Reliable Security Information
North Korea and McAfee: Threat or Menace?

Last week GlobalSecurity.Org was consulted by a reporter from the Associated Press over the Dark Seoul/Operation Troy report on recent cyberattacks in South Korea, issued by McAfee. I looked it over and talked with the journalist for a while on the subject.

Mostly, what I said (and it was not published) was that it was a straightforward analysis of the use of malware to get into South Korean networks. The final component in it, code that "wiped" the master boot record, seemed childish, something that was normal for virus-writers to put in their creations 20 years ago. (The AP piece is here.)

In fact, naming conventions within the code -- and the hacking group names cited in the McAfee report -- were standard computer hacker and cyber-vandal stuff.

Typically, the news media has tried to make it into something a little more than what McAfee corporate was willing to put on paper in "Dissecting Operation Troy: Cyberespionage in South Korea."

And this is easily illustrated by comparing excerpts from the McAfee report on Dark Seoul/Operation Troy with a sample story today, taken from the Washington Times.

The WaTimes:

Highly trained, well-funded and very persistent computer hackers have been seeking to steal secrets from U.S. and South Korean military networks for at least four years, according to new data released by security researchers.

The hackers have all the characteristics of state-sponsored cyberattackers, said Ryan Sherstobitoff of the computer security firm McAfee Inc.

"The people behind this are highly trained, well-funded and very persistent," Mr. Sherstobitoff said. "They've been targeting the networks for years."

But behind the scenes, they were exploiting highly specialized and targeted cyberespionage tools to burrow into classified networks of the U.S. and South Korean military.

"The primary mission was to steal secret military data," Mr. Sherstobitoff said. "That's been in the shadows until now."

But what Ryan Sherstobitoff told the WaTimes isn't what he and the two other McAfee employees whose names are on the report actually wrote. There is no mention of the words fund, funding, financing, bankrolling, dollars or the North Korean Chosun Won in relation to the hacking operation in the report. And the "tactics" are deemed "not as sophisticated as what has been seen before." There is no discussion of the malware code involved as being the product of a "well-funded" operation. In fact, its conclusions are rather modest.

From the executive summary of "Dissecting Operation Troy: Cyberespionage in South Korea":

Our analysis of this attack--known first as Dark Seoul and now as Operation Troy--has revealed that in addition to the data losses of the MBR wiping, the incident was more than cybervandalism. An analysis of malware samples dating back to 2009 suggests the ongoing attacks on South Korean targets were actually the conclusion of a covert espionage campaign ...

State sponsored or not, these attacks were crippling nonetheless. The overall tactics were not that sophisticated in comparison to what we have seen before. [Bold mine] The trend seems to be moving toward using the following techniques against targets:

• Stealing and holding data hostage and announcing the theft. Public news media have reported only that tens of thousands of computers had their MBRs wiped by the malware. But there is more to this story: The main group behind the attack claims that a vast amount of personal information has been stolen. This type of tactic is consistent with Anonymous operations and others that fall within the hacktivist category, in which they announce and leak portions of confidential information.

• Wiping the MBR to render systems unusable, creating an instant slowdown to operations within the target

An excerpt from the report's "Analysis" section:

What were the motives behind these attacks and why did the attackers choose certain targets? The attacks managed to create a significant disruption of ATM networks while denying access to funds. This wasn't the first time that this type of attack--in which destructive malware wiped the systems belonging to a financial institution--has occurred in South Korea. In 2011 the same financial institution was hit with destructive malware that caused a denial of service.

The attackers left a calling card a day after the attacks in the form of a web pop-up message claiming that the NewRomanic Cyber Army Team was responsible and had leaked private information from several banks and media companies.

They also referenced destroying the data on a large number of machines (the MBR wiping) and left a message in the web pop-up identifying the group behind the attacks. The page title in Internet Explorer was "Hey, Everybody in Korea????"

The report goes on to explain that the terminal part of the operation -- by two groups which were probably the same (the second being named the Whois Hacking Crew) -- was preceded by a period of a couple of years in which South Korean networks had been penetrated by the same malware and related offshoots. The function of the malware was to scan hard disks for files on military subjects, zip them into an archive, and pipe them off to the intruders.

However, was this search a sophisticated one, as described by the media?

Not really, from the evidence in McAfee's own report. Or, yes it was, because McAfee's lead author used media publicity to make claims absent from the original.

Here's the germane material from the McAfee paper:

Drive scanning locates classified information on target systems and gives the attacker an overall idea of what these military networks have. The malware searches the root disk, counts the number of interesting files, and determines the level of that system's importance to the attacker. The search criteria are primarily specific file extensions and keywords in document titles. The keywords are all military specific. Some refer to specific military units and programs that operate in South Korea.

