Authors: Bobby Akart
Cyber Warfare (8 page)
The RGB is now responsible for extensive operational cyber missions that assist the government in achieving the objectives of its political provocations. The cyber units most frequently linked to RGB are
Unit 121
and
Lab 110
. The English translation—
Unit
or
Lab—
does not accurately reflect their importance within the North Korean military bureaucracy. There are four bureaus comprising the RGB—1st Operations Bureau, 2nd Reconnaissance Bureau, 3rd Foreign Intelligence Bureau, and 6th Technical Bureau.
Unit 121
and
Lab 110
would be subordinate to or synonymous with the 6th Technical Bureau. It is also likely that the 3rd Foreign Intelligence Bureau has a cyber espionage component as well.
Unit 121
has been typically linked to the
DarkSeoul
attack. In March of 2013, three South Korean broadcast networks, and a major bank suffered cyber attacks via malware known as
DarkSeoul
. The malware infected the computer systems so extensively, most had to be replaced and large volumes of data were lost. Because the attacks were routed through proxies located in China, attribution to the North Koreans was not possible.
Lab 110
has been accused of using a bogus information technology company in Shenyang to sell malicious software to South Korean customers. The exact operational relationship between Unit 121 and Lab 110 is not known. There is a possibility that offensive cyber operations could be easily combined with human intelligence or covert operations capability for military purposes.
In North Korea, the General Staff Department (GSD) of the Korean People’s Army (KPA) is broadly comparable to the U.S. Joint Chiefs of Staff and oversees the operational aspects of the entire KPA. As such, it has authority over numerous operational cyber units, including units tasked with political subversion, cyber warfare, and operations such as network defense. North Korea is in the process of assembling these units into an overarching cyber command and control structure. Currently, the GSD’s Operations Bureau has been attributed with conducting cyber operations, but intelligence information about the scope of these activities, as well as the various units conducting them, has been spotty.
Kim Jong-un directly oversees the GSD’s position in government. Analysts surmise that the bulk of North Korea’s offensive cyber operations is housed in RGB, a black operations organization. Because its GSD missions stem from electronic warfare, this portends strong implications for what the North Koreans tend to target, what type of attack they rely on, and what mission they hope to achieve via cyber warfare.
Pursuant to the claims of people who have escaped into South Korea, their primary target is Western critical infrastructure. The cyber army on Unit 121 is trained and operates for this primary purpose.
It is widely known that North Korea has the highest percentage of military personnel in relation to population—roughly forty enlisted soldiers per thousand people.
In 2013, a defector declared that North Korea was increasing its cyber warfare unit to staff eight thousand people, and it was undertaking a massive training program for its young prodigies to become proficient in cyber warfare.
Last year, new revelations on the cyber capabilities of North Korea confirmed that the government of Pyongyang doubled the number of the units of its cyber army. According to reports, the number of cyber warriors of the North Korea has also established overseas bases for hacking attacks.
North Korea wants to demonstrate its cyber capabilities to the rest of the world. According to reports, a Stuxnet-style attack designed to destroy a city has been prepared by North Korea and is a feasible threat to the smart grids of the United States.
According to intelligence agencies, North Korean hackers are responsible for numerous cyber attacks worldwide, including the clamorous Sony hack and a targeted offensive on South Korea Hydro and Nuclear Power Plant. Although the nuclear plant was not compromised by the attack, if the computer system controlling the nuclear reactor were compromised, the consequences could be unimaginably severe and cause extensive casualties.
Clearly, if North Korea continues to escalate its cyber attacks on a critical infrastructure, it’s only a matter of time before significant loss of life occurs.
SYRIAN ELECTRONIC ARMY
The Syrian Electronic Army (commonly known as the "SEA") is a group of computer hackers which first surfaced online in 2011 to support the government of Syrian President Bashar al-Assad. Using spamming, website defacement, malware, phishing, and denial of service attacks, it has targeted political opposition groups, Western news organizations, human rights groups and websites that are seemingly neutral to the Syrian conflict. It has also hacked government websites in the Middle East and Europe, as well as US defense contractors. According to U.S. intelligence agencies, the SEA has become the first Arab country to have a state-sponsored
internet army
hosted on its national networks to openly launch cyber attacks on its enemies.
