As tensions with North Korea escalate into a full-on cold war, a cold cyberwar is playing out in tandem: Beneath the very public nuclear standoff, both the US and North Korea have privately ramped up their digital aggression, the Kim regime’s hackers rampaging through networks around the globe and the US answering with its own attacks on the systems used by those hackers.
But despite the US government’s dominating powers in the digital realm, security experts and former intelligence officials believe that battlefield favors North Korea. US hackers can take bites out of the edges of North Korea’s infrastructure. But getting to its core—and anywhere close to disrupting or even delaying its nuclear capabilities—will be extremely difficult, they say, if not impossible.
Last week, The Washington Post reported that US Cyber Command had hit computers used by North Korea’s Reconnaissance General Bureau (or RGB) and taken them offline at least temporarily, one element in a new, no-holds-barred directive to use all available tools to curtail the rogue state’s aggression. And in fact, security analysts say that what little of the Hermit Kingdom’s operations do connect to the internet are likely as vulnerable to US hacking operations as those of other adversaries, if not more so.
But even that successful RGB strike appears to have been a denial of service attack—in which junk traffic overwhelms a system—rather than a penetrating breach of North Korea’s computers. And the vast majority of North Korea’s overall infrastructure still remains disconnected, vastly reducing any footholds for hackers—and making the prospect of compromising its locked-down and air-gapped nuclear weapons systems all the more daunting.
American cyber operations against North Korea break down into two parts: Those designed to hamper North Korea’s own offensive hacking and intelligence capabilities, and those designed to disrupt physical infrastructure like its missile program, says Atlantic Council fellow Jason Healey. The US can manage the first type well enough, albeit with mostly limited, temporary consequences. But the latter—what Healey describes as a “left of boom” strategy—can be exceedingly tough against an adversary as disconnected as the Kim regime.
“You can imagine we want to throw off their warmaking capability, get in and mess with their rockets, ‘Stuxnet’ them in very specific ways,” says Healey, referring to the Stuxnet malware the NSA and Israeli intelligence used to sabotage Iranian enrichment facilities in 2009. “I think it would be incredibly, incredibly difficult.”
In fact, the US did attempt Stuxnet-style sabotage against North Korea in 2010, years before the Kim regime had the combined ability to create a nuclear weapon and launch it across the Pacific, according to a 2015 Reuters report. The attempt failed. America’s hackers simply couldn’t reach the deeply isolated core computers that controlled North Korea’s nuclear weapons program.
‘Most government and military networks are not directly connected to the internet and it would be quite difficult to access them.’
Priscilla Morluchi, Former NSA Analyst
Much more recently, The New York Times has reported that the US attempted supply-chain attacks that would corrupt the North Korean missile launches, perhaps by tainting software or hardware components. In recent years, those missile launches have had failure rates as high as 88 percent, perhaps a sign that those programs worked at least in part. But over the last several months, North Korea has had repeated successes in launching intercontinental ballistic missiles that could reach the United States. If supply-chain sabotage did work at some point, those tests suggest it may well have been overcome.
For years, US officials and analysts have warned that North Korea’s anachronistic separation from the internet would be transformed into an advantage in an age of state-sponsored hacking. In his 2010 book Cyberwar, former US counterterrorism czar Richard Clarke ranked countries by their cyber-conflict preparedness. He placed North Korea first, and the US dead last, based their diametrically opposed reliance on the internet.
Even today, the country’s connections remain extremely limited. Despite its new internet connection via Russia, North Korea has only about 1,500 available IP addresses, says Priscilla Morluchi, a researcher at security intelligence firm Recorded Future, and a former NSA analyst focused on East Asia. Of those, nearly half are used by known propaganda and informational websites, Morluchi says.
North Korea’s more offensive hacking operations, meanwhile, are generally hosted abroad, most commonly in China. All of that leaves very scarce footholds for the NSA or US Cyber Command’s hackers—much less targets that could lead to the most inner sanctum of the country’s weapons systems. “My best educated guess, based on that limited IP range, is that most government and military networks are not directly connected to the internet and it would be quite difficult to access them—although not impossible,” Morluchi says.
If US hackers could find an initial point of entry, they might find an appealing target in North Korea’s intranet, its own country-wide walled garden network known as Kwangmyong. The majority of that internal network runs on North Korea’s own homebrewed version of the Linux operating system, known as Red Star OS. And that operating system is likely deeply vulnerable to any skilled hacker that can reach it, says Matthew Hickey, a security researcher and founder of London-based security firm Hacker House.
Hickey has analyzed two older versions of the Red Star operating system for both desktop computers and servers. He says he’s found bountiful flaws: They include one “command injection” vulnerability that would allow anyone tricked into merely clicking on a link to have their computer fully taken over by a remote hacker, and an older Samba vulnerability that would allow a hacker to spread a malware infection from server to server. “I’m not the NSA,” he says. “If I can hack it, surely the NSA can.” He also points to a leaked document from the Italian intrusion-for-hire firm Hacking Team that revealed more than a dozen Red Star vulnerabilities for sale.
But North Korea’s government is careful not to offer any easy connection to that intranet from the outside world, says Will Scott, a security researcher at the University of Michigan who spent several months-long stints in North Korea teaching at one of its universities. He says he’s observed Red Star running on infrastructure ranging from computers at the country’s Science and Technology Exhibition Center to the library at Pyongyang’s Kim Il Sung University. But he found that organizations in North Korea were always careful to connect computers to either the country’s intranet or the internet—never both. Scott believes the most sensitive targets, like missile systems, likely aren’t connected to either the internet or the intranet, and run custom software built by foreign suppliers.
That kind of strict air gap, Scott says, means any successful attack—and particularly any attack that would offer feedback as to whether it had succeeded or not—would require a human agent working to manually sabotage target systems. “The networks themselves are air-gapped and isolated enough that it’s more about getting someone to work for you,” says Scott. “It’s going to come down to that relationship, not a purely external hack.”
High Risk Maneuvers
Planting a human agent in the heart of North Korea’s most sensitive military facilities would be about as hard as it sounds, says Columbia’s Healey, who also worked as the director for Cyber Infrastructure Protection under the Bush administration. And he suggests that even if that moonshot sabotage operation were successful, it might not have the intended effect. If North Korea believes its nuclear missile capacity is being threatened, he warns that the country could respond with a pre-emptive strike. “This stuff is ripe for miscalculation,” Healey says.
All of which means that no one should expect even the robust skills of the NSA or US Cyber Command to defuse the pressure cooker forming around North Korea’s nuclear weapons. Diplomacy with one of the world’s worst governments may not seem appealing. But facing a disconnected, isolated, sociopathic state backed into a corner, it may be a far better option than a Hail Mary hacker attack.