How South Korea Is Fighting North Korea's Cyber Threats

고려대학교정보보호대학원
마스터 제목 스타일 편집
How South Korea Is Fighting
North Korea's Cyber Threats
1
Presented at Asia Transnational Threats Forum - Virtual Roundtable on North Korean Cyber Threats,
Center for East Asia Policy Studies at BROOKINGS, October 15, 2020.

◼ 2000 : Founded Graduate School of
Information Security in Korea for the first
time
◼ 2009 & 2010 : Successively won DC3
Digital Forensic Challenge 2009 & 2010
◼ 2012 : Established Undergraduate Dept.
of Cyber Defense
◼ 2015 & 2018 : Won DEFCON CTF 2015 &
2018
Brief History of Korea University
2

3
Current Status of Korea

◼ In Korea, cyber warfare has become real,
not a virtual one. North Korea continues
to expand its cyber warfare capabilities.
1,350,000
Current Status of Cyber Threats in KR
4
(As of March 2018)

◼ South Korean government groups and
agencies experience more than 1.35
million hacking attempts a day
according to South Korean National
Intelligence Service (NIS, Korean CIA).
5

◼ South Korean government groups and
agencies experience more than 1.35
million hacking attempts a day
according to South Korean National
Intelligence Service (NIS, Korean CIA).
◼ From North Korea : 96% / China : 3% /
Russia : 1% / Iran and Pakistan : ↑
6

◼ Also, in recent years, there have been
more attacks mainly targeting private
companies rather than public institutions.
◼ The hacking damage is estimated at 86%
and 14% for the private and public,
respectively.
7

◼ Korean government believes that North
Korean General Bureau of
Reconnaissance (偵察總局), specifically
Unit 121, dedicates 6,000+ full-time
hackers who create malicious computer
codes.
◼ 1,700 are experts and 5,100 are supportive
members
North Korean Hacking Workforce
8

9
"Nation-State Moneymule’s Hunting Season - APT Attacks Targeting Financial Institutions -", Black Hat Asia 2018
Representative North Korean hacking groups include …

◼ Depending on the analysis company, North
Korean hacking groups are called differently.
For example,
◼ [Andariel = Silent Chollima] Acts against the
media and government agencies, primarily in
South Korea
◼ [Red Dot = Labyrinth Chollima] Focuses on
countering intelligence services
◼ [Red Eyes = Scarcruft = Group123 = APT37 =
Reaper = Ricochet Chollima] Engaged in
stealing user data
◼ [Bluenoroff = Stardust Chollima] Specializes in
commercial attacks
❖ ‘Chollima’ means a fine horse in Korean.
10

(Comm. of the ACM, August 2012)
North Korean students have a good foundation for computer science itself.
◼ NK's hacking skills are really good?
11

12

13
Students from Kim Il-Sung University in North Korea were ranked higher than
Stanford University in International Collegiate Programming Contest, ACM-ICPC.

14

15

16

◼ As seen before, North Korean hackers
have good hacking skills and good base
in computer science.
◼ But above all, they have very strong
motivation such as Kim Jung-un’s
encouragements.
◼ Furthermore, North Korean hackers are
state-sponsored soldiers. Thus they have
the solid knowledge of (military)
operation. As we can see in SWIFT
hacking, they can carry out very well
organized operation.
17

◼ Tracking North Korea's hacker attacks
is becoming increasingly difficult
because the level of training in North
Korea is growing, and the groups
themselves are scattered all over the
world, from Japan to the countries of the
Middle East.
◼ Thus ‘traditional’ methods for identifying
the organizers of attack (by IP, servers, or
‘linguistic traces’ within the code)
practically do not work very well any
more.
18

19
What kind of efforts is SK
doing to stop NK hacking?
- Ⅰ. Government Organizations -
19

◼ Blue House National Security Office as Control
Tower
◼ NIS (National Intelligence Service (Korean CIA))
for Public Sector
◼ NSR (National Security Research Institute) for Technical
Support
◼ MSIT (Ministry of Science and ICT) for Private
Sector
◼ KISA (Korea Internet & Security Agency) for Technical
Support
◼ Cyber Security Research Division of ETRI (Electronics and
Telecommunications Research Institute) for Development
of Fundamental Security Technologies
◼ PIPC (Personal Information Protection
Commission) for the Citizens’ Personal Information
Protection
Gov. Org. for Cyber Threat Response
20

