A North Korean cyberwarfare unit in 2009 penetrated a military network in Seoul, stole a computer password and used it to obtain sensitive data about the location of toxic-chemical manufacturers, said Lim Jong-in, dean of the Center for Information Security Technologies at Korea University, which trains the military in cyberdefense. He said the South has since hardened its military computer networks, but the North’s capabilities also are improving.
Cyberwarfare is the latest example of North Korea’s growing asymmetric capabilities, said Gordon Flake, executive director of the Mansfield Foundation, a think tank. He said that North Korea, “by most counts a failed state, is able to demand the attention of its much more successful neighbor to the south as well as other regions in the world” by developing programs in nuclear, chemical and biological weapons.
North Korea has trained at least 3,000 hackers in five years, said former North Korean computer science professor Kim Heung-kwang. Experts say the nation uses methods learned from the Chinese, who in their operations infiltrate as many systems as possible, in what is sometimes called the “thousand grains of sand” approach.
Kim, who taught hacking skills before defecting to South Korea, said North Korea identifies top math students in elementary school to allow for years of training, including classes on the finer points of code-breaking at one of four universities. Kim, whose account could not be independently verified, said that system produces about 50 recruits each year for the elite cyberwarfare Unit 121. They are then sent to China or Russia for additional training, he said.
Richard A. Clarke, a former White House cybersecurity and counterterrorism official who co-authored the 2010 book “Cyber War,” said North Korea, though much less sophisticated in its cyberwarfare ability than China and some other nations, could someday target the United States. “While a cyberattack on the United States seems like an irrational act for any nation state, North Korea regularly does things that seem like irrational acts,” he said.
South Korea blamed agents from the North for a “denial of service” operation July 4, 2009, that blocked access to at least 35 South Korean and U.S. government Web sites. In the incident, an army of zombie computers repeatedly accessed the sites, overwhelming servers to the point that they crashed. Commercial Web sites, including The Washington Post’s, also were affected.
In March, 29 South Korean government and corporate Web sites — including ones for the president and the Defense Ministry — crashed in another denial-of-service assault. Again, South Korea blamed North Korea.
The incident lasted 10 days, and it involved more than 100,000 zombie computers whose users had unknowingly downloaded malicious software. The software in the zombie computers was programmed to self-destruct on the final day, crippling the operating systems of hundreds of computers.
Dmitri Alperovitch, vice president of threat research for McAfee Labs, which examined the incident, said North Korea may have been trying to probe South Korea’s ability to respond to such an assault.
South Korean prosecutors said the April bank attack — which was more sophisticated than the denial-of-service operations because it required penetration of secure systems and deletion of data to disable servers — was staged from China, a common tactic because it allows North Korean hackers to avoid leaving a digital trail back to their nation.
“The bank attack was like shelling an island to create terror without attacking a high-value military target,” said McAfee’s Wicherski, in a reference to North Korea’s artillery attack on South Korea’s Yeonpyeong island in November.
Philip Kim, the chief executive and president of AhnLab, South Korea’s largest cybersecurity firm, said, “These days, the big pieces of South Korean society are all connected, and it’s very difficult to know which boundaries you have to protect. It’s an open war.”
Special correspondent Yoonjung Seo contributed to this report.