Due to N Korea, Hawaii Goes to Nuclear Warning Systems

TOKYO/WASHINGTON (Reuters) – Japan has detected radio signals suggesting North Korea may be preparing for another ballistic missile launch, although such signals are not unusual and satellite images did not show fresh activity, a Japanese government source said on Tuesday.

After firing missiles at a pace of about two or three a month since April, North Korean missile launches paused in September, after Pyongyang fired a rocket that passed over Japan’s northern Hokkaido island.

“This is not enough to determine (if a launch is likely soon),” the source told Reuters.

Japan’s Kyodo news agency reported late on Monday that the Japanese government was on alert after catching such radio signals, suggesting a launch could come in a few days. The report also said the signals might be related to winter military training by the North Korean military.

South Korea’s Yonhap news agency, citing a South Korean government source, also reported that intelligence officials of the United States, South Korea and Japan had recently detected signs of a possible missile launch and have been on higher alert.

Hawaii reinstates Cold War-era nuclear attack warning signal amid North Korea tension

Hawaii is reinstating a statewide nuclear attack warning signal in December to prepare for a potential attack from North Korea.

The alarm, which has not been used since the Cold War, will be reinstated on Dec. 1 as part of a ballistic missile preparedness program, according to the Hawaii Emergency Management Agency (HI-EMA).

The agency instructed residents to immediately “Get inside, stay inside and stay tuned” if they hear the siren. Alerts will be sent to residents’ phones and broadcast on television and radio. “When [HI-EMA] started this campaign, there were concerns we would scare the public. What we are putting out is information based on the best science that we have on what would happen if that weapon hit Honolulu or the assumed targets,” said HI-EMA Administrator Vern Miyagi during an emergency preparedness presentation.

Since officials would have only 15 minutes or less of warning time before a North Korean missile’s impact, Hawaii residents are advised to have a designated place to go for shelter. “There will be no time to call our loved ones, pick up our kids and find a designated shelter. We should all prepare and exercise a plan ahead of time so we can take some comfort in knowing what our loved ones are doing,” said Miyagi in an interview with The Honolulu Star Advertiser.

Although the U.S. has conducted successful missile interception tests, there is no guarantee that the Navy would detect and intercept a target, the HI-EMA warns.

An HI-EMA fact sheet explains that, based on the estimated yield of North Korean missiles, there could be anywhere from 50,000 to 120,000 burn casualties and nearly 18,000 fatalities if an attack occurs.

After an attack, residents would have to stay sheltered in place until the HI-EMA has fully assessed the radiation and fallout, which could take a few hours or as long as 14 days, the agency says on its website.

State officials have been holding town halls to answer questions from residents.

3 Chinese Nationals Charged with Hacking, Stealing Intellectual Property

Indictment found here.

Wonder if President Trump has called President Xi….The U.S. Treasury should at least sanction Guangzhou Bo Yu Information Technology Company Limited….

Pittsburgh:

The Justice Department on Monday unsealed an indictment against three Chinese nationals in connection with cyberhacks and the alleged theft of intellectual property of three companies, according to US officials briefed on the investigation.

But the Trump administration is stopping short of publicly confronting the Chinese government about its role in the breach. The hacks occurred during both the Obama and Trump administrations.
The charges being brought in Pittsburgh allege that the hackers stole intellectual property from several companies, including Trimble, a maker of navigation systems; Siemens, a German technology company with major operations in the US; and Moody’s Analytics.
US investigators have concluded that the three charged by the US attorney in Pittsburgh were working for a Chinese intelligence contractor, the sources briefed on the investigation say. But missing from court documents filed in the case is any explicit mention that the thefts were state-sponsored.
A 2015 deal between then-President Barack Obama and Chinese President Xi Jinping prohibits the US and China from stealing intellectual property for the purpose of giving advantage to domestic companies.
In recent months some US intelligence agencies have concluded that China is breaking the agreement, sources briefed on the matter say. But there’s debate among intelligence officials about whether there’s sufficient evidence to publicly reveal the Chinese government’s role in the infractions, these people say.
Obama administration officials had touted the Obama-Xi agreement, as well as 2014 Justice Department charges against members of the Chinese People’s Liberation Army for commercial espionage, for reducing some of the Chinese cyberactivity against companies in the US.
But the 2015 Obama-Xi deal was met with skepticism inside the US agencies whose job it is to guard against Chinese cyberactivity targeting US companies. Some now say there was only a brief drop in the number of cyberspying incidents, if at all.
In the waning months of the Obama administration, intelligence officials briefed senior White House officials on information showing that the Chinese cyberattacks were back to levels previously seen, sources familiar with the matter told CNN. Early in the Trump administration, US intelligence officials briefed senior officials, including the President and vice president, as well as advisers Jared Kushner and Steve Bannon. More here.
***