◼ MOI (Ministry of the Interior) for E-Gov.
◼ FSC (Financial Services Commission) & FSS
(Financial Supervisory Service) for Financial
Sector
◼ FSI (Financial Security Institute) for Technical
Support
◼ MND (Ministry of National Defense) &
Cyber Command for Military Sector
◼ ADD (Agency for Defense Development) for
Technical Support
◼ SPO (Supreme Prosecutors' Office) & NPA
(National Police Agency) for Cyber Crime
Gov. Org. for Cyber Threat Response
21

- Ⅱ. Very Strong Network Separation Policy -
22

◼ From 2007, South Korean government
(National Intelligence Service & Ministry of the Interior)
adopted the network separation policy.
◼ All the state agencies
◼ Government ministries & their affiliated
agencies
◼ Local governments & their affiliated
agencies
◼ Public enterprises
◼ Public institutions
Network Separation @ Public Sector
23

◼ From August 2012, our government (Korea
Communications Commission) adopted network
separation policy also for the private
sector.
◼ ISP (Internet Service Providers)
◼ Big web portals with an average of more
than 1 million visitors a day
◼ Naver, Daum, etc.
◼ Recently, also for defense companies
Network Separation @ Private Sector
24

◼ On 20 March 2013, the computer
networks of major television stations and
6 financial institutions went down by
cyberattack. ATMs and mobile payments
were also affected.
◼ After this attack, on July 2013, our
government (Financial Services Commission & Financial
Supervisory Service) extended their coverage to
the financial sector.
Network Separation @ Financial Sector
25

Internet
Intranet
Korea vs. Other Countries – Korea –
Korea has a policy to completely disconnect the organization's intranet from the Internet.
26

Internet
Intranet
Korea vs. Other Countries – Others –
Top Secret
Secret
Unclassified
On the other hand, foreign countries have a policy to separate networks according to the importance of
data, and to keep non-confidential business computer systems connected to the Internet at all times.27

- Ⅲ. Cyber Threat Information Sharing -
28

◼ Today, information sharing is recognized as
a means to effectively prevent cyber attacks,
which are becoming more intelligent and
advanced, so that many countries such as
U.S., EU, UK, Japan, etc. are establishing
cyber threat information sharing system
at national level.
◼ In particular, the United States has enacted the
"Cyber Threat Information Sharing Act
(CISA)" in December 2015, and has been
promoting the establishment of a legal and
institutional basis for sharing threat information
and the implementation of the system.
29
Cyber Threat Information Sharing in KR

30
Cyber Threat Information Sharing in KR
◼ Korea is sharing cyber threat information
in public and private sectors mainly
through the NIS’s National Cyber
Security Center(NCSC) and the Korea
Internet & Security Agency(KISA).
◼ From 2014, KISA developed C-TAS(Cyber
Threat Analysis & Sharing) system to
profile and share not only the collected
malware but also the hacked hosts, used
vulnerabilities and even the attackers.

- Ⅳ. Investing in Human Resources -
31

◼ Established in 2012 (Inspired by Israel's
Talpiot program)
◼ In 2016, we graduated 30 students for the first
time.
◼ Joint educational programs with Korea
Army (Cyber Command)
◼ Full Scholarship over Guaranteed Employment
◼ Upon graduation, they are to be commissioned as
second lieutenants and must serve in the military for
seven years
◼ Accept top 0.4%~0.6% of students in the
national college entrance exam
Dept. of Cyber Defense @ Korea Univ.
32

◼ Public Sector & Government-Run Cyber
Security Education Programs
◼ Education and Training for Public Officers
◼ NSR’s CSTEC(Cyber Security Training and Exercise
Center), KISA Academy, etc.
◼ Education and Training for Non-Officers
◼ KISA’s K-Shield
◼ KITRI’s BoB(Best of the Best) Program :
Running strong peer-to-peer mentoring style
of education. And so far, it has made so may
pretty good results.
◼ Private Sector-Run Cyber Security
Education Programs
Other Education Programs
33

