Seungjoo Kim, "How South Korea Is Fighting North Korea's Cyber Threats", Asia Transnational Threats Forum - Virtual Roundtable on North Korean Cyber Threats, Center for East Asia Policy Studies at BROOKINGS, October 15, 2020.
How South Korea Is Fighting North Korea's Cyber Threats
Korea University Graduate School of Information Security
Presented at Asia Transnational Threats Forum - Virtual Roundtable on North Korean Cyber Threats,
Center for East Asia Policy Studies at BROOKINGS, October 15, 2020.
Brief History of Korea University
◼ 2000 : Founded Graduate School of Information Security in Korea for the first time
◼ 2009 & 2010 : Successively won DC3 Digital Forensic Challenge 2009 & 2010
◼ 2012 : Established Undergraduate Dept. of Cyber Defense
◼ 2015 & 2018 : Won DEFCON CTF 2015 & 2018
Current Status of Cyber Threats in KR
◼ In Korea, cyber warfare has become real, not virtual. North Korea continues to expand its cyber warfare capabilities.
1,350,000 (As of March 2018)
◼ South Korean government groups and agencies experience more than 1.35 million hacking attempts a day, according to the South Korean National Intelligence Service (NIS, Korean CIA).
◼ From North Korea : 96% / China : 3% / Russia : 1% / Iran and Pakistan : ↑
◼ Also, in recent years, there have been more attacks mainly targeting private companies rather than public institutions.
◼ The hacking damage is estimated at 86% and 14% for the private and public sectors, respectively.
North Korean Hacking Workforce
◼ The Korean government believes that the North Korean General Bureau of Reconnaissance (偵察總局), specifically Unit 121, dedicates 6,000+ full-time hackers who create malicious computer code.
◼ 1,700 are experts and 5,100 are support members
Representative North Korean hacking groups include …
"Nation-State Moneymule’s Hunting Season - APT Attacks Targeting Financial Institutions -", Black Hat Asia 2018
◼ North Korean hacking groups are named differently depending on the analysis company. For example:
  ◼ [Andariel = Silent Chollima] Acts against the media and government agencies, primarily in South Korea
  ◼ [Red Dot = Labyrinth Chollima] Focuses on countering intelligence services
  ◼ [Red Eyes = Scarcruft = Group123 = APT37 = Reaper = Ricochet Chollima] Engaged in stealing user data
  ◼ [Bluenoroff = Stardust Chollima] Specializes in commercial attacks
❖ ‘Chollima’ means a fine horse in Korean.
◼ Are NK's hacking skills really good?
North Korean students have a good foundation in computer science itself. (Comm. of the ACM, August 2012)
Students from Kim Il-Sung University in North Korea were ranked higher than Stanford University in the International Collegiate Programming Contest, ACM-ICPC.
◼ As seen before, North Korean hackers have good hacking skills and a good foundation in computer science.
◼ But above all, they have very strong motivation, such as Kim Jong-un’s encouragement.
◼ Furthermore, North Korean hackers are state-sponsored soldiers, so they have solid knowledge of (military) operations. As we can see in the SWIFT hacking, they can carry out very well organized operations.
◼ Tracking North Korea's hacker attacks is becoming increasingly difficult because the level of training in North Korea is growing, and the groups themselves are scattered all over the world, from Japan to the countries of the Middle East.
◼ Thus ‘traditional’ methods for identifying the organizers of an attack (by IP, servers, or ‘linguistic traces’ within the code) practically do not work very well any more.
What efforts is SK making to stop NK hacking?
- Ⅰ. Government Organizations -
Gov. Org. for Cyber Threat Response
◼ Blue House National Security Office as Control Tower
◼ NIS (National Intelligence Service (Korean CIA)) for Public Sector
  ◼ NSR (National Security Research Institute) for Technical Support
◼ MSIT (Ministry of Science and ICT) for Private Sector
  ◼ KISA (Korea Internet & Security Agency) for Technical Support
  ◼ Cyber Security Research Division of ETRI (Electronics and Telecommunications Research Institute) for Development of Fundamental Security Technologies
◼ PIPC (Personal Information Protection Commission) for the Citizens’ Personal Information Protection
◼ MOI (Ministry of the Interior) for E-Gov.
◼ FSC (Financial Services Commission) & FSS (Financial Supervisory Service) for Financial Sector
  ◼ FSI (Financial Security Institute) for Technical Support
◼ MND (Ministry of National Defense) & Cyber Command for Military Sector
  ◼ ADD (Agency for Defense Development) for Technical Support
◼ SPO (Supreme Prosecutors' Office) & NPA (National Police Agency) for Cyber Crime
What efforts is SK making to stop NK hacking?
- Ⅱ. Very Strong Network Separation Policy -
Network Separation @ Public Sector
◼ From 2007, the South Korean government (National Intelligence Service & Ministry of the Interior) adopted the network separation policy.
  ◼ All the state agencies
  ◼ Government ministries & their affiliated agencies
  ◼ Local governments & their affiliated agencies
  ◼ Public enterprises
  ◼ Public institutions
Network Separation @ Private Sector
◼ From August 2012, our government (Korea Communications Commission) adopted the network separation policy for the private sector as well.
  ◼ ISP (Internet Service Providers)
  ◼ Big web portals with an average of more than 1 million visitors a day
    ◼ Naver, Daum, etc.
  ◼ Recently, also for defense companies
Network Separation @ Financial Sector
◼ On 20 March 2013, the computer networks of major television stations and 6 financial institutions were taken down by a cyberattack. ATMs and mobile payments were also affected.
