Cyberwars on the Korean Peninsula

What Kim Jong-un’s regime fears most is the inability to sustain information control inside North Korea.

In addition to nuclear and ballistic missile programmes, North Korea has been developing cyber-related offensive military capabilities, writes Raska [AP]

For nearly six decades, South Korea’s (ROK) approach to security has focused on sustaining the status quo: maintaining deterrence and a robust defence posture in order to prevent another major conflict on the Korean Peninsula.

Three mutually reinforcing strategic pillars – defensive deterrence, alliance with the US and forward active defence – have long defined South Korea’s conception of national security, its force structure and the operational conduct of its armed forces.

But since the late 1990s, South Korea’s security dilemmas have become progressively more “hybrid” and multi-faceted. Traditional threats, scenarios and contingencies linked to a high-intensity conventional war with North Korea have been converging with a range of asymmetric and non-linear security challenges, including nuclear weapons, ballistic missiles and, increasingly, information and cyber warfare.

Given its continuing political and socio-economic isolation, North Korea’s military has shifted its focus towards forms of asymmetric negation, probing any vulnerability in the US-ROK alliance in order to offset the alliance’s qualitatively superior technology. In addition to its nuclear and ballistic missile programmes, North Korea has been developing cyber-related offensive military capabilities.

Computer network operations, both offensive and defensive, coupled with information warfare strategies and tactics, provide new types of “force multipliers” for North Korea. They can be viewed as new “weapons of mass effectiveness”.

Operating against distant adversaries

This new “weapon” offers several advantages: the ability to operate rapidly against distant adversaries without committing combat personnel; the ability to act in secret, minimising exposure, attribution and the subsequent risk of counterattack; and the use of cyber weapons to disrupt, deny, destroy or subvert key nodes of critical national infrastructure, including communications systems, banking and finance, logistics and transportation systems, national databases and other vital information grids.

In this context, North Korea has engaged in three principal types of cyber operations vis-a-vis South Korea: First, cyber-espionage to obtain information and intelligence about US-ROK military means, capabilities, and strategies; second, computer network attacks aimed at denying, disrupting or destroying South Korea’s information infrastructure; and third, misinformation and deception operations to shape broader internal and external strategic communications, perceptions, and narratives.

In the cyber-espionage category, North Korea’s primary overseas intelligence-gathering unit, operating under the State Security Agency (SSA), is believed to rely increasingly on cyber techniques to access information, steal sensitive data and monitor foreign communications. Among the elite military cyber units, North Korea’s cyber espionage is led by the hacker Unit 110, operating under the Reconnaissance Bureau of the North Korean Army General Staff.

In 2009, the South Korean National Intelligence Service and the Defense Security Command reported that Unit 110 had intercepted confidential defence strategy plans, including OPLAN 5027, which details US-ROK responses to potential North Korean provocations.

In the same year, North Korean hackers reportedly stole information from the South Korean Chemical Accidents Response Information System (CARIS), developed by the National Institute of Environmental Research under the Ministry of Environment. They did so after infiltrating the computer network of the ROK Third Army headquarters and using a password obtained there to access CARIS’ Center for Chemical Safety Management.

In the category of computer network attacks, North Korea has attempted to disrupt South Korea’s sophisticated digital information infrastructure, using cyber attacks to shut down major websites, disrupt the online services of major banks and probe South Korea’s readiness to mitigate cyber attacks.

These include the distributed denial-of-service (DDoS) attacks against some four dozen targets in South Korea and the US in 2009, as well as the “Ten Days of Rain” DDoS attacks of 2011, which targeted South Korean government websites and the networks of US Forces Korea (USFK) for 10 days.

The combination of clearly defined targets, highly destructive malware, multiple encryption algorithms and a multi-tiered botnet architecture preconfigured to run for a specific duration led to the conclusion that the attack had been set up by North Korea to test and observe how quickly it would be discovered, reverse engineered and mitigated.

Classical deception

In the category of information warfare operations, North Korea has relied on classical deception to alter the perceptions of its strategic plans. Prior to its rocket launch in December 2012, and subsequent third nuclear test in February 2013, North Korea manipulated news stories as part of a deliberate deception campaign to hide its real intentions.

In the case of the 2012 rocket launch, North Korea manipulated the timing of the launch so that US intelligence satellites would not be overhead. Several days before the launch, Pyongyang announced technical problems with the rocket. At that time, US spy satellites observed the North Koreans taking apart the three-stage rocket and moving the parts away from the launch pad. North Korea, however, launched the rocket without any delay, catching US-ROK military and intelligence agencies off guard.

As North Korea develops offensive cyber and information warfare capabilities, future conflicts on the Korean Peninsula will be linked with confrontations in and out of cyberspace: cyber attacks on the physical systems and processes that control critical information infrastructure, information operations and various forms of cyber-espionage.

Deterring North Korea’s “hybrid” threats, whether nuclear or cyber-related, will be increasingly challenging. While South Korea has established a new cyberwarfare command designed to counter North Korean cyber threats, it must show greater adaptability in its defence planning.

This means a comprehensive strategy that engages the instruments of both soft power (diplomacy) and hard power (military force) to shape the conditions for change in North Korea. South Korea’s military lines of action should intensify the use of information operations that provide North Koreans with outside news and information capable of altering their internal socio-political and economic narrative.

North Korea may try to use nuclear and cyber threats to instil fear in the outside world. What the Kim Jong-un regime fears most, however, is the inability to sustain information control inside North Korea.

Michael Raska is a Research Fellow at the Institute of Defense and Strategic Studies, a constituent unit of the S Rajaratnam School of International Studies (RSIS), Nanyang Technological University in Singapore.