Acting U.S. Attorney for Western Pennsylvania Soo C. Song charged Wu Yingzhuo, Dong Hao and Xia Lei with conspiracy to commit computer fraud and abuse, conspiracy to steal trade secrets, wire fraud and identity theft.

The most serious charge, wire fraud, carries a sentence of up to 20 years in federal prison. Each conspiracy charge has a possible sentence of up to 10 years and the identity theft carries a sentence of up to two years.

The indictment alleged that Wu, Dong and Xia worked with Guangzhou Bo Yu Information Technology Company Limited, a Chinese cybersecurity firm in Guangzhou, but used their skills to launch attacks on corporations in the U.S.

Between 2011 and May 2017, the trio stole files containing documents and data pertaining to a new technology under development by Trimble, along with employee usernames and passwords and 407 gigabytes of proprietary data concerning Siemens’ energy, technology and transportation efforts, according to the indictment. The trio gained access to the internal email server at Moody’s Analytics and forwarded all emails sent to an “influential economist” working for the firm, the indictment stated. Those emails contained proprietary and confidential economic analyses, findings and opinions. The economist was not named in the indictment.

A Siemens spokesperson said that the company “rigorously” monitors and protects its infrastructure and continually detects and hunts for breaches. The company did not comment on the alleged breach by the Chinese hackers and declined to comment on internal security measures.

Michael Adler, a spokesman for Moody’s Analytics, said that to the company’s knowledge no confidential consumer data or other personal employee information was exposed in the alleged hack.

“We take information security very seriously and continuously review and enhance our cybersecurity defenses to safeguard the integrity of our data and systems,” Adler wrote in an email to the Tribune-Review.

Trimble, in a statement sent to the Trib, wrote that no client data was breached. The company concluded that the attack had no meaningful impact on its business.

Song, however, said the loss to the companies targeted was considerable.

“The fruit of these cyber intrusions and exfiltration of data represent a staggering amount of dollars and hours lost to the companies,” Song said.

Wu, Dong and Xia used “spearphish” emails to gain access to computers, spread malware to infect networks and covered their tracks by exploiting other computers known as “hop points.”

Hop points allow users to hide their identities and locations by routing themselves through third-party computer networks.

“But there were missteps that led our investigators right to them,” said FBI Special Agent in Charge Bob Johnson of the Pittsburgh office.

Johnson would not elaborate on the missteps the accused hackers took, claiming doing so could jeopardize future investigations.

The U.S. Attorney’s Office led the investigation and was assisted by the FBI’s Pittsburgh Division, the Navy Criminal Investigative Service Cyber Operations Field Office and the Air Force Office of Special Investigations.

Counterfeit Operations, Iran and North Korea

It is a global business and a nasty one.

U.S. officials have long accused Iran of supplying arms to rebel Houthi forces battling for control of Yemen. But Monday’s sanctions help highlight the scope of what Western officials commonly describe as the IRGC’s far-reaching and malign activities.

“Iran itself, together with its proxy, Lebanese Hezbollah, is knee-deep and has been knee-deep in the counterfeit business for quite some time,” said Matthew Levitt with the Washington Institute for Near East Policy. “Exposing this is kind of a two-for-one, both exposing the organization’s terrorist activity and also exposing the nature of the criminal activity that it engages in.” More here.

Treasury Designates Large-Scale IRGC-QF Counterfeiting Ring

11/20/2017

Iranian Network Prints Counterfeit Yemeni Bank Notes for IRGC-Qods Force

WASHINGTON – Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated a network of individuals and entities involved in a large-scale scheme to help Iran’s Islamic Revolutionary Guard Corps-Qods Force (IRGC-QF) counterfeit currency to support its destabilizing activities.  This network employed deceptive measures to circumvent European export control restrictions and procured advanced equipment and materials to print counterfeit Yemeni bank notes potentially worth hundreds of millions of dollars for the IRGC-QF.  The IRGC-QF was designated pursuant to the global terrorism Executive Order (E.O.) 13224.

“This scheme exposes the deep levels of deception the IRGC-Qods Force is willing to employ against companies in Europe, governments in the Gulf, and the rest of the world to support its destabilizing activities.  Counterfeiting strikes at the heart of the international financial system, and the fact that elements of the government of Iran are involved in this behavior is completely unacceptable,” said Treasury Secretary Steven Mnuchin.  “This counterfeiting scheme exposes the serious risks faced by anyone doing business with Iran, as the IRGC continues to obscure its involvement in Iran’s economy and hide behind the façade of legitimate businesses to perpetrate its nefarious objectives.”

Reza Heidari and Pardazesh Tasvir Rayan Co.

Reza Heidari (Heidari) is being designated today for having acted for or on behalf of the IRGC-QF and having assisted in, sponsored, or provided financial, material, or technological support for, or financial or other services to or in support of, the IRGC-QF.

Pardazesh Tasvir Rayan Co. (Rayan Printing) is being designated today for being controlled by Heidari; for having acted for or on behalf of the IRGC-QF; having assisted, sponsored, or provided financial, material, or technological support for, or financial or other services to or in support of, the IRGC-QF; and being owned by Tejarat Almas Mobin Holding, another Iranian company also being designated today.

Heidari played a key role in procuring secure printing equipment and materials for the IRGC-QF in support of the group’s currency counterfeiting scheme.  Heidari served as the managing director of Iran-based Rayan Printing, a company involved in printing counterfeit Yemeni rial bank notes potentially worth hundreds of millions of dollars for the IRGC-QF, as of late 2016.  Heidari used front companies to obfuscate the actual end user and facilitate deceptive transactions when dealing with European suppliers of secure printing equipment and materials.

ForEnt Technik and Printing Trade Center

ForEnt Technik GmbH is being designated today for being owned or controlled by Heidari, while Printing Trade Center GmbH (PTC) is being designated for having acted for or on behalf of, and assisted in, sponsored, or provided financial, material, or technological support for, or financial or other services to or in support of, Heidari.

Heidari used German-based ForEnt Technik GmbH and PTC as front companies to deceive European suppliers, circumvent export restrictions, and acquire advanced printing machinery, security printing machinery, and raw materials in support of the IRGC-QF’s counterfeit currency capabilities.  These raw materials included watermarked paper and specialty inks from European suppliers.  Heidari is the Managing Director and sole shareholder of ForEnt Technik GmbH.

Mahmoud Seif and Tejarat Almas Mobin

Mahmoud Seif is being designated today for having assisted, sponsored, or provided financial, material, or technological support for, or other services to or in support of, the IRGC-QF.  Tejarat Almas Mobin Holding is being designated today for being controlled by Seif.

Seif is the managing director of Tejarat Almas Mobin, the parent company of Rayan Printing.  Heidari and Seif coordinated on the procurement of raw supplies and equipment that enabled the IRGC-QF counterfeiting capabilities.  Seif was involved with the logistics of importing materials for the counterfeiting project into Iran.  Additionally, Seif has previously been involved in the procurement of weapons for the IRGC-QF.

For identifying information on the individuals and entities listed today, click here: https://www.treasury.gov/resource-center/sanctions/OFAC-Enforcement/Pages/20171120.aspx

*** So, did Iran teach North Korea to counterfeit or was it the other way around? North Korea has been counterfeiting and participating in illicit activities going back decades. North Korea is not especially fretful over the newly applied sanctions or being listed again as a terror state by President Trump. While it should be done, the regime has proven methods to finesse the system.

Ri Jong Ho had simply had enough. He’d seen too many executions.

Ri, a high-profile North Korean defector, spent years working for what is essentially a slush fund for one of the most notorious regimes on the planet, Kim Jong Un and his compatriots.
Life was good. Ri helped bring in somewhere between $50 million and $100 million for North Korean elites, and was handsomely rewarded with luxuries most North Koreans couldn’t dream of in years past: a car, a color TV and some extra cash on the side, once rarities in the communist state but more commonplace now in the capital, Pyongyang.
But he watched the regime kill his peers and their families, even children.
“It was not just high level officers, officials, but their families, their children (and) their followers,” Ri told CNN in his first interview to a major US broadcast network. “It was not just once or twice a year — it was ongoing throughout the year, thousands of people being executed or purged.”
Ri said the final straw came in late 2013, when Kim Jong Un executed his own uncle, Jang Song Thaek, with an anti-aircraft gun.
“It was a cruel and crude method of execution,” he said. “After all these years living in the socialist system, I never witnessed anything like that.”
Ri was living in China at the time, and in 2014 was able to safely defect with his family.
And just like that, Kim lost one of his top money makers.

Office 39

Ri said he worked for decades in what’s known as “Office 39.”
The office is in charge of bringing in hard currency for the regime. Ri calls it a “slush fund for the leader and the leadership.”
Ri told CNN “Office 39” is not engaged in illicit activities, but the US Treasury Department says otherwise.
The US government accused the office of engaging in “illicit economic activities” to support the North Korean government. It has branches throughout the nation that raise and manage funds and is responsible for earning foreign currency for North Korea’s Korean Workers’ Party senior leadership through illicit activities such as narcotics trafficking.
North Korea has been accused of crimes like hacking banks, counterfeiting currency, dealing drugs and even trafficking endangered species.
Workers who help bring in cash for the regime are granted access to the outside world — especially China — in order to establish networks that are crucial to making money, analysts say. They often have diplomatic privileges that allow them to evade their host country’s domestic laws, experts say.
Ri said he was not involved in illegal activities and that they were not under the purview of Office 39, but did not deny they occurred. He said much of North Korea’s hard cash is earned through exporting labor — the country sends workers across the globe and collects much of their pay, according to the UN — and exporting natural resources like coal, which China used to buy but has since stopped.
Illicit activities make a lot of money, though. The Congressional Research Service estimated in 2008 that North Korea could earn anywhere from $500 million to $1 billion from these types of illicit activities.
That money helps fund the lavish lifestyles of the North Korean elites while sanctions limit the country’s ability to make money. That keeps North Korea’s leadership happy and helps Kim prevent coup attempts, analysts say.
“They (North Korean leaders) are focused on maintaining their ruling power, and they are working on making this dynasty-like system lasting for a long time,” Ri said. “So instead of focusing on their economic development or better life, they are more focused on maintaining their system.”
Some of Office 39’s profits also go to the country’s nuclear and missile programs, which crossed an important threshold this month with the testing of two intercontinental ballistic missiles, weapons that experts say likely put the United States homeland in North Korea’s range.
CNN reached out to the North Korean mission at the United Nations for a response to the interview with Ri. An official at the mission said Ri was lying to “make money and save his own life.”

‘Hundreds of fishing boats’

Analysts say Office 39 is likely now in the cross hairs of US President Donald Trump’s administration.
The Trump team has made it clear that one of the ways it plans to deal with North Korea is to squeeze its revenue streams across the globe in order to pressure them into negotiations over their weapons programs.
Ri is not sure if the tactic will work, as he says it’s easy to side-step sanctions and believes the international community has made strategic mistakes that could come back to bite them.
North Korean companies can just change their names once sanctioned, he says. North Korean leaders don’t keep much money abroad, so the sanctions against them are pointless, according to Ri. Smugglers are difficult to catch.
“Smuggling is conducted by any and every means you could imagine. Mostly larger items are done using ships, for example by filing a cargo list … where what’s written on the (list) is different from what is really being shipped,” he said. “On the open sea, the Yellow Sea, there are hundreds of fishing boats — both from China and North Korea — and all the smuggling is done by these so-called fishing boats.”

Going after China

Ri believes that secondary sanctions — targeting those who do business with North Korea, like the United States did to China’s Bank of Dandong in June — is the way to go, especially in China.
Beijing accounts for about 85% of North Korean imports in 2015, according to UN data, though Ri revealed that Pyongyang does import some oil from Russia.
North Korean economist Ri Gi Song told CNN in February that China accounts for 70% of trade and that trade with Russia is increasing. More here from CNN.

Tillerson: Child Soldiers Conscription Violations

The United Nations has a list of shame. Fine, but it is merely a list and a gesture.

Child soldiers are children (under 18) who are used for military purposes.

