Author: Soo-Kyung Koo, Washington DC
Since the first large-scale distributed denial-of-service (DDoS) attack in July 2009, the South Korean government has consistently accused North Korea of responsibility for subsequent nationwide cyber incidents. Specifically, it blames a hacking and cyber warfare unit established in 2009 under the military-led Reconnaissance General Bureau.
The South Korean government has two reasons for suspecting North Korean involvement. The first is technical: malicious code attributed to North Korea has been found, and the attacks have been launched from domestic and foreign IP addresses known to be used by North Korea. Neither is a definitive indicator of guilt. A source IP address can be spoofed or hidden behind proxies and compromised machines, and malicious code is freely copied from other hackers who share it on hacking forums and elsewhere; both are within the reach of the average teenage hacker.
The second reason is motivation. Most of the targets have been government agencies, and even when financial institutions were attacked, the hackers sought sensitive or classified information rather than cash. Suspicion has, unsurprisingly, fallen on North Korea, which has a clear motive for such espionage. But it is a misstatement to say that the North Korean government is not interested in eCrime. It has regularly been involved in money laundering, counterfeiting and drug smuggling to earn foreign currency. A principal activity of the hackers in the government hacking unit is building tools that extract cash from online game websites, which are then sold to Chinese and Korean criminals. They also steal personal information from commercial websites.
This focus on external threats has, however, ignored the threat from within. South Koreans are polarised by their attitudes towards North Korea, and that polarisation extends to the virtual world. Anonymous, the hacking collective that has adopted the Guy Fawkes mask as its symbol of resistance, has taken an anti-North Korea stance, targeting in particular North Korean media websites with varying degrees of success. In line with this attitude, Anonymous announced its intention to carry out large-scale DDoS attacks on more than 20 North Korean websites on 25 June 2013, the anniversary of the outbreak of the Korean War.
Other hackers, however, take a different view. Notably, on 25 June, just hours before Anonymous launched its assault on North Korean websites, the website of the South Korean president’s office was the target of a DDoS attack, and visitors to the site were confronted with text praising Kim Jong-un, purportedly written by ‘Anonymous South Korea’. The South Korean government was quick to officially blame North Korea.
But the attack was most likely carried out by a South Korean individual, for two reasons. First, it did not look like a state-sponsored operation. The hacker’s other targets included USFK Classified, an automobile sales website. In another attack, the personal information of US soldiers that the hacker claimed to have exposed was most likely produced by a fake Social Security Number generator, since his alleged source, DefenseTalk.com, would be unlikely to hold that kind of data. The 25 June DDoS attack also leaked material from the president’s office, but this consisted not of confidential government documents or profiles of officials but of the basic registration details any website user is required to enter. Secondly, the hacker had exposed his own identity on his Twitter account before the attack: his personally identifiable information (PII) was public knowledge, and he had held multiple conversations with other Twitter users about his plans.
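The claim that the soldiers’ records came from a Social Security Number generator rather than a real breach can be put to a first-pass check before anyone speculates about attribution. What follows is an added example written for this page, not code from the article or from any of the parties it describes. It scores a list of claimed SSNs against the Social Security Administration’s published numbering rules (area 000, 666 and 900–999, group 00 and serial 0000 are never issued; two well-known dummy numbers are published as invalid; area numbers 734–749 and 773–899 were only opened up by the SSA’s June 2011 randomisation, so nobody enumerated before then can hold one). The sample dump, the function names and the wording of the findings are all constructed for the example.

```python
"""Triage a claimed dump of US Social Security Numbers for signs of fabrication.

Added example, not from the article. The structural rules are the Social
Security Administration's published numbering rules; the sample dump at the
bottom is constructed for illustration and contains no real person's number.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")

# Numbers the SSA has publicised as never valid for any individual
# (the 1938 Woolworth wallet number and the number used in SSA advertising).
KNOWN_DUMMY = {"078051120", "219099999"}


def normalise(raw: str) -> Optional[str]:
    """Return the nine digits of an SSN, or None if the string is not one."""
    m = SSN_RE.match(raw.strip())
    return "".join(m.groups()) if m else None


def structural_problem(digits: str) -> Optional[str]:
    """Explain why a number can never have been issued, or return None."""
    area, group, serial = int(digits[:3]), int(digits[3:5]), int(digits[5:])
    if digits in KNOWN_DUMMY:
        return "publicised dummy number"
    if area == 0 or area == 666 or area >= 900:
        return "area number never assigned"
    if group == 0:
        return "group number 00 never assigned"
    if serial == 0:
        return "serial number 0000 never assigned"
    return None


def unissued_before_2011(digits: str) -> bool:
    """True if the area number was only opened up by the SSA's June 2011
    randomisation. Anyone enumerated before then (almost every adult in
    2013, serving US soldiers included) cannot hold such a number."""
    area = int(digits[:3])
    return 734 <= area <= 749 or 773 <= area <= 899


def triage(raw_entries: List[str]) -> Dict[str, object]:
    """Score a list of claimed SSN strings and return the findings."""
    parsed = [normalise(s) for s in raw_entries]
    malformed = [s for s, d in zip(raw_entries, parsed) if d is None]
    digits = [d for d in parsed if d is not None]

    impossible: Dict[str, str] = {}
    for d in digits:
        problem = structural_problem(d)
        if problem:
            impossible[d] = problem

    duplicates = sorted(d for d, n in Counter(digits).items() if n > 1)
    plausible = {d for d in digits if d not in impossible}
    anachronistic = sorted(d for d in plausible if unissued_before_2011(d))

    findings = []
    if impossible:
        findings.append(f"{len(impossible)} number(s) could never have been issued")
    if anachronistic:
        findings.append(f"{len(anachronistic)} number(s) in ranges unissued before 2011")
    if duplicates:
        findings.append(f"{len(duplicates)} number(s) repeated")
    if malformed:
        findings.append(f"{len(malformed)} entry(ies) not SSN-shaped")

    return {
        "total": len(raw_entries),
        "malformed": malformed,
        "impossible": impossible,
        "duplicates": duplicates,
        "unissued_before_2011": anachronistic,
        "plausible_unique": len(plausible),
        "findings": findings,
    }


# Constructed sample dump (no real numbers): what a generator-fed "leak" can look like.
SAMPLE_DUMP = [
    "123-45-6789",  # structurally possible
    "219-09-9999",  # SSA advertising dummy
    "666-12-3456",  # area 666 is never assigned
    "555-00-1234",  # group 00 is never assigned
    "555-12-0000",  # serial 0000 is never assigned
    "800-22-3333",  # area 800 was not issued before the 2011 randomisation
    "123-45-6789",  # duplicate of the first entry
    "12-345-6789",  # not an SSN at all
    "987-65-4321",  # areas 900-999 are never SSNs
]

if __name__ == "__main__":
    result = triage(SAMPLE_DUMP)
    for line in result["findings"]:
        print(line)
    for number, why in result["impossible"].items():
        print(f"  {number}: {why}")
```

The asymmetry matters: a dump that fails these checks is fabricated or corrupted, but one that passes proves nothing, because a generator that respects the same rules would pass too. Definitive verification requires the SSA’s own records, which an outside analyst does not have, so the argument from source plausibility made above remains the decisive one.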
In the face of internal cyber threats, the National Intelligence Service has also performed poorly, and inter-agency response has been lacking. The National Intelligence Service has recently been criticised for information leaks, illegal interference, a bribery and corruption scandal involving its former chief, and for waging a psychological campaign against a particular party. North Korea’s hacking and cyber warfare unit does exist, and it is certainly a threat to South Korean cyber security. But framing every attack in anti-North Korean rhetoric only creates more confusion and obstructs a proper response to internal threats. What should be examined is not Kim Jong-un’s hacker unit but South Koreans themselves.
Soo-Kyung Koo is a freelance writer and associate at AVH, LLC, a Washington DC-based security reporting company.
A version of this article appeared in The Diplomat.