, 'Attack is the best defense.' However, in training security experts, 'ethics' has been emphasized. Cyberspace is under constant attack. We must attack to defend. Paradoxically, attacking as the best defense becomes legally problematic. Without institutional safeguards, crossing the line makes one a criminal.


Recently, the U.S. Department of Defense introduced the Defend Forward concept, an offensive defense strategy against cyber threats. South Korea is shifting toward proactive defense. Although unofficial illegal acts for national security have occurred, public discussion is only now happening. While the term 'cyber war' is not widely used, battles are ongoing in real time. It is no exaggeration to say war is happening in network space right now.


<Moderator> What are our tasks and the elements to improve in cyber security?
[Photo] On the 22nd, at the Asia Media Tower in Jung-gu, Seoul, Lim Jong-in, Special Cyber Advisor to the Presidential Office, is speaking at the Chatham House roundtable titled "Assessment of North Korea's Hacking Status and Challenges in the Field of Cybersecurity." Photo by Yoon Dong-ju doso7@

As cybercrime severity grows, the 'Cybercrime Prevention Convention' was unanimously adopted at the UN Ad Hoc Committee meeting on the 8th (local time). It is expected to pass smoothly at the UN General Assembly in the fall. This is the first international convention on cybercrime. Ratifying it and enacting domestic laws accordingly will improve our cyber warfare response capabilities.


Previously, there was the 2001 Budapest Convention adopted by the Council of Europe for rapid cooperation in cybercrime. South Korea only applied to join under this government. Previously, laws and systems were inadequate for participation. For example, during criminal investigations, real-time data sharing requires wiretapping capabilities. However, South Korea's Communications Privacy Protection Act lacks provisions for real-time wiretapping, only penalties. The military has established a Cyber Operations Command, but its mission is unclear. Frankly, our military remains at the level of 1968 when Kim Shin-jo infiltrated.


☞ Current law does not mandate telecommunications operators to equip mobile phone wiretapping facilities, making wiretapping practically impossible. The U.S. has the Communications Assistance for Law Enforcement Act (CALEA) since 1994, requiring government or telecoms to bear wiretapping costs. Germany, the UK, Australia, etc., have similar systems.


South Korea's reputation as an 'IT powerhouse' is a misconception. Despite many foreign tourists, South Korea is one of the few countries where 'Google Maps' does not work. 'Google Pay' and 'Apple Pay' are still unavailable in many places. To build capacity, laws and systems must be established first, then industry develops, followed by services. South Korea's industry is advanced, but services lag far behind. Many social systems are inadequate. Without legal and institutional changes, society cannot evolve.


'Cyber security' requires a strategic approach within the national framework in cyberspace, where inside and outside cannot be distinguished. When enacting cyber security laws, they should not be made from the perspective of punishment and surveillance like the old National Security Law. Such approaches do not work today. Political misuse fears and unresolved suspicions make passing laws difficult regardless of which party governs.


Looking at past bills regardless of political orientation, there is no clear principle for protecting personal information. For cyber security, if necessary, offensive measures including those infringing on individual privacy must be deployable.


Gaining public understanding, who must endure privacy invasions, is a matter of 'responsibility.' If an agency deems it necessary for investigation, it must access all information and means. However, all actions must be recorded. These records must not be deleted or altered. Even years later, it should be possible to see who accessed what information and why. For example, if past regimes politically abused data and were legally punished based on records, the public would understand.


North Korea's attacks have surpassed levels manageable by specific organizations. The National Intelligence Service and KISA have succeeded in many defenses, but detecting covert attacks targeting civilians is realistically limited. Like youth receiving training in the military, a 'civilian defense posture' is needed in cyberspace. For example, a 'cyber reserve force' could be created, including cybersecurity company workers and university students majoring in related fields, that jointly researches and responds. Similar to defense industry civilian companies collaborating with government agencies, such qualifications and concepts should be introduced in cyber security. Comprehensive investment in civilian information protection companies comparable to the defense industry would strengthen public-private cooperation.


System improvements are urgent. Recently, laws were amended to require information and communication service providers to report damage details and causes within 24 hours of recognizing a cyber incident. However, companies attacked by North Korea hesitate to share damage with authorities or disclose externally due to concerns over trust loss or stock price drops. North Korea's cyber attacks have become too advanced for individual companies to block. Companies should be relieved of burdens to share and respond quickly.


☞ 'Endpoint' refers to devices users use to access IT services, such as PCs, smartphones, and tablets. EDR (Endpoint Detection and Response) systems monitor endpoints for malware, hacking, or intrusion incidents and immediately respond by blocking networks according to predefined security policies. The Biden administration issued Executive Order 14028 in 2021, directing federal agencies to install EDR and promote information sharing to improve cyber incident detection in government networks.


Cyber security must be approached as a 'constant war.' Unlike the past, war and peace are viewed as a continuous spectrum. Before or after physical military force is deployed, non-physical means like cyber and cognitive warfare occur. Relying solely on the National Intelligence Service and military power to counter North Korean hacking has limits. In addition to government and military, a 'militia' must be developed.


To enable civilian experts to participate, a 'business ecosystem' must be built. For example, if officers and non-commissioned officers can build careers in the Cyber Command and then move to civilian security companies with guaranteed salaries, applications would surge. They could also move back to government positions or work as professors or researchers, creating a 'career path.'


The first step is to abolish the public recruitment system in the military and government agencies so they can hire necessary experts timely. In the U.S., a Marine captain who led cyber warfare in the Iraq war later worked in civilian security companies and then became NSA director. In South Korea, even experts cannot rejoin organizations after military discharge.


Legally, a different approach might help. Instead of packaging everything into a cyber security law, approach tasks incrementally like a salami tactic. List current threats and accumulate regulations addressing them behaviorally one by one. Cyber security law enactment faces risks of opposition from the opposition party, which could be either side. Recognizing mutual interests and addressing feasible tasks first is more rational.


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.

