
How North Korean hackers stole 235 gigabytes of classified US and South Korean military plans

North Korea’s impressive cyber capabilities, explained.


In September 2016, North Korean intelligence services stole a huge batch of classified US and South Korean military plans — including a plan to assassinate North Korea’s dictator Kim Jong Un and other top government officials.

Yet this was not the stuff of an old-school John le Carré spy novel, with shady figures in trench coats exchanging documents at a dark rendezvous spot in the woods. North Korea’s data theft was done entirely through computer systems.

According to a South Korean politician, in the fall of 2016 North Korean hackers gained access to South Korea’s Defense Integrated Data Center and stole 235 gigabytes of classified military plans. Two plans in particular stand out: One was for how to respond to an attack on South Korea by North Korean commandos. The other was the plan for what’s called a “decapitation strike,” an operation that would specifically target Kim and other key government officials loyal to the regime. But the full extent of what was stolen is still unknown.

The fact that we’re only just now learning of the extent of the burglary, more than a year after it happened, is a testament to North Korea’s immense cyber capabilities.

But wait a second — how did an impoverished country like North Korea end up with such impressive hacking abilities? And are they really that impressive? Or is our information just really easy to steal?

It turns out that while we’ve been (understandably) focused on North Korea’s nuclear weapons and ballistic missiles, the country has been quietly developing another powerful tool — a selection of malware and malicious code, a veritable cyberweapons cache.

How did North Korea pull it off?

North Korea is one of seven nations generally regarded as “cyberpowers” — countries with the ability to mess around in the information systems of other countries. (Besides North Korea, the major cyberpowers are the United States, Russia, China, the United Kingdom, Iran, and France.)

In 2014, North Korean hackers conducted a major operation against Sony in the United States in retaliation for the Sony Pictures film The Interview, a Seth Rogen and James Franco comedy depicting a fictional assassination of Kim Jong Un — a cyberattack that some political commentators labeled an act of war.

This latest theft of military documents combined a supply-chain compromise with human error. As the Wall Street Journal reports, the North Korean hackers first gained access to a South Korean company that makes the antivirus software used by the South Korean military. Antivirus software runs with high privileges on every machine it protects and is trusted to update itself from its vendor, so a compromised vendor is a valuable foothold: it provided the path for North Korean hackers into South Korean military computers.

Normally, the military database they hacked, which sits on a separate, secured intranet, would have been unreachable from the outside. But a contractor working at the data center left a cable in place that connected the military intranet to the internet, giving the North Korean hackers a route to the database of sensitive documents.

That connection remained in place for more than a year and wasn’t detected until September 2016. North Korean state media has denied involvement in the attack, claiming instead that South Korea made up the whole thing.
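The failure described above is a bridge between an isolated network and the internet that nobody noticed for a year. One routine check that catches that class of mistake, added here as an example and not part of the article or of any tooling the data center actually used, is an audit over a host inventory that flags any machine holding an address on the isolated network while also having an interface or default route outside it. The inventory format, the hostnames and the address ranges below are constructed for illustration.

```python
"""Audit a host inventory for machines that bridge an isolated network to the
outside world (dual-homed hosts or hosts whose default route leaves the network).

Added example; the inventory schema and every address below are constructed.
"""
import ipaddress
from typing import Dict, List

# Constructed for this example: the address space assigned to the isolated
# ("air-gapped") network. In practice this comes from the network design docs.
ISOLATED_NETS = [ipaddress.ip_network("10.200.0.0/16")]


def _in_isolated(addr: str) -> bool:
    """True if addr belongs to one of the isolated network ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ISOLATED_NETS)


def classify_host(host: Dict) -> Dict:
    """Summarise which side(s) of the boundary a host touches.

    host = {"name": str,
            "addrs": [interface addresses as strings],
            "gateway": default gateway as a string, or None}
    """
    isolated_addrs = [a for a in host["addrs"] if _in_isolated(a)]
    outside_addrs = [a for a in host["addrs"] if not _in_isolated(a)]
    gw = host.get("gateway")
    # A default gateway that is not on the isolated network is a route out of it,
    # even when every interface address looks "internal".
    outside_gw = gw is not None and not _in_isolated(gw)
    return {
        "name": host["name"],
        "on_isolated": bool(isolated_addrs),
        "path_out": bool(outside_addrs) or outside_gw,
    }


def find_bridges(hosts: List[Dict]) -> List[str]:
    """Names of hosts that sit on the isolated network AND have a path out of it."""
    return [c["name"] for c in map(classify_host, hosts)
            if c["on_isolated"] and c["path_out"]]


# Constructed inventory, of the kind a config-management or NAC system exports.
SAMPLE_INVENTORY = [
    {"name": "ddc-db-01", "addrs": ["10.200.1.10"], "gateway": "10.200.1.1"},
    {"name": "ddc-fs-02", "addrs": ["10.200.1.11"], "gateway": None},
    {"name": "office-pc-22", "addrs": ["172.16.40.13"], "gateway": "172.16.40.1"},
    # Dual-homed: one foot on the isolated network, one on the office LAN.
    {"name": "contractor-ws-07", "addrs": ["10.200.5.23", "172.16.40.12"],
     "gateway": "172.16.40.1"},
    # Misrouted: only an isolated address, but its default route leaves the network.
    {"name": "ddc-ws-31", "addrs": ["10.200.7.4"], "gateway": "172.16.40.1"},
]

if __name__ == "__main__":
    for name in find_bridges(SAMPLE_INVENTORY):
        print("bridge:", name)
```

Run against a fresh inventory export on a schedule: the two flagged hosts here are the dual-homed workstation and the machine whose default gateway lies outside the isolated range, while the hosts that only ever talk inside that range pass. The check is deliberately cheap so it can run daily, which is the point when a rogue link can otherwise survive for a year.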

How did a country like North Korea develop such impressive cyber capabilities?

Computer scientists are the key to creating and maintaining new cyberweapons, but there’s also a great deal of reverse-engineering that goes on. For instance, in 2012 Iran used cyber tools to wipe and render useless 35,000 computers at Saudi Aramco, one of the world’s biggest oil companies. The tools Iran used in the Saudi Aramco attack were largely modifications of tools that had attacked Iran, now redesigned for different targets.

“[For] everybody, once your code gets out on the internet, it’s possible that someone else can intercept, copy, and modify [it] for their own use,” says Bob Gourley, co-founder of the security consultancy firm Cognitio and a veteran of the intelligence community.

“North Koreans might be borrowing code they saw in a Russian attack,” Gourley says, but that “doesn’t mean Russians and North Koreans are collaborating. [It] just means they saw that code and modified it, or they may be modifying code of some hacker or some criminal groups.”

“Everyone starts to build upon other people’s exploits,” he adds.

But North Korea has the smallest economy of all the cyberpowers, with a GDP estimated at somewhere between that of Vermont and Wyoming. How, then, can it so effectively fund the kinds of computer scientists needed to maintain such a potent cyber capability?

Part of the answer has to do with the nature of the North Korean economy itself. The North has what’s known as a “command economy,” which means that the central government basically controls every single aspect of the economy, including the production and distribution of goods and services.

As a result, the regime is able to direct as many resources as it wants toward military programs within the country, like its nuclear project and its cyber program, even in the face of strict foreign sanctions.

The other reason is that North Korea’s cyber division actually makes a lot of money on its own, thanks to the country’s willingness to have its military programmers engage in straight-up crime.

“There are remarkable similarities between North Korea and an organized crime group,” says William Carter, deputy director of the technology policy program at the Center for Strategic and International Studies, a Washington think tank.

For instance, Carter says, North Korea’s cyber division “used a pretty sophisticated scheme to send false payment orders through the SWIFT [banking] network and got hundreds of millions of dollars transferred out of the banks of Bangladesh, the Philippines, Vietnam, Ecuador, and others and into accounts controlled by [the] North Korean government.”

When your hackers are bringing in that kind of cash, paying their salaries becomes a whole lot easier.

Why would North Korea launch cyberattacks?

While North Korean attacks and intrusions make headlines, it’s safe to assume that every country with the capability to do so is actively watching, tracking, and spying on the cyber capabilities of other countries. So it’s not the use of cyber operations itself that sets North Korea apart from other nations.

“The challenge is that North Korea's objectives are a lot about being able to lash out,” says Michael Sulmeyer, director of the Cyber Security Project at Harvard’s Belfer Center, “and they’re also limited in other ways they could insert themselves, cut off from so much of the global economy.”

With an army focused on the South, a navy that is limited in reach, and an air force oriented toward defense, North Korea’s main ways to threaten countries beyond its immediate borders are with missiles or with cyber intrusions.

Having a robust hacking capability means that Pyongyang can attack those who make both fictional depictions of Kim Jong Un’s assassination and actual military plans for such an event. Kim inherited not just his father’s nuclear program but his grandfather’s intense paranoia, and the whole orientation of the regime is built around ensuring his survival.

Kelsey Atherton is a defense technology journalist based in Albuquerque, New Mexico. Find him on Twitter @athertonkd.