Some child soldiers are used for fighting – they’re forced to take part in wars and conflicts, forced to kill, and commit other acts of violence. Some are forced to act as suicide bombers. Some join ‘voluntarily’, driven by poverty, sense of duty, or circumstance.

Other children are used as cooks, porters, messengers, informants, spies or anything their commanders want them to do. Child soldiers are sometimes sexually abused.

Afghanistan, Central African Republic, Democratic Republic of Congo, India, Myanmar, the Occupied Palestinian Territory, Thailand, the UK and Yemen all use child soldiers, meaning a person under the age of 18.

Exclusive – State Dept. revolt: Tillerson accused of violating U.S. law on child soldiers

WASHINGTON (Reuters) – A group of about a dozen U.S. State Department officials have taken the unusual step of formally accusing Secretary of State Rex Tillerson of violating a federal law designed to stop foreign militaries from enlisting child soldiers, according to internal government documents reviewed by Reuters.

A confidential State Department “dissent” memo not previously reported said Tillerson breached the Child Soldiers Prevention Act when he decided in June to exclude Iraq, Myanmar, and Afghanistan from a U.S. list of offenders in the use of child soldiers. This was despite the department publicly acknowledging that children were being conscripted in those countries. [tmsnrt.rs/2jJ7pav]

Keeping the countries off the annual list makes it easier to provide them with U.S. military assistance. Iraq and Afghanistan are close allies in the fight against Islamist militants, while Myanmar is an emerging ally to offset China’s influence in Southeast Asia.

Documents reviewed by Reuters also show Tillerson’s decision was at odds with a unanimous recommendation by the heads of the State Department’s regional bureaus overseeing embassies in the Middle East and Asia, the U.S. envoy on Afghanistan and Pakistan, the department’s human rights office and its own in-house lawyers. [tmsnrt.rs/2Ah6tB4]

“Beyond contravening U.S. law, this decision risks marring the credibility of a broad range of State Department reports and analyses and has weakened one of the U.S. government’s primary diplomatic tools to deter governmental armed forces and government-supported armed groups from recruiting and using children in combat and support roles around the world,” said the July 28 memo.

Reuters reported in June that Tillerson had disregarded internal recommendations on Iraq, Myanmar and Afghanistan. The new documents reveal the scale of the opposition in the State Department, including the rare use of what is known as the “dissent channel,” which allows officials to object to policies without fear of reprisals.

The views expressed by the U.S. officials illustrate ongoing tensions between career diplomats and the former chief of Exxon Mobil Corp appointed by President Donald Trump to pursue an “America First” approach to diplomacy.

INTERPRETING THE LAW

The child soldiers law passed in 2008 states that the U.S. government must be satisfied that no children under the age of 18 “are recruited, conscripted or otherwise compelled to serve as child soldiers” for a country to be removed from the list. It currently includes the Democratic Republic of Congo, Nigeria, Somalia, South Sudan, Mali, Sudan, Syria and Yemen.

“The Secretary thoroughly reviewed all of the information presented to him and made a determination about whether the facts presented justified a listing pursuant to the law,” a State Department spokesperson said when asked about the officials’ allegation that he had violated the law.

In a written response to the dissent memo on Sept. 1, Tillerson adviser Brian Hook acknowledged that the three countries did use child soldiers. He said, however, it was necessary to distinguish between governments “making little or no effort to correct their child soldier violations … and those which are making sincere – if as yet incomplete – efforts.”

Hook made clear that America’s top diplomat used what he sees as his discretion to interpret the law.

‘A POWERFUL MESSAGE’

Foreign militaries on the list are prohibited from receiving aid, training and weapons from Washington unless the White House issues a waiver based on U.S. “national interest.” In 2016, under the Obama administration, both Iraq and Myanmar, as well as others such as Nigeria and Somalia, received waivers.

At times, the human rights community chided President Barack Obama for being too willing to issue waivers and exemptions, especially for governments that had security ties with Washington, instead of sanctioning more of those countries.

“Human Rights Watch frequently criticized President Barack Obama for giving too many countries waivers, but the law has made a real difference,” Jo Becker, advocacy director for the children’s rights division of Human Rights Watch, wrote in June in a critique of Tillerson’s decision.

