Because of the ease with which a hacker can misdirect the apparent origins of a cyber-attack, it is impossible to attribute a cyber-strike to a specific source. Therefore, any evidentiary claims that North Korea was responsible for the recent WannaCry or Petya attacks, or even the Sony Pictures “Interview” hack, are bogus.
On the other hand, the “quacking duck” theory of circumstantial evidence leads us to the conclusion that the North Koreans are behind all of these, and more.
Why this matters is that it provides a peek into the capabilities of the North Korean cyber-warfare operations and in particular the special cell of the North Korean spy agency called Unit 180. If the Trump administration is seriously considering the launch of a cyber-barrage against the North, these are the folks with whom they will engage. And, they are formidable.
Unit 180, a part of the Reconnaissance General Bureau (RGB), is one of many specialized cyber-teams within the North Korean cyber-military organization, but they are considered to be the elite front line force; a sort of combination of Army Rangers, Navy SEALs and Marine Force Recon in cyber-space.
These are the guys that the US InfoSec community believes are responsible for not just WannaCry, Petya, and Sony but also the 2016 $81 million cyber heist at the Bangladesh central bank. They are also blamed for a series of other online attacks, mostly on financial networks in the United States, South Korea and in a dozen other countries, including the Philippines, Vietnam and Poland.
The objectives of these attacks vary and range from the outright theft of hundreds of millions in sorely needed cash to the most recent and thinly disguised “ransomware” attacks, which instead of being ransomware were in fact probes of varying defenses across industry sectors in multiple countries.
Anyone who has been paying attention now knows that while these attacks were initially reported as ransomware, because they included messaging demanding a $300 ransom in Bitcoin from the victims, it was soon discovered that the channel for payment had been shut down and the data that was supposed to be returned was hopelessly destroyed instead of simply encrypted.
No, these attacks were clearly for the purposes of testing both the defensive technologies in play and the response mechanisms in place. Both failed miserably. The attacks were widely successful and, had they been targeted toward physical infrastructure in the US like dams, electrical grids, financial institutions and transportation hubs, they would have created disruption and destruction on a massive scale. It is similar to testing a long-range ICBM but without the media fanfare.
One easily digestible example is the Petya virus embedded into the shipping system at Maersk, the largest global marine transportation company. The infestation affected almost every business unit, including container shipping, port and tug boat operations, oil and gas production, drilling services, and oil tankers, and then transferred itself into container management systems at Indian seaports where Maersk containers began unloading.
Similarly, approximately half of the financial institutions in Ukraine use a tax accounting software package known as M.E.Doc, which carried the infection into all of those systems and into any system that was connected through third parties. The idea was to spread the infection in the same way a cough would in a crowded subway. And, it worked.
North Korea sends its cyber-army overseas under the cover of being employees of trading firms, overseas branches of North Korean companies, or joint ventures in China or Southeast Asia. These countries, which in addition to China include those in Eastern Europe and Malaysia, have better Internet connections and native IP addresses that make the job of false-flagging easier. This would account for some of the allegations of the Petya and WannaCry strains originating in Russia or Ukraine. Two IT firms in Malaysia are known to have links to North Korea’s RGB spy agency.
It is also known that North Korea hacked into more than 140,000 computers at 160 South Korean companies and government agencies last year, planting malicious code to lay the groundwork for a massive cyber-attack on its rival.
So while the media concentrates its coverage of North Korean aggression on the excessively theatrical testing of long-range ICBMs, sowing fear and uncertainty about a nuclear attack on a US city, the real threat is being conducted in cyber-space almost entirely under the radar.
If it is the Trump administration’s intent to strike Pyongyang with a cyber-invasion, we had better be prepared for a counter-attack of impressive proportion. While we may be capable of taking out the electronic infrastructure of the Kim regime, an all-out response against our energy grid is well within the realm of possibility.
We have witnessed in the last week a relatively benign global cyber-attack on infrastructure targets that did all of the contained damage it intended, with no response and almost no effective defense. It is one thing to plan a cyber-attack on the enemy with your cyber-defenses in place and tested against countermeasures. It is entirely another when your cyber-defenses have proven themselves completely incapable of holding off adversaries intent on inflicting significant damage on U.S. private and government networks.
I am sure that someone in the Administration knows we have a lot of work to do before we line up these ducks for cyber-warfare. Getting beaten in our first cyber-skirmish would not be good.
But, the media coverage of the U.S. getting creamed by a puny, delusional lunatic dictator from a tiny starving nation might even be worse.
This is a Security Bloggers Network syndicated blog post authored by Steve King. Read the original post at: News and Views – Netswitch Technology Management