The SEA has focused its cyber activities in four key areas:
Use of website defacement and electronic surveillance against its adversaries
—namely the Syrian rebels. The SEA has carried out surveillance to discover the identities and location of Syrian rebels, using malware, phishing, and denial of service attacks.
Defacement attacks against Western media websites
based on the belief these sites spread news adverse to the interests of the Syrian government. Targeted companies include news websites such as BBC News, the Associated Press, National Public Radio, CBC News, Al Jazeera, Financial Times, The Daily Telegraph, The Washington Post, Syrian satellite broadcaster Orient TV, and Dubai-based al-Arabia TV, as well as rights organizations such as Human Rights Watch.
Spamming popular Facebook pages
with pro-regime comments. The Facebook pages of President Barack Obama and former French President Nicolas Sarkozy have been targeted by SEA spam campaigns.
Global cyber espionage
is another function of the SEA. Technology and media companies, allied military procurement officers, US defense contractors, and foreign attaches and embassies have all fallen victim to the SEA’s cyber vandalism.
The SEA's tone and style vary from the serious and openly political to ironic statements intended as critical or pointed humor. For example, the SEA tweeted from the Twitter account of 60 Minutes the following:
Exclusive: Terror is striking the #USA and #Obama is Shamelessly in Bed with Al-Qaeda
. In July 2012, the SEA posted from Al Jazeera's Twitter account:
Do you think Saudi and Qatar should keep funding armed gangs in Syria in order to topple the government
? In another attack, members of SEA used the BBC Weather Channel Twitter account to post the headline:
Saudi weather station down due to head on-collision with a camel
.
U.S. analysts rank Syria well behind the top four of China, Russia, Iran and North Korea in its cyber capabilities. They are considered at the vandalism level. But the recent interjection of Russia into the Syrian crisis in 2015 leads many to believe that the government of Bashar al-Assad will receive a boost in its cyber programs courtesy of advanced Russian technologies.
ISIS
Islamic terrorists have threatened an all-out cyber war against the United States, and experts say the warnings should be taken seriously.
Hackers claiming affiliation with the ISIS released a video in the spring of 2015 vowing an
electronic war
against the West and claiming access to
American leadership
online.
“Praise to Allah, today we extend on the land and on the Internet,” a faceless, hooded figure said in Arabic. “We send this message to America and Europe: We are the hackers of the Islamic State, and the electronic war has not yet begun.”
As hackers around the world become more sophisticated, terrorist groups are likely to emulate their activities. It’s only really a matter of time until terrorist organizations begin using cyber techniques in a more expanded way. As an organization like ISIS acquires more resources financially, they will be able to hire the talent they need or outsource to criminal organizations.
Military officials agree. Director of the National Security Agency, Admiral Michael Rogers, called the pending shift a great concern and something that the U.S. military and intelligence communities pay lots of attention to.
“At what point do they decide they need to move from viewing the Internet as a source of recruitment … [to] viewing it as a potential weapon system?” Rogers asked.
While ISIS has been widely recognized for its social media recruiting capabilities, the growing computer science talent of its recruits has mostly gone unnoticed. Some of the individuals that have recently joined the movement of ISIS are students of computer science in British schools and European universities. As a result, the cyber capabilities of ISIS are advancing dramatically. Even the man reportedly responsible for a number of the brutal ISIS beheadings, dubbed
Jihadi John
by his captives, has a computer science degree.
Part of the danger of the ISIS threat is the group’s ability to marshal attacks from its sympathizers, generating an unconnected network that is hard to track.
