Argument
An expert's point of view on a current event.

Who Is “Whois”?

Was North Korea behind the cyberattack on the South?

JUNG YEON-JE/AFP/Getty Images

Another set of cyberattacks has hit the Republic of Korea, and the first to be blamed is the DPRK. Computers at two major television networks stopped working and their websites were taken offline. A cable channel experienced similar problems. Three banks had trouble with ATMs and Internet- and mobile-banking applications. The attacks were targeted specifically at South Korea, and the malware used was programmed to erase data on the bank computers, similar to 2011 attacks on ROK banks that some attribute to North Korea.

We don’t know that North Korea is responsible, but it is a likely suspect. Cyber is the perfect weapon for a country that loves provocation, and the North has put money and time into building cyber-weapons. It is good at covert action, slipping agents across the border and engaging in black market activities around the world, such as counterfeiting and smuggling. Hacking is a natural fit for the secretive and belligerent Hermit Kingdom.

But the evidence is murky. Some cyberattacks leave obvious signs of who was responsible. Other times, the attack can be tracked back, particularly if it is "in progress" and the attackers are still connected. In some cases, the United States finds identifying evidence when it takes a close look at other countries’ networks. This has not been the case for these latest attacks, leaving us to wonder who did it.

One way to identify the source of an attack is to examine the intersection of capabilities and intent for likely culprits. A sophisticated cyberattack against Iran’s nuclear facilities, for example, points to only a few suspects. In this case, however, many state and non-state actors have the necessary attack capability. North Korea is only one of them. It began developing cyber capabilities in the 1990s, and although progress has been slow — the country is not particularly conducive to the development of a hacker culture — the North Koreans are dogged and willing to spend scarce resources to gain asymmetric advantages, as shown by their nuclear and missile programs.

Determining who is responsible for an attack often depends on asking "cui bono?" — who benefits? In attacks on South Korea, the North is always the lead suspect, but the target set for this attack apparently included no South Korean or U.S. government agencies. Most attacks focus on extracting money or valuable information, but that did not happen in this case. Nor did the attacker try to disrupt critical infrastructure and services. What is left is political motivation. Cyberattacks are a new and attractive form of protest and coercion. The Russians used them against Estonia; the Iranians used them against the United States. In such company, North Korea would feel right at home.

But governments are not the only ones to use these new tools. Political groups like Anonymous routinely hack websites or launch denial of service attacks (essentially, flooding the target network with traffic so that it is knocked offline). If North Korea is a suspect, so are political activists, perhaps hacktivists from China or South Korea’s thriving Internet community. At the same time, the fact that a new, unknown group calling itself "Whois Team" has claimed credit means little. They could be the authors of the attack, they could be an outside group that is simply taking credit, or they could be a cover for state-sponsored efforts.

The Chinese IP address that has been linked to the attack is hardly conclusive. Many Chinese networks use pirated software, making them inherently vulnerable to outside manipulation. A Chinese hacker group could have attacked South Korean sites as a protest, but such groups usually make bombastic, direct, and nationalistic threats. That was not done here. North Korea could have used China as a jumping off point for an attack, but doing so would have risked its relationship with its most important ally. The North may have been tweaking China because of its recent support for sanctions, or the Chinese may have decided to tolerate action against the South, but there is no evidence or precedent to support either hypothesis. We simply don’t know.

We do know North Korea’s national television network had threatened KBS and MBC — the South Korean networks — a year ago, saying that they "will come under fire in an unimaginable and unusual way." North Korea also charged last week that the United States had hacked into its networks — a charge that could have been made to justify a "counterattack" on an ally. And the North has often used its cyber skills to spread propaganda in the South. Its agents create false identities on South Korean websites to post comments favorable to the North or critical of the South, and the North also uses social media sites and YouTube to make its case against the West (a recent video used scenes from a video game showing Wall Street in ruins).

The exchange of accusations by North and South over cyber-activities shows increased cyber-activity that could point to the North as the author of the attacks. But it is hardly a smoking gun. And compared to, say, the evidence of China’s cyber-spying or Iran’s attacks on banks, it is very weak.

Regardless, it is not this specific attack that should concern us — it is the trajectory of North Korean cyber-activity that is most disturbing. The North is committed to getting cyberattack capabilities. It may already have them. The intent to attack the South by engaging in covert and disruptive action is there. If North Korea was responsible for this incident, with its plans for penetrating networks and erasing data, it may soon have the capability to launch a damaging attack whenever it decides it is in its interest to do so.

The North has committed no shortage of hostile acts, and it does not always take credit for them. It has jammed the GPS guidance systems on hundreds of commercial airliners landing in Seoul, using truck-mounted jamming devices located on the north side of the border. This was probably a test of a military capability the North would use in war — that the test might have caused hundreds of deaths does not seem to have been a worry.

Its latest action was to issue another round of nuclear threats, this time against U.S. Pacific bases. We need to ask how the cyberattacks fit with these latest threats from the North and the increased tensions on the Korean Peninsula. They may be an inept effort to increase pressure on the South, they may be a coincidence, or they may not be from North Korea at all. The North has a goal in making nuclear threats (probably to show defiance in the face of new sanctions), but it is hard to see how disrupting ATMs and television websites would contribute to that effort.

North Korea might be attracted by the relatively low cost of cyberattacks, by the high dependency of the South on the Internet (which creates numerous targets), by the difficulty of attribution for a quick attack, and by the ability to easily use cyber to make a political point. Strong cyberattack capabilities in either the South or the United States have no deterrent effect. A country that is not shy about using force in limited ways to make a negotiating or political point will be attracted to cyberattack.

From the North’s perspective, its decisions are rational, but we should not overestimate Pyongyang’s ability to correctly calculate the risks of its actions. The North is clearly willing to take greater risks than most nations, from sinking a South Korean patrol vessel to firing artillery at island villages. A cyberattack may not seem that risky from Pyongyang’s perspective. Whether or not North Korea was behind this latest incident, it seems unavoidable that it will develop further cyberattack capabilities and use them the way it uses covert action, limited military assault, and nuclear threats — as tools to shape the international environment.

James Andrew Lewis is a senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies.