The Increasing Complexity of Cyberwar: North Korean Hackers Stole Joint U.S.-South Korea War Plans


South Korean ruling party lawmaker Lee Cheol-hee yesterday announced that North Korean hackers stole 235 GB of data from South Korea's Defense Integrated Data Center in September of 2016, including operational plans drawn up by Seoul and Washington for all-out war with North Korea, Yonhap News reports.

Lee said the data includes detailed plans for "decapitating" the North Korean leadership in case of war, as well as contingency plans for South Korea's special forces, reports to allies' top commanders, and information on key military facilities and power plants.

Still, Lee said, almost 80 percent of the stolen documents haven't yet been identified. "The Ministry of National Defense has yet to find out about the content of 182 GB of the total [stolen] data," he said.

Pentagon spokesman Colonel Rob Manning told Yonhap that he couldn't confirm whether there was a breach, but that all key information remains secure. "I can assure you that we are confident in the security of our operations plans and our ability to deal with any threat from North Korea," he said.

"We'll continue to work closely with our partners in the international community in identifying, tracking and countering any cyber threats," Manning added.

Increasing Pressure

AlienVault threat engineer Chris Doman told eSecurity Planet by email that the hacker group responsible for the attacks is likely a subgroup of the attackers behind WannaCry, the Sony breach, and the SWIFT hacks. "They are very active, and I continue to see new malware samples from them every week," he said.

Comodo senior research scientist Kenneth Geers said by email that as the U.S. and North Korea exchange threats on Twitter, the pressure is increasing on their intelligence agencies to conduct cyber espionage.

"In Ukraine, the number of cyber attacks, and their level of sophistication, rose with fighting on the ground," he said. "The threat of sudden decapitation via cyber and traditional strikes may force Kim Jong-un into making desperate moves."

"Cyber is more unpredictable than traditional weaponry, because you may lose control of your assets before you know it," Geers added. "Given that the risk is international nuclear war, there are no limits on what both sides might do in cyberspace to prepare the battlespace, in an effort to improve the prospects of victory for their side."

It's likely, Geers said, that North Korean hackers are already active in various parts of the U.S., planning sabotage operations in case of war. "It is possible that North Korea might receive cyber help from Russia and/or China, who may perceive an interest in undermining U.S. geopolitical goals, as well as testing national cyber capabilities," he said.

Hacking Back

It's becoming increasingly challenging to anticipate and respond to these types of threats. Last week, German intelligence official Hans-Georg Maassen told Germany's parliamentary oversight committee that the country's intelligence agencies need legal authority to "hack back" in response to state-sponsored cyber attacks, Reuters reports.

Maassen, president of Germany's domestic intelligence agency, said it should be possible to "infect" foreign servers with software that would enable monitoring of any operations against German targets. "In the real world, it would be like turning a foreign intelligence agent and getting them to work for us. ... Something like this should be possible in the cyber world too," he said.

"These are 'hack back' instruments, but they are below the threshold of destroying or incapacitating a foreign server," Maassen added.

Bruno Kahl, head of Germany's foreign intelligence agency, told the committee that his agency already has the ability to destroy foreign servers, but not the legal authority to do so.

Still, High-Tech Bridge CEO Ilia Kolochenko told eSecurity Planet that this could easily prove to be a slippery slope. "At first glance, a hack back concept sounds fair and reasonable," he said, but he noted that attribution is always a challenge.

Since it's already possible to purchase access to hacked systems of governments and law enforcement agencies on the Dark Web, Kolochenko said, nation-state actors could just buy compromised systems in order to frame them for an attack. "Legal questions intertwined with the hack back are much less complicated compared to practical problems we may face," he said.