◼ After this attack, in July 2013, our government (Financial Services Commission & Financial Supervisory Service) extended the policy's coverage to the financial sector.
Korea vs. Other Countries – Korea –
[Diagram: Internet, Intranet]
Korea has a policy to completely disconnect the organization's intranet from the Internet.
Korea vs. Other Countries – Others –
[Diagram: Internet, Intranet; Top Secret, Secret, Unclassified]
On the other hand, foreign countries have a policy to separate networks according to the importance of data, and to keep non-confidential business computer systems connected to the Internet at all times.
What efforts is SK making to stop NK hacking?
- Ⅲ. Cyber Threat Information Sharing -
Cyber Threat Information Sharing in KR
◼ Today, information sharing is recognized as a means to effectively prevent cyber attacks, which are becoming more intelligent and advanced, so many countries such as the U.S., EU, UK, Japan, etc. are establishing cyber threat information sharing systems at the national level.
◼ In particular, the United States enacted the "Cyber Threat Information Sharing Act (CISA)" in December 2015, and has been promoting the establishment of a legal and institutional basis for sharing threat information and the implementation of the system.
◼ Korea shares cyber threat information in the public and private sectors mainly through the NIS’s National Cyber Security Center (NCSC) and the Korea Internet & Security Agency (KISA).
◼ From 2014, KISA developed the C-TAS (Cyber Threat Analysis & Sharing) system to profile and share not only the collected malware but also the hacked hosts, the vulnerabilities used and even the attackers.
What efforts is SK making to stop NK hacking?
- Ⅳ. Investing in Human Resources -
Dept. of Cyber Defense @ Korea Univ.
◼ Established in 2012 (Inspired by Israel's Talpiot program)
◼ In 2016, we graduated 30 students for the first time.
◼ Joint educational programs with Korea Army (Cyber Command)
◼ Full Scholarship over Guaranteed Employment
◼ Upon graduation, they are to be commissioned as second lieutenants and must serve in the military for seven years
◼ Accept top 0.4%~0.6% of students in the national college entrance exam
Other Education Programs
◼ Public Sector & Government-Run Cyber Security Education Programs
  ◼ Education and Training for Public Officers
    ◼ NSR’s CSTEC (Cyber Security Training and Exercise Center), KISA Academy, etc.
  ◼ Education and Training for Non-Officers
    ◼ KISA’s K-Shield
    ◼ KITRI’s BoB (Best of the Best) Program : Runs a strong peer-to-peer mentoring style of education, and so far it has produced many quite good results.
◼ Private Sector-Run Cyber Security Education Programs
Remaining Problems to Solve Ⅰ
◼ However, there are still problems to be improved. – Network Separation Policy :
1. The strong network separation policy of Korea conflicts with other policies such as smart work, cloud service, cross-border private data transfers, etc. Furthermore, a mistaken belief in network separation usually weakens people's security mindset or security awareness.
◼ In the coming Industry 4.0 era, it will get worse and worse.
Remaining Problems to Solve Ⅱ
◼ However, there are still problems to be improved. – Tracking Hackers :
1. Recently, OSINT companies have been in the spotlight. However, as cyber threat intelligence companies are competitively disclosing threat profiling information for promotional purposes, it is becoming more difficult to track hackers.
2. If there are no legal issues, private companies tend not to try to analyze the causes of hacking incidents. This makes tracking the source of the hack more difficult.
3. It is possible to freely move the hacking tool development base by using the cloud or Docker (like a submarine-launched ballistic missile or road-mobile missiles).
4. Furthermore, hacking groups have started to share their exploit code and use it. This makes tracking more difficult.
◼ However, there are still problems to be improved. – Tracking Hackers :
1. As can be seen from the COVID-19 situation, countries around the world have begun to intensify competition for technological hegemony.
◼ This creates a situation where today's friend may become tomorrow's enemy, i.e., it becomes more difficult to distinguish enemies.
Remaining Problems to Solve Ⅲ
◼ However, there are still problems to be improved. – HRD :
1. A hacker is not a panacea!
◼ Compared to North Korea, South Korea is very dependent on the Internet. Thus, it is important to cultivate vulnerability analysis experts, but it is equally important to train advanced S/W development experts.
◼ However, students tend to bias their studies because they think vulnerability analysts are more attractive than developers. ⇒ Need more emphasis on ‘security engineering’ such as security architecture development, RMF documentation, etc.
2. Offer a meaningful internship program.
◼ Students who graduate from medical school must go through an internship (a.k.a. medical intern).
◼ The same goes for security. No matter how good a student is, field experience is essential.
◼ However, COVID-19 makes it very difficult for companies to operate internship programs.
3. Don't appeal to patriotism anymore!
◼ Most countries tend to appeal to patriotism in fostering their national hacking workforce, which should be avoided.
◼ Need to give the workforce a clear future direction, as for lawyers, doctors, etc. :
  ◼ Good salary?
  ◼ Good working environment?
  ◼ Talented company colleagues?
  ◼ Experience that others cannot have? (e.g., access to secrets)
Remaining Problems to Solve Ⅳ
◼ However, there are still problems to be improved. – Sanction :
1. Since North Korea is less dependent on the Internet, an “eye for an eye” style is meaningless, i.e., retaliation through cyber attacks is meaningless.
◼ Therefore, proportional response is important.
◼ However, it is difficult to do this without the participation of many countries around the world.
2. Some experts say that North Korea's exports of cyber weapons should be banned, but this could lead to controversy over cyber espionage between countries.