[I've included a partial list of the search terms, which are elementary. Really, anyone could come up with them, and terms specific to South Korea aren't there in abundance, certainly nothing an outsider wouldn't be expected to be aware of.

"Key Resolve drill," for example, is just the name for a world publicized yearly joint exercise between the US and South Korea.]

Air force
U. S. Army
Joint Chiefs of Staff
Key Resolve drill

One could conclude it would have been almost as specific to have just copied off the entire data volume of the disks.

The McAfee paper puts forward no proof the files grabbed using this search procedure were classified. Some may have been. Perhaps all were. Or maybe few or none. There is no way to make an estimate.

In the Associated Press's piece on the matter, the McAfee researchers had this to say:

McAfee also said it listed only some of the keywords the malware searched for in its report. It said it withheld many other keywords that indicated the targeting of classified material, at the request of U.S. officials, due to the sensitivity of releasing specific names and programs.

"These included names of individuals, base locations, weapons systems and assets," said Sherstobitoff.

Perhaps. Or maybe not.

US base locations, weapons systems, assets -- even individuals (for example, commanders) are not secret in South Korea. Indeed, entire orders of battle and weapons systems are publicly available on the web. Rather notably, ahem, at GlobalSecurity.Org! For which I am a Senior Fellow! And which is a go-to resource for thousands and thousands of American military men (civilian and enlisted) and those interested in global military affairs around the world!

Dear me, Ryan Sherstobitoff.

There is one extra matter worth noting, a big difference between news reporting on Dark Seoul and the McAfee white paper on it.

The McAfee white paper, Sherstobitoff et al., does not use the term "North Korea" even once.

Bluntly, McAfee corporate, being corporate, didn't formally publish any explanation that "North Korea" was the responsible party.

It employs only the weasel-term, "state sponsored," but did not -- in print -- even come down unequivocally on that.

In interviews, Sherstobitoff went well beyond what was actually published by McAfee, adding a variety of assertions and claims not put down on the digital paper.

Subsequently, every news piece came down with North Korea as the culprit.

Last week, I was asked what I thought.

I told the AP there was no way to tell from what was in the report. Maybe, maybe not. Easy to blame on North Korea because it's a childish pariah, always doing stamp-your-feet stupid things. Or maybe a hacking gang. The wording included in the analysis, and the destructive code "dropper," made it look childish and antique, like something virus writers did two decades back.

Whatever, I agreed with the assertion in the report that the tools and methods used, in the words of the McAfee authors, "were not that sophisticated in comparison to what we have seen before."

From the Washington Times today:

Analysts say that the revelations about these attacks ought to prompt U.S. officials to reassess North Korea's cybercapabilities.

Pyongyang's hackers now must be rated "as good as Iran," said James A. Lewis, a cybersecurity scholar at the Washington-based Center for Strategic and International Studies.

"The Iranians moved up quickly," Mr. Lewis said, noting the recent spate of "denial of service" attacks against U.S. banks laid at their door.

U.S. officials have said the greatest danger posed by cyberattacks is disruption of vital infrastructure, such as electric power transmission.

For the AP, Lewis was also quoted:

"I used to joke that it's hard for the North Koreans to have a cyber army because they don't have electricity, but it looks as if the regime has been investing heavily in this," said Lewis.

If so, opinions would vary on whether this constitutes getting your money's worth.

What actually happened during the North Korea imbroglio, though?

The Hermit Kingdom had a ritualized fit over the annual joint US/South Korean military exercise. It fueled its missiles, made silly videos, threatened that it would attack Guam, Hawaii or the west coast of America with a nuclear strike, shut down a joint business operation with South Korea and ... and ... and ...

Nothing. The Hermit Kingdom's ruler, the pudgy kid, had no cards to play.

But according to a news story in the Washington Times, like many today, North Korea (never mentioned by McAfee) is punching above its weight in cyberspace, as good as Iran.

Iran. Does it even matter?

Well, of course it matters to cybersecurity companies and the South Korean IT business workers who had to restore systems when master boot records were wiped, which would have taken time, but which was reversible.

The unanswered question is how critical the loss was of information that was at least public-facing (not provably secret, although "secret" is a very broad term), taken from Internet-connected military networks but not, according to the South Korean military, from classified networks. Upon this matter no answer can be furnished.

We now live in a national security environment in which, almost weekly, corporations issue "reports" which are delivered as vital intel. Upon the generation of publicity, claims are made to the news which are not actually in the "reports." The embroidered private sector information product is used to influence national policy.

In summary, one travels from the NewRomanic Cyber Army and keyword searches for "artillery," "defense," "secret" and "air force" to North Korea as a cyberpower, to "disruption of vital infrastructure, such as electric power transmission."

Usually delivered in one thousand words or less. This is called putting your fingers on the scale.

Originally published at the Dick Destiny blog. The author has written on national security and cybersecurity issues for a quarter of a century.