The dissenting U.S. officials stressed that Tillerson’s decision to exclude Iraq, Afghanistan and Myanmar went a step further than the Obama administration’s waiver policy by contravening the law and effectively easing pressure on the countries to eradicate the use of child soldiers.

The officials acknowledged in the documents reviewed by Reuters that those three countries had made progress. But in their reading of the law, they said that was not enough to be kept off a list that has been used to shame governments into completely eradicating the use of child soldiers.

‘UNCONSCIONABLE ACTIONS’

Ben Cardin, ranking Democrat on the U.S. Senate Foreign Relations Committee, wrote to Tillerson on Friday saying there were “serious concerns that the State Department may not be complying” with the law and that the secretary’s decision “sent a powerful message to these countries that they were receiving a pass on their unconscionable actions.”

The memo was among a series of previously unreported documents sent this month to the Senate Foreign Relations Committee and the State Department’s independent inspector general’s office that relate to allegations that Tillerson violated the child soldiers law.

Legal scholars say that because of the executive branch’s latitude in foreign policy there is little legal recourse to counter Tillerson’s decision.

Herman Schwartz, a constitutional law professor at American University in Washington, said U.S. courts would be unlikely to accept any challenge to Tillerson’s interpretation of the child soldiers law as allowing him to remove a country from the list on his own discretion.

The signatories to the document were largely senior policy experts with years of involvement in the issues, said an official familiar with the matter. Reuters saw a copy of the document that did not include the names of those who signed it.

Tillerson’s decision to remove Iraq and Myanmar, formerly known as Burma, from the list and reject a recommendation by U.S. officials to add Afghanistan was announced in the release of the government’s annual human trafficking report on June 27.

Six days earlier, a previously unreported memo emailed to Tillerson from a range of senior diplomats said the three countries violated the law based on evidence gathered by U.S. officials in 2016 and recommended that he approve them for the new list.

It noted that in Iraq, the United Nations and non-governmental organizations “reported that some Sunni tribal forces … recruited and used persons younger than the age of 18, including instances of children taking a direct part in hostilities.”

Ali Kareem, who heads Iraq’s High Committee for Human Rights, denied the country’s military or state-backed militias use child soldiers. “We can say today with full confidence that we have a clean slate on child recruitment issues,” he said.

The memo also said “two confirmed cases of child recruitment” by the Myanmar military “were documented during the reporting period.” Human rights advocates have estimated that dozens of children are still conscripted there.

Myanmar government spokesman Zaw Htay challenged accusers to provide details of where and how child soldiers are being used. He noted that in the latest State Department report on human trafficking, “they already recognized (Myanmar) for reducing of child soldiers” – though the report also made clear some children were still conscripted.

The memo said further there was “credible evidence” that a government-supported militia in Afghanistan “recruited and used a child,” meeting the minimum threshold of a single confirmed case that the State Department had previously used as the legal basis for putting a country on the list.

The Afghan defense and interior ministries both denied there were any child soldiers in Afghan national security forces, an assertion that contradicts the State Department’s reports and human rights activists.

A Wide Look at North Korea’s WMD Operations

Primer:

South Korean surgeons operating on a North Korean defector who escaped across the Demilitarized Zone between the two countries under a hail of gunfire on Nov. 13 have found a parasite in the man’s stomach unlike any other they had seen.

The defector, who was shot five times, remained in critical condition after hours in two rounds of surgery, according to an article in the Korea Biomedical Review published on Nov. 15.

North Korean Cyber Operations: Weapons of Mass Disruption

Over the past 10 years, the escapades of various nation-state actors in the cyber realm have exploded onto the pages of top-tier media, and into prime time network news.

Russian espionage against political targets during the 2016 US presidential election, wide-reaching Chinese espionage against Western commercial targets, disruptive attacks against the US financial sector associated with Iran, and the destructive attacks against Sony Pictures Entertainment (SPE) are some of the premier examples of mainstream coverage of ‘cyber.’

Behind every single offensive cyber action conducted in the interest of the capable nation-states is a doctrine,[1] and North Korea, like many other nation-states, has incorporated cyber operations within their own broader military doctrine and has conducted numerous offensive operations in the furtherance of their national agenda. What is particularly alarming about DPRK operations is their willingness to initiate escalatory actions, such as their likely connections to the now infamous WannaCry ransomware, and their targeting of the global financial system.