ISIS effectively uses the video threats as a
call to arms
meant to incite individuals to act on their own. It has added a new dimension to the terrorist threat that the U.S. counterterrorism approach is not intended or designed to pick up on. For example, ISIS supporters have focused on distributed denial-of-service attacks, spear phishing campaigns and the hijacking of legitimate websites to push malware, creating what are known as
watering holes
. In a watering hole attack, the attacker analyzes their victims browsing habits and affects those sites with malware. As the targeted victim frequents the site, their networks become infected.
For example, if you go to an ISIS friendly website and download their videos, you better recognize most of those websites are watering holes. ISIS installed malware will attack your network while you’re watching their video. Experts think radical hackers are likely to expand this tactic to mainstream websites and powerful companies’ websites as a way to gather information on targets.
ISIS is beginning to conduct more and more counterintelligence using this method. Their use of the internet has been described as unprecedented for a terrorist group, and lawmakers are growing increasingly concerned about U.S. attempts to counter its rhetoric online.
Most of ISIS’s current online power lies in its messaging; experts say, and not in its ability to hack real computer networks. But a handful of high-profile intrusions points toward its aspirations as a hacking group. The so-called
Cyber Caliphate
took over the Twitter and YouTube accounts for the U.S. Central Command in January 2015, and the Twitter account for Newsweek magazine in a month after that.
In March of 2015, the
Islamic State Hacking Division
of ISIS posted the personal details of hundreds of U.S. military personnel supposedly involved in attacks on ISIS in Iraq and Syria.
One such message read:
With the huge amount of data we have from various servers and databases, we have decided to leak 100 addresses so that our brothers in America can deal with you…Kill them in their own lands, behead them in their own homes, stab them to death as they walk their streets thinking that they are safe.
Within two months of the posting, a terrorist inspired gunman attacked military recruitment facilities in Chattanooga, Tennessee killing several service members.
In April of 2015, a French TV station was knocked offline in perhaps the best example of terrorists’ abilities. “It seemed to be on a broader scale than we had seen previously,” said a U. S. State Department official. “There were a number of facets to that attack, and they also took the station offline for quite a while. That seemed to me to be of a different magnitude.” The group managed to orchestrate a complete three-hour blackout of the French channel TV5Monde. They hacked into all 11 channels run by the company, along with its website and social media outlets. While the attack took place, the hackers placed documents on TV5Monde’s Facebook page, which they claimed were classified dossiers of relatives of French soldiers involved in fighting ISIS. The Islamic State Hacking Division again claimed responsibility.
As the cyber capabilities and successes of ISIS escalate, many analysts believe the next step is inevitable. There is evidence of an increase in ISIS activity on the
cyber arms bazaar
, the massive underground black hat web market based in Eastern Europe that traffics in almost every form of cyber sabotage imaginable. It is only a matter of time before we hear about significant attacks that were pulled off by sympathizers of ISIS.
The nature of ISIS’s online presence is intended to do three things. Firs, and most importantly for the longevity of its existence, it’s designed as a mechanism to attract and recruit members to its ranks. Second, it’s a means through which ISIS aims to strike fear into the hearts of all that come across its frequently gruesome propaganda. Both objectives are well documented. A third important dimension to the ISIS presence online is emerging. ISIS utilizes cyberspace for offensive purposes—to use the cyber domain to disrupt services, damage reputations and reveal sensitive data.
The cyber attacks of 2015 orchestrated by ISIS illustrate the group’s increased degree of sophistication. There had clearly been an amount of pre-attack planning, including a level of social engineering that had gone on to completely shut down the station's computer systems. ISIS, and those claiming to support the group are now looking to take their cyber offensive to the next level.
Should we be worried about the self-styled Cyber Caliphate and the potential for ISIS to launch highly sophisticated attacks against sensitive networks, similar to the STUXNET virus that was unleashed on Iran? At present, despite a clear elevation in capability, the answer may be
soon, but not yet
. Attacks of the magnitude of STUXNET require a level of financing, highly-skilled personnel and human intelligence gathering that an organization such as ISIS simply doesn’t possess. The more likely scenario is that websites will continue to be defaced and social media accounts hacked, to influence sympathetic supporters.
