Attrition: South Korea Counts Its Cyber War Losses


October 23, 2013: South Korea has come up with a number (over $800 million) for the cost of dealing with North Korean cyber attacks over the past four years. The list the government complied is quite detailed. The latest attacks (in March and June) accounted for 93 percent of the cost. South Korea has been subjected to a growing number of Cyber War attacks since 2009, and the high cost of the latest ones shows that the North Koreans are getting better and that South Korea is not keeping up.

But the South Koreans are making some progress. Earlier this year several teams of security researchers concluded that nearly all these attacks were the work of one group of 10-50 people called DarkSeoul. Given the extent of the attacks, the amount of work required to carry them out, and the lack of an economic component (no money was being stolen) it appeared that a national government was responsible. That coincides with earlier conclusions that North Korean, not Chinese, hackers were definitely responsible for several recent attacks on South Korean networks. The most compelling bit of evidence came from a March 20th incident where a North Korean hacker’s error briefly made it possible to trace back to where he was operating from. The location was in the North Korean capital at an IP address belonging to the North Korean government. Actually, very few North Korean IP addresses belong to private individuals and fewer still have access to anything outside North Korea.

Details of DarkSeoul were uncovered using pattern analysis of the hacker code left behind in damaged networks. There were patterns indicating the work of individual programmers and indications that there was only one organization involved in nearly all the attacks conducted since 2009. There was a lot of work involved in building all the software and assembling the resources (hacked South Korean PCs, as well as hardware and network time required by the DarkSeoul team), and all this had to be paid for by someone. The likely culprit was North Korea, which has threatened Cyber War attacks but not taken credit for them. This is typical of most North Korean attacks, both conventional and now over the Internet. 

Long believed to be nonexistent, North Korean cyberwarriors apparently do exist and are not the creation of South Korean intelligence agencies trying to obtain more money to upgrade government Information War defenses. North Korea has had personnel working on Internet issues for over 20 years, and their Mirim College program trained over a thousand Internet engineers and hackers. North Korea has a unit devoted to Internet based warfare and this unit is increasingly active.

Since the late 1980s, Mirim College in North Korea has been known as a facility that specialized in training electronic warfare specialists. But by the late 1990s, the school was found to be teaching students how to hack the Internet and other types of networks. Originally named after the district of Pyongyang it was in, the college eventually moved and expanded. It had several name changes but its official name was always “Military Camp 144 of the Korean People's Army.” Students wore military uniforms and security on the school grounds was strict. Each year 120 students were accepted (from the elite high schools or as transfers from the best universities). Students stayed for 5 years. The school contained 5 departments: electronic engineering, command automation (hacking), programming, technical reconnaissance (electronic warfare), and computer science. There's also a graduate school, with a 3 year course (resulting in the equivalent of a Master’s Degree) for a hundred or so students.

It was long thought that those Mirim College grads were hard at work maintaining the government intranet, not plotting Cyber War against the south. Moreover, North Korea has been providing programming services to South Korean firms. Not a lot, but the work was competent and cheap. So it was known that there was some software engineering capability north of the DMZ. It was believed that this was being used to raise money for the government up there, not form a major Internet crime operation. But now there is the growing evidence of North Korean hackers at work in several areas of illegal activity. The Cyber War attacks apparently began around 2005, quietly and nothing too ambitious. But year-by-year, the attacks increased in frequency, intensity, and boldness. By 2009, the North Korean hackers were apparently ready for making major assaults on South Korea's extensive Internet infrastructure, as well as systems (utilities, especially) that are kept off the Internet.

The recently (2011) deceased North Korean leader Kim Jong Il had always been a big fan of PCs and electronic gadgets in general. He not only founded Mirim but backed it consistently. The only form of displeasure from Kim was suspicions that those who graduated from 1986 through the early 1990s had been tainted by visits (until 1991) by Russian electronic warfare experts. Some Mirim students also went to Russia to study for a semester or two. All these students were suspected of having become spies for the Russians, and most, if not all, were purged from the Internet hacking program. Thus, it wasn't until the end of the 1990s that there were a sufficient number of trusted Internet experts that could be used to begin building a Cyber War organization.

South Korea has to be wary because they have become more dependent on the web than any other on the planet, with the exception of the United States. As in the past, if the north is to start any new kind of mischief, they try it out on South Korea first. While many of the first serious attacks in 2009 were more annoying than anything else, they revealed a new threat out there, and one that not only got worse but turned out to be from the usual suspects.




ad Help Keep Us Online!

We will not give in! Go to other sites on the World Wide Web and they look like the side of a stock car. Lots of ads and little content! But here is the deal we cannot keep our site relative ad free without your support. Each month we need your subscriptions or contributions plus what meager ad revenue we do receive to stay in business. You can support us in the following ways:

  1. Make sure you spread the word about us. Two ways to do that are to like us on Facebook and follow us on Twitter.
  2. Subscribe to our daily newsletter. We’ll send the news to your email box, and you don’t have to come to the site unless you want to read columns or see photos.
  3. You can contribute to the health of StrategyPage. A contribution is not a donation that you can deduct at tax time, but a form of crowdfunding. We store none of your information when you contribute..

Drake appreciates any help you can give him.

Subscribe   Contribute   Close