North Korea’s disregard for the consequences of its actions sets them apart from other nation-states, and is particularly dangerous.

North Korean offensive cyber operations have been conducted to collect sensitive political and military intelligence information, to lash out at enemies who threaten their beliefs and interests, and most interestingly, to generate revenue.

This revenue generation aspect of North Korean operations was thrust into the international spotlight when, in early 2016, unauthorized transfers of funds from the Bangladesh Central Bank were issued using the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network for global banking. The attempted transfers amounting to over $950 million USD sought to move funds to entities in locations such as Sri Lanka and the Philippines; ultimately $81 million USD in funds disappeared into the ether.

The subsequent investigation revealed that the perpetrators of the attack used tools to securely delete records from the SWIFT terminals that would alert Bangladesh Central Bank employees of the transfers. Commonly referred to as a “wiper,” this secure deletion tool contained code that was linked by many in the computer security industry to one used in attacks associated with North Korea, notably the attack on SPE through a US Computer Emergency Response Team (USCERT) alert. The revelation that a state would engage in such a flagrant violation of international norms came as a surprise to many in the information security arena. North Korea watchers were, of course, not surprised as the currency generation activities benefiting the Kim family and their isolated nation have been well understood for some time.

The 2016 SWIFT attacks associated with North Korea are part of the broader currency generation operations of DPRK cyber actors and intelligence organizations. Botnets associated with espionage activity targeting South Korea have been used to generate revenue through a variety of schemes for almost 10 years. Recent DPRK activity suggests an interest in obtaining cryptocurrency, such as bitcoin, through extortion and targeting of cryptocurrency exchanges.

In the third quarter of 2017, for instance, malicious emails containing weaponized documents were used to target international financial organizations, as well as bitcoin exchanges. The ultimate goal of these attacks, which were tracked by the information security community under names such as Stardust Chollima and BlueNoroff, is as yet unknown; however, theft and sabotage are likely.

Bitcoin provides attractive benefits to the isolated nation due to a lack of regulation and the ability to subvert international sanctions. In May 2017, ‘WannaCry’ exploded across the internet, encrypting sensitive material and holding the keys to decrypt the files for a ransom to be paid in bitcoin. This attack, too, had North Korean fingerprints embedded in the code used to execute the attack, as did the tools that were used to develop that code.

Attribution is a particularly sensitive subject in the cyber domain. Technical artifacts from the executable code that was used to conduct the WannaCry attack overlap with code used in attacks against South Korean nuclear power plants and the SPE attack of 2014. While the technical artifacts can provide some measurable connections between the attacks, they require deep technical understanding to interpret. Other linkages, such as targeting and operational procedures, are the product of intelligence assessments and have been disputed by various parties, muddying the water surrounding the assigning of attribution.

North Korea is an exception to the classical understanding of how most nations implement offensive cyber operations in that they incorporate espionage, disruptive/destructive attacks and financially motivated operations using the same computer code and infrastructure.

The value of cyber operations is likely recognized by North Korea’s most senior leadership through the State Affairs Commission (SAC), the General Staff of the Korean People’s Army, and Kim Jong Un himself. Subordinate units, notably the Reconnaissance General Bureau (RGB), Bureau 121, and the Command Automation Bureau (CAB), are likely responsible for executing the specific operations. The individual units may have a charter to self-finance their operations, or to contribute financial gains back to the regime, but it seems clear that various offensive operations are conducted by differing groups with their own approach and missions. For example, one group may have a primary focus on revenue generation, targeting South Korean banks and SWIFT and conducting extortive attacks, while another group might focus on intelligence collection, while a third conducts sabotage and destructive attacks.

Finally, the maturity of North Korean offensive cyber operations has been demonstrated through the integration of destructive attacks by cyber units during military exercises executed in the midst of escalating tension with South Korea. For instance, following the December 2012 launch of the Kwangmyongsong-3 satellite via the Unha-3 satellite launch vehicle, tensions on the Korean peninsula were high. That March, following the passing of UN Security Council Resolution (UNSCR 2087) and B-52 strategic bomber overflights in South Korea, North Korea responded with a particularly aggressive disruptive attack against South Korea.

This massive wiper attack targeted South Korea’s financial and media sectors and coincided with provocations by North Korean military and escalating political rhetoric. This pairing allowed for maximum psychological impact, while demonstrating North Korea’s ability to integrate offensive cyber activities into well-developed military doctrine. During these attacks, the Korea Broadcasting System (KBS), Munhwa Broadcasting Corporation (MBC), Yonhap Television News (YTN) and several Korean financial institutions reported disruptions. With the threat of military escalation on the table, many in South Korea would have depended on the media outlets for breaking news. Disruption of ATM networks and financial institutions would further add to the chaos as word of media disruptions began to spread.

As tensions are once again escalating between North Korea and the international community, more attacks perpetrated by DPRK cyber actors are likely. The recent increase in financial sector targeting associated with these actors may illustrate the potential for disruptive attacks to both demonstrate the capability of the North Korean actors and achieve objectives in line with their broader military doctrine. While North Korea’s isolation may be detrimental to its economy and international relations, it is an effective shield from which to launch offensive cyber operations against a connected and delicate global system.


[1] In order to establish some common definitions, we can look to the United States Department of Defense, who established Computer Network Operations (CNO) as a component of the broader Information Operations (Information Warfare) arena. CNO is further categorized into Computer Network Exploitation (CNE), Computer Network Attack (CNA), and Computer Network Defense (CND). Offensive cyber operations conducted by nation-states using this model would be considered CNE and CNA. The use of CNE can be roughly characterized as espionage, whereas CNA would be used to degrade, deny, disrupt, or destroy the network based systems of an adversary. This model can help provide a clear delineation of how various military, intelligence community, and law enforcement agencies with their authorities are able to conduct operations. China, Russia, Iran and virtually every nation-state in the world conduct CNE/CNA operations in accordance with their legal authorities and national interests.

***

There are other weapons few discuss.

Pyongyang has already achieved partial coverage of US territories. Last June, in a hearing before the US House Armed Services Committee, the head of the US Missile Defense Agency, Vice Admiral James Syring, said: “The advancement and demonstration of technology of ballistic missiles from North Korea in the last six months have caused great concern to me and others. It is incumbent on us to assume that North Korea today can range the US with an ICBM carrying a nuclear warhead.”

This particular endeavor was likely assisted by Tehran. A February 2016 report by the Congressional Research Service concluded, “Iran has likely exceeded North Korea’s ability to develop, test, and build ballistic missiles.” Tehran might be, and probably is, helpful to Pyongyang with respect to technological aspects of the nuclear sphere as well.

The nuclear component within the spectrum of North Korea’s weapons of mass destruction (WMDs) is evidently growing. The big question is whether the country’s despot, Kim Jong-un, will be the first person to use nuclear weapons since 1945.

Quite recently, Kim elected to employ a highly lethal chemical weapon, the nerve agent VX, for a political assassination. This weapon was used last February by two female operatives, one Indonesian and the other Vietnamese, to murder Kim Jong-un’s estranged half-brother, Kim Jong-nam, in Malaysia. The victim died shortly after being assaulted by the two women, who wiped VX on his face as he prepared to board a flight to the Chinese territory of Macau. Traces of VX were revealed on swabs taken from his eyes and face.

This deadly chemical agent was probably smuggled from North Korea to Malaysia, which in and of itself was an intriguing and risky move. Six of eight potential suspects were from Pyongyang’s Ministries of State Security and Foreign Affairs. The suspects flew from Kuala Lumpur on the day of the assassination, passing through Vladivostok on their way back to Pyongyang. South Korea’s request to detain four of the suspects was rejected by Russian officials on the grounds of lack of evidence.

It can be assumed that Kim Jong-un was in on the plot from its inception. Symbolically, at least, this political assassination by VX can be regarded as an indication of Pyongyang’s chemical weapons (CW) capabilities. Whether the regime intended it to or not, the assassination signaled the readiness, usability, and deployability of North Korea’s VX, which can be used for guerrilla warfare, chemical terrorism, or wide-scale chemical attack.

VX is also weaponized within warheads carried by ballistic missiles in Pyongyang’s vast CW arsenal. The North Korean ballistic program constitutes the principal, though not the only, vehicle for all three WMD programs. The CW and biological weapons (BW) programs are fully matured and have marked operational offensive capabilities. Inadequate attention is being paid to Pyongyang’s large-scale offensive capacities in terms of CW and BW, but the VX political assassination incident was a wake-up call (if unintentional). More here.