WASHINGTON — The problem with cyber attacks is that victims all too often face a complex maze when trying to find the source of the strike, leading to months of digging for few conclusive answers. But in the environment of grandiose nuclear threats and escalating hostilities on the Korean Peninsula, both sides seem to be trying a new tactic: blame first, figure it out later.
The less-than-thorough approach may provide consolation for those seeking an immediate target but could spell disaster for a pair of countries so close to full-on conflict, and plagued by cyber shenanigans, including those from hacktivists making political points.
In the past, difficulty attributing attacks to a state or specific group has stayed the hand of nations looking to respond and complicated diplomatic relations as those responsible hide behind the relative anonymity of connected networks. But in the case of North and South Korea, that uncertainty is providing cover for each party to blame the other for recent attacks that may not have been perpetrated by either.
A day after the attack that disabled 32,000 computers in South Korea on March 20, the country’s Korean Communications Commission pointed the finger at an IP address in China, a clear implication that the North Koreans were to blame, analysts said. North Korean groups have used Chinese IP addresses to conduct attacks in the past. The next day the commission retracted its statement, saying it had misidentified an IP address that was actually from one of the banks that was targeted.
The North Koreans, having experienced a series of distributed denial of service (DDoS) attacks throughout March, haven’t hesitated in placing blame either.
“It is as clear as a pikestaff who mounted the cyber attacks as it was timed to coincide with the nuclear war exercises staged by the U.S. and South Korean warmongers against the DPRK [Democratic People’s Republic of Korea],” the government-run Minju Joson newspaper published March 20.
In reality, the North Koreans have been beset by attacks from hacktivist groups, including the compromise of social media accounts April 4, and the exact source of the DDoS attacks is still unclear, although the group Anonymous has taken credit. And while the attack on South Korean computers bears a more-than-passing resemblance to the Shamoon virus that effectively took down thousands of systems at the Saudi state-owned oil company Aramco, the source is still unknown.
Both sides have experienced attacks for years, but the disruptions brought on by the March 20 incident marked a new high and came at a time when the North has threatened to restart a nuclear reactor and strike numerous cities with nuclear weapons.
“If you don’t like somebody, you tend to blame them,” said James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies. “The North Koreans are a good suspect.”
Lewis said none of the attacks thus far have been particularly sophisticated or destructive, but that capabilities are improving, especially for the North.
“What we’re going to see is North Korean abilities improve, and then they’ll be tempted to do things, then it will get really interesting,” he said. “The risk is that they inadvertently trip over some threshold that will be seen as the use of force or an act of war.”
That threshold has been broadly established in international law as requiring some combination of death and physical destruction to justify a war, a line which hasn’t been crossed on the Korean Peninsula. But North and South Korea technically are already at war, and in early March, North Korea tore up the 1953 armistice agreement that ended the Korean War.
Neither side needs a legal justification to act within the confines of international law, and with two countries eyeing each other across an increasingly heated border, the provocation of a cyber attack, correctly attributed or not, could lead to broader conflict.
Repeatedly named in the North’s accusations about cyber attacks, the U.S. has largely avoided responding. Instead, the U.S. is focused on helping countries learn to decipher the origin of an attack more effectively, State Department spokeswoman Victoria Nuland said.
“There are always difficulties in the context of cyber attacks, so this is something that we work on, not just in a Northeast Asia context but with countries around the world, to try to share best practices, et cetera, going forward, so that we all have a clear picture when something like this happens of what exactly has taken place and what the risks and threats are, not only to us nationally but to partners,” she said.
In the case of the Koreas, the actual cyber threat has thus far been minor. The attack against South Korea on March 20 removed part of the boot records for computers at banking, communications and security groups, but did not destroy the computers themselves. The North Korean websites that had been attacked were restored within hours.
“Most of the patriotic hacking has been crap, it’s not dangerous,” said Jason Healey, director of the Cyber Statecraft Initiative of the Atlantic Council. “There’s no risk other than in headlines and in perception.”
Those headlines could exacerbate the situation in the Koreas, he said.
“It’s escalatory because the leaders misunderstand how dangerous this is,” he said. “We get ourselves so worked into a lather about a topic that we’re so angry to strike, that even a lower level type of hacking that shouldn’t have an impact starts to have a larger impact, where something that should be a sideshow becomes a bigger issue.”
Whether aggressive rhetoric about cyber attacks will actually spill over into conflict is unknown, but the North, true to form, has not been timid in its reaction to the South.
“The ceaseless ridiculous plots hatched by the puppet forces for a war of aggression against the DPRK would only bring into bolder relief their true colors and precipitate their self-destruction,” the state newspaper said.