◼ However, there are still problems to be
improved. – Network Separation Policy :
1. Strong network separation policy of Korea
conflicts with other policies such as smart
work, cloud service, cross-border private
data transfers, etc. Furthermore, wrong
belief on network separation usually
weakens the security mind or security
awareness of people.
◼ In the coming industry 4.0 era, it will be worse
and worse.
34
Remaining Problems to Solve Ⅰ

improved. – Tracking Hackers :
1. Recently, OSINT companies have been in
the spotlight. However, as cyber threat
intelligence companies are competitively
disclosing threat profiling information
for promotional purposes, it is becoming
more difficult to track hackers.
2. If there are no legal issues, private
companies tend not to try to analyze the
causes of hacking incidents. This makes
tracking the source of the hack more
difficult.
35
Remaining Problems to Solve Ⅱ

3. It is possible to freely move the hacking
tool development base by using the
cloud or docker (like submarine-launched
ballistic missile or road-mobile missiles).
4. Furthermore, hacking groups start to share
their exploit code and use it. This makes
tracking more difficult.
36

1. As can be seen from the COVID-19
situation, countries around the world have
begun to intensify competition for
technological hegemony.
◼ This creates a situation where today's friend
may become tomorrow's enemy. i.e., This
makes it more difficult to distinguish enemies.
37

improved. – HRD :
1. A Hacker is not a panacea!
◼ Compared to North Korea, South Korea is very
dependent on the Internet. Thus, it is important
to cultivate vulnerability analysis experts, but it is
equally important to train advanced S/W
development experts.
◼ However, students tend to bias their studies
because they think vulnerability analysts are
more attractive than developers. ⇒⇒⇒ Need
more emphasis on ‘security engineering’ such as
security architecture development, RMF
documentation, etc.
38
Remaining Problems to Solve Ⅲ

improved. – HRD :
2. Offer a meaningful internship program.
◼ Students who graduated from medical school
must go through internship (a.k.a. Medical
intern).
◼ The same goes for security. No matter how
good a student is, field experience is essential.
◼ However, COVID-19 makes it very difficult for
companies to operate internship programs.
39

improved. – HRD :
3. Don't appeal to patriotism anymore!
◼ Most countries tend to appeal to patriotism in
fostering their national hacking workforce, which
should be avoided.
◼ Need to give clear future direction to the
workforce like lawyer, doctor, etc. :
◼ Good salary?
◼ Good working environment?
◼ Talented company colleagues?
◼ Experience that others can not? ((e.g.) Access to secret)
40

improved. – Sanction :
1. Since North Korea is less dependent on the
Internet, “an eye for an eye” style is
meaningless. i.e., retaliation through cyber attacks
is meaningless.
◼ Therefore, proportional response is important.
◼ However, it is difficult to do this without the
participation of many countries around the world.
2. Some experts say that North Korea's exports
of cyber weapons should be banned, but this
could lead to controversy over cyber
espionage between countries.
41
Remaining Problems to Solve Ⅳ

❖ ©2020 by Seungjoo Gabriel Kim. Permission to
make digital or hard copies of part or all of this
material is currently granted without fee
provided that copies are made only for personal
or classroom use, are not distributed for profit
or commercial advantage, and that new copies
bear this notice and the full citation.
42

How South Korea Is Fighting
North Korea's Cyber Threats
43
Presented at Asia Transnational Threats Forum - Virtual Roundtable on North Korean Cyber Threats,
Center for East Asia Policy Studies at BROOKINGS, October 15, 2020.

How South Korea Is Fighting North Korea's Cyber Threats

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à How South Korea Is Fighting North Korea's Cyber Threats

Similaire à How South Korea Is Fighting North Korea's Cyber Threats (20)

Plus de Seungjoo Kim

Plus de Seungjoo Kim (20)

Dernier

Dernier (20)

How South Korea Is Fighting North Korea's Cyber Threats