Saturday, 11 November 2017

India in the web of North Korean cyberwar

 Around one-fifth of North Korea’s cyber attacks originate from India, and this should set alarm bells ringing in the corridors of security establishments as well as the strategic community, explains Prabha Rao

According to studies by Recorded Future, a US-based cyber security firm, and Kaspersky, the Moscow-based multinational anti-virus and security company, around one-fifth of North Korea's cyber attacks originate from India. This is a matter which needs to set alarm bells not just ringing, but clanging, in the corridors of security establishments and the strategic community. North Koreans are not the minnows of the hacking world, and have, over the past decade, demonstrated cutting-edge skills in cyber attacks.

Seoul asserts that North Korea now has a functioning cyber army of over 7,000 hackers for its cyberwarfare operations, and that many of them may have been trained by the Chinese PLA's hacking Unit 61398, which specialises in advanced persistent threats (APT). The DPRK's cyber warriors have focussed on three objectives: salvaging the image of the leader; bolstering its weakening economy and outsmarting international trade sanctions; and countering US and South Korean security plans for the region, an objective which has Beijing's active support.

The DPRK's cyber hacking adventures started in the mid-1990s under Kim Jong-il, the father of the current dictator. Kim, like the Chinese leadership, was initially apprehensive about the Internet, which could challenge his regime's ironclad control over information, but realised its potential after North Korean computer scientists returning from travel abroad proposed using the web to spy on and attack 'enemies' such as the United States and South Korea. In 2003, Kim Jong-il told his military: "If warfare was about bullets and oil until now, warfare in the 21st century is about information." The DPRK then began sending promising students for special training to China's top computer science programmes; the US was another destination, as was India, which currently hosts around 60 such students in institutes around the country.

When Kim Jong-un succeeded his father in 2011, he broadened the DPRK's cyber strategy beyond espionage to include theft, harassment and the settling of political vendettas. According to Suh Hoon, Director of South Korea's National Intelligence Service, Kim Jong-un told his military in 2011 that "cyberwarfare, along with nuclear weapons and missiles, is an all-purpose sword that guarantees our military's capability to strike relentlessly".

Under his encouragement, attacks by the North Korean cyber warriors have burgeoned. To list a few: a hackers' group calling itself the Guardians of Peace broke into Sony Pictures Entertainment in November 2014, ostensibly to punish it for making a film lampooning Kim Jong-un. The wiper code they deployed destroyed data on some 70 per cent of Sony Pictures' laptops and desktop computers. In August 2014, an affiliated group targeted the British broadcaster Channel 4, which had planned a television series about a British nuclear scientist kidnapped in Pyongyang. The producers were intimidated and dropped the project.

In February 2016, hackers siphoned off $81 million from Bangladesh Bank, the country's central bank, via its account at the Federal Reserve Bank of New York. The spectacular feature of the attack was that it went beyond the traditional exploit of stealing the login credentials of bank account holders: the attackers compromised the bank's own SWIFT (Society for Worldwide Interbank Financial Telecommunication) environment and used its employees' SWIFT credentials to send some three dozen fraudulent transfer requests to the Federal Reserve Bank of New York, asking it to move hundreds of millions of dollars of Bangladesh Bank's funds to accounts in the Philippines, Sri Lanka and elsewhere in Asia. Around $81 million was deposited into four accounts at a Rizal Commercial Banking Corporation (RCBC) branch in Manila, each of which had been opened a few weeks earlier with only $500. The remaining requests were stalled because a spelling mistake in a beneficiary's name prompted a routing bank to query the transfer, not because of any fault in the technique.
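The heist succeeded on technique and was stopped only by a typo, which is the practitioner's complaint: the sending bank's own payment messages should have tripped controls before any correspondent looked at a beneficiary name. The following is an added example, not code from the article, from Bangladesh Bank or from SWIFT; it screens a constructed batch of outbound payment instructions against the kind of rules (first-time beneficiary, after-hours timing, single and batch value limits, a burst of instructions in a short window) that make such a batch stand out on its own. Every instruction, threshold and beneficiary identifier in it is constructed for illustration.

```python
"""Rule-based screening of outbound SWIFT-style payment instructions.

Added example, not code from the article or from any bank or SWIFT. All
instruction data, thresholds and the beneficiary list are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Instruction:
    ref: str             # message reference (constructed)
    sent_at: datetime    # local time at the sending bank
    beneficiary: str     # beneficiary account identifier (constructed)
    amount_usd: float


# Constructed allow-list of beneficiaries this institution has paid before.
KNOWN_BENEFICIARIES = {"DE-BUNDESBANK-001", "GB-BOE-RESERVE-7"}

# Constructed thresholds; a real bank would tune these per counterparty.
SINGLE_LIMIT_USD = 25_000_000
BATCH_LIMIT_USD = 100_000_000
BURST_WINDOW = timedelta(hours=1)
BURST_COUNT = 5
NON_BUSINESS_DAYS = {4, 5}      # Friday/Saturday: the Bangladesh weekend
BUSINESS_HOURS = range(9, 18)   # 09:00 to 17:59 local


def screen(instructions):
    """Return {ref: [reasons]} for each instruction that trips a rule.

    The key "BATCH" carries reasons that apply to the batch as a whole.
    """
    flags = defaultdict(list)
    by_time = sorted(instructions, key=lambda i: i.sent_at)
    for idx, ins in enumerate(by_time):
        if ins.beneficiary not in KNOWN_BENEFICIARIES:
            flags[ins.ref].append("first-time beneficiary")
        if ins.amount_usd > SINGLE_LIMIT_USD:
            flags[ins.ref].append("exceeds single-payment limit")
        if ins.sent_at.weekday() in NON_BUSINESS_DAYS or ins.sent_at.hour not in BUSINESS_HOURS:
            flags[ins.ref].append("sent outside business hours")
        # Burst rule: this instruction plus earlier ones inside the window.
        recent = [j for j in by_time[: idx + 1] if ins.sent_at - j.sent_at <= BURST_WINDOW]
        if len(recent) >= BURST_COUNT:
            flags[ins.ref].append("burst of instructions")
    total = sum(i.amount_usd for i in by_time)
    if total > BATCH_LIMIT_USD:
        flags["BATCH"].append(f"batch total {total:,.0f} USD exceeds limit")
    return dict(flags)


# Constructed sample: one routine daytime payment followed by five
# after-hours transfers to unknown accounts on a Thursday evening.
SAMPLE_BATCH = [
    Instruction("TX000", datetime(2016, 2, 4, 11, 0), "DE-BUNDESBANK-001", 1_000_000),
    Instruction("TX001", datetime(2016, 2, 4, 20, 5), "PH-RCBC-JUPITER-1", 20_000_000),
    Instruction("TX002", datetime(2016, 2, 4, 20, 7), "PH-RCBC-JUPITER-2", 25_000_000),
    Instruction("TX003", datetime(2016, 2, 4, 20, 9), "PH-RCBC-JUPITER-3", 30_000_000),
    Instruction("TX004", datetime(2016, 2, 4, 20, 12), "LK-NGO-FOUNDATION-9", 20_000_000),
    Instruction("TX005", datetime(2016, 2, 4, 20, 15), "PH-RCBC-JUPITER-4", 6_000_000),
]

if __name__ == "__main__":
    for ref, reasons in screen(SAMPLE_BATCH).items():
        print(ref, "->", "; ".join(reasons))
```

The routine payment TX000 produces no flags; every evening transfer is flagged at least for an unknown beneficiary and after-hours timing, the fifth one also as part of a burst, and the batch as a whole for exceeding the daily limit. None of these rules needs to know what the attacker typed in a beneficiary field.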

The incident sent shock waves through the banking system, since SWIFT is a cooperative that operates a closed global messaging network between member institutions. The SWIFT platform has over 11,000 users, including banks and brokerage houses, and carries over 25 million messages a day. It should be noted that the SWIFT network itself was not broken; what was compromised was the bank's own environment from which SWIFT messages are sent. Information then started trickling in about other banks whose SWIFT access had been compromised, and about advanced hacking techniques which led to the theft of millions of dollars' worth of Bitcoin and other crypto-currencies.

The Bangladesh Bank heist had been preceded by two other attacks: on a bank in the Philippines in October 2015 and on Tien Phong Bank (TPBank) in Vietnam in December 2015. The cyber security firm Symantec opined that "it was the first time a state had used a cyberattack not for espionage or war, but to finance the country's operations".

The DPRK hackers have also mastered what is termed the 'watering hole attack', in which the attacker compromises a website its intended victims are known to visit rather than approaching them directly. In early 2017, the hackers compromised the website of Poland's financial regulator, which then served malware to visiting bank staff; the attack code profiled visitors by their network address so that only selected institutions were infected, and banking details were gleaned from them. This access was used both for larceny and to move stolen currency around.

Given the hackers' unquestionable expertise, banks all over the world are apprehensive about another round of hacking sprees from North Korea in reaction to the slew of current international sanctions against Pyongyang. Dmitri Alperovitch, chief technology officer of the well-known US cybersecurity firm CrowdStrike, confirmed in May 2017 that North Korean hackers had stolen hundreds of millions of dollars from banks over the past three years. Banks are concerned that Pyongyang's hackers are using wiper malware and its variants not only for heists but to disrupt banking networks, which could have major international financial implications. A wiper destroys the data on the machines it infects rather than stealing it; the wiper used by the North Koreans is similar to Shamoon, the malware attributed to Iran that hit Saudi Arabia's main oil company, Aramco, in 2012, infecting some 30,000 Aramco computers and 10,000 servers and destroying their data, causing tremendous damage.

In 2013, North Korean hackers operating from computers inside China used the same techniques against the networks of three major South Korean banks and two of the country's largest broadcasters, erasing data and paralysing business operations. This raises an uncomfortable question: would North Korea resort to destructive attacks on banks if it had serious concerns about a US and South Korean attack?

Moreover, the North Korean hackers' expertise has advanced to a level where they have been able to seriously compromise South Korea's security. It was disclosed on October 31 this year that hackers from the DPRK had infiltrated computer systems at Daewoo Shipbuilding & Marine Engineering (DSME) in South Korea and made off with sensitive information on warships and submarines, including the destroyer Yulgok Yi I, a vessel that carries the US Navy's Aegis Combat System. According to South Korean intelligence, around 60 classified military documents, with information on construction technology, blueprints of ships and submarines, weapons systems and evaluations of them, were compromised along with some 40,000 other documents.

In September 2016, in what was considered a technical feat, North Korean hackers infected around 3,200 computers, including 700 connected to the South Korean military's internal network, which is normally disconnected from the Internet, among them a computer used by the Defence Minister. The hackers first infiltrated the network of a company providing the ministry with a 'vaccine' (anti-virus) service in 2015, then in August 2016 used that vaccine server to push malicious code to the military's Internet-connected computers, from which the malware was carried into the intranet during maintenance. According to US agencies, the hackers used IP addresses in Shenyang, China, an area where North Korean hackers are often trained and operate from. The attack on South Korea's military networks resulted in the theft of 235 gigabytes of data. The stolen data reportedly included details of three secret plans, one of them Operations Plan 5015 (OPLAN 5015), which covers a potential 'decapitation strike' targeting Kim Jong-un in the event of actual combat, given the growing nuclear and missile threat from North Korea. Unsurprisingly, the US Defence Secretary, Jim Mattis, recently announced that the military plans for dealing with North Korea have been rewritten in response. The lesson for defenders is that an air gap is only as strong as the update channels and maintenance procedures that cross it: a trusted anti-virus update server is a supply-chain path into the isolated network, and whatever crosses that boundary needs to be verified independently of the vendor that supplied it.

Why does this directly affect India's security? I go back to my initial statement: one-fifth of all North Korean attacks were perpetrated from India. Data studied by cybersecurity firms demonstrate that there are significant physical and virtual North Korean presences in several nations, namely India, Malaysia, New Zealand, Nepal, Kenya, Mozambique and Indonesia, from which the DPRK conducts its criminal activities. All these countries have weak cybersecurity ecosystems. A study of the impact of the WannaCry ransomware, attributed to the North Korean Lazarus Group and the cause of huge international losses, would show that India has not only been the unwitting platform for these hackers, but also a victim.

North Korean students are pursuing computer science at around seven universities in India. The knee-jerk reaction is to obliquely blame them for these illegal activities, but it is not yet clear whether they were involved, or whether they had support from other groups, including local elements. It needs to be mentioned here that intrusions by North Korean hackers targeting the Indian Space Research Organisation's National Remote Sensing Centre and the National Metallurgical Laboratory have also come to light.

The control node for much of the North Korean activity appears to be in Shenyang, in north-east China, and not in the DPRK itself. A number of Internet access points are provided by Chinese telecommunications companies. For instance, China Netcom, a state-run telecommunications company, has allocated the address range 210.52.109.0/24 to a North Korean network registered under the netname 'KPTC' (Korea Posts and Telecommunications Co.).

Apart from this, Chinese services such as Alibaba's Taobao and Aliyun, which offer mail services, and Youku, a video hosting site, are also being used by North Korean hackers. They have also used effective obfuscation, including a wide range of Virtual Private Network (VPN) and Virtual Private Server (VPS) services. Surprisingly, many of the providers are large and well-known Western companies, such as Sharktech, iWeb, Digital Ocean, Linode, Leaseweb USA, Telemax, Touch VPN and others. It is not clear how these services were purchased and how they continue to be leveraged. None of this obfuscation is exotic: a hosting account at a Western VPS provider is enough to make traffic appear to originate from North America or Europe, which is why geographic blocking of North Korean or Chinese address space offers little protection by itself. Cyber security experts have opined that some North Korean espionage activities could also be directed by China, which has the advantage of deniability in this matter.
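The address range attributed to KPTC above is the kind of indicator a defender can actually act on, and the VPN and VPS providers listed are the reason it is not enough on its own. The following is an added example, not code from the article or from Recorded Future; it parses a few constructed sshd-style log lines, attributes each source address to the most specific matching network, and tallies events per attributed network. The 210.52.109.0/24 range is the one the article cites; the two other ranges are constructed placeholders standing in for hosting-provider allocations, not real ones, and the log lines are constructed as well.

```python
"""Attribute connection source IPs to known network allocations.

Added example, not code from the article or from Recorded Future. The
210.52.109.0/24 range is the one the article attributes to KPTC via China
Netcom; every other range and all log lines are constructed placeholders.
"""
import ipaddress
import re
from collections import Counter

ATTRIBUTED_RANGES = {
    "KPTC via China Netcom (range cited in the article)": ["210.52.109.0/24"],
    # Constructed placeholders for VPS/VPN provider ranges. A real deployment
    # would load these from the providers' published allocations or a
    # threat-intelligence feed, and refresh them regularly.
    "hypothetical-vps-provider-A": ["198.51.100.0/24"],
    "hypothetical-vpn-provider-B": ["203.0.113.0/24"],
}

# Pre-parse to (label, network), most specific prefix first so that a /24
# inside a provider's /16 would win over the broader allocation.
_NETWORKS = sorted(
    ((label, ipaddress.ip_network(cidr)) for label, cidrs in ATTRIBUTED_RANGES.items() for cidr in cidrs),
    key=lambda pair: pair[1].prefixlen,
    reverse=True,
)


def attribute(ip_text):
    """Return the label of the most specific matching range, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:          # garbage in the log, not an address
        return None
    for label, net in _NETWORKS:
        if ip.version == net.version and ip in net:
            return label
    return None


# Constructed sshd-style auth log lines (not from any real host).
SAMPLE_LOG = """\
Feb 10 02:14:07 bastion sshd[2211]: Failed password for root from 210.52.109.77 port 50122 ssh2
Feb 10 02:14:09 bastion sshd[2211]: Failed password for root from 210.52.109.77 port 50123 ssh2
Feb 10 02:15:30 bastion sshd[2240]: Accepted publickey for deploy from 198.51.100.23 port 41000 ssh2
Feb 10 03:01:11 bastion sshd[2301]: Failed password for admin from 203.0.113.9 port 33010 ssh2
Feb 10 03:05:44 bastion sshd[2310]: Accepted password for alice from 192.0.2.14 port 52000 ssh2
"""

# Matches the common "Accepted/Failed <method> for <user> from <ip> port" form.
LINE_RE = re.compile(r"sshd\[\d+\]: (?P<event>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<ip>\S+) port")


def scan(log_text):
    """Return {label: Counter((event, user, ip))} for attributed sources only."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        label = attribute(m["ip"])
        if label is None:       # unattributed source: nothing to report
            continue
        hits.setdefault(label, Counter())[(m["event"], m["user"], m["ip"])] += 1
    return hits


if __name__ == "__main__":
    for label, counter in scan(SAMPLE_LOG).items():
        print(label)
        for (event, user, ip), n in counter.items():
            print(f"  {event:8} {user:8} {ip:16} x{n}")
```

The two failed root logins from the KPTC range are the easy case. The accepted key-based login from the placeholder VPS range is the one that matters in practice: it looks like any other customer of that provider, so a match against hosting-provider space is a prompt to check who owns that key and why it is used from there, not a verdict on its own.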

This brings us to the point: the North Korean role in India underscores our cyber vulnerabilities and highlights the potential fiscal and security threats we face through malicious cyber exploits. The security of our UIDAI (Aadhaar) data, which is linked to all our banking and other financial activities, is under question, with periodic leaks surfacing. The prowess demonstrated by the DPRK in hacking into South Korean military networks is a matter of serious disquiet, especially as the possibility of such hackers acting at Chinese or even Pakistani behest cannot be considered improbable. Our cyber deterrence needs an urgent makeover. Our security agencies were unable to detect this malicious cyber activity until it was highlighted by Recorded Future, a US-based cyber security firm.

Cybercrime has emerged as a far more serious threat to the nation than online radicalisation. In this regard, the MHA's plan to create a special division for cybersecurity and one for online radicalisation is to be welcomed. But time is not in our favour: China has far surpassed us in cyber technology, and the aggressive North Koreans have found us a somewhat soft target. We need to remedy matters fast. There is an imperative need for a unified metadata system and public-private partnership in this sphere. Workforce augmentation for cybersecurity is crucial, and training in these skills should become a nodal programme for the Niti Aayog. Otherwise, digital disaster could be the next challenge confronting us.
