Steve Sin i
May 2009
Acknowledgement. Thanks to Mrs. Hwa-young Sin (ABD) of Seoul National University and Dr.
Horace Jeffery Hodges of Ewha Womans University for wonderful recommendations and sharp
critiques that contributed greatly to the improvement of this paper.
Abstract:
Recent cyber attacks on the US and the Republic of Korea’s government agencies, research
institutes, private companies, and infrastructure have created significant cause for concern
among the government officials and the computer security experts of both countries. Located
in the heart of Northeast Asia, the proving ground for cyber-warfare (CW), computer networks of
the United States Forces Korea (USFK) are ripe targets for the region’s CW organizations. The
Yonhap News Agency reported on May 5th that the US military, after years of tracking which
countries accessed them the most, has found that users inside North Korea logged onto US
military websites and networks most frequently. This paper explores the CW capabilities and
developments of North Korea and China in an effort to ascertain possible threats posed against
Keywords: cyber-warfare, CW, cyber attack, US Forces Korea, Republic of Korea, North Korea,
i
Steve Sin is a Major in the US Army currently assigned as the Senior Analyst of Open Source
Intelligence Branch, Directorate of Intelligence, US Forces Korea. The views expressed in this paper are
those of the author and do not necessarily reflect the official policy or position of the US Forces Korea, the
Department of the Army, the Department of Defense, or the US Government.
The April 21st edition of the Wall Street Journal carried
infrastructure, as well as what was revealed in the US-China Economic and Security Review
2008, have created significant cause for concern among the US government officials and the
computer security experts. The most recent cyber attacks use strains of computer viruses,
logic bombs, and other advanced techniques that can paralyze computer and communications
networks.
Located in the heart of Northeast Asia, the proving ground for cyber-warfare (CW), computer
networks of the USFK are ripe targets for the region’s CW organizations. The Yonhap News
Agency reported on May 5th that the US military, after years of tracking which countries
accessed them the most, has found that users inside North Korea logged onto US military
websites and networks most frequently. This paper explores the CW capabilities and
developments of North Korea and China in an effort to ascertain possible threats posed against
Cyber-Warfare Developments of Potential Adversaries in the Region. No one should
assume that adversaries lack the sophistication to take advantage of software vulnerabilities.
Asia has emerged as the proving ground for CW. This is especially the case in Northeast Asia,
where CW has become commonplace. As shown in the matrix below, two ii of the six potential
adversaries of the US are located in Northeast Asia – China (ranked number 1) and North Korea
(ranked number 4). There have been numerous open source reports on the CW capabilities
and developments of these two countries – the latest of which was a report that Chinese
hackers have stolen information about the F-35 Lightning II Fighter Program from the
Technolytics, with support from Intelomics and Spy-Ops iii , created a cyber threat matrix in 2007. It measured intent
ii
Although Russia is within the area of interest for USFK, this paper will only address the two Northeast
Asian countries that are within USFK’s theater of operations.
iii
The Technolytics Institute (Technolytics) was established in 2000 as an independent executive think tank.
The institute consults for the US government, as well as governments of other nations, on information
security and information security management. Intelomics and Spy-Ops are also security management
consulting organizations for the US government.
Democratic People’s Republic of Korea (North Korea). North Korea reportedly set up a
CW unit in the late 1980s. Open source reports refer to two different organizations – the
State Security Agency’s electronic communications monitoring and computer hacking unit,
reportedly located at the Korea Computer Center in Pyongyang; 6 and the North Korean
Ministry of People’s Armed Forces’ (MPAF) iv CW unit, known as Unit 121 (reportedly created
directly subordinate to the General Staff Department of the MPAF. In the past, Unit 121’s
staff was reported to be anywhere from 500 to more than 1,000 hackers, but the latest
report from the South Korean (ROK) Yonhap News Agency is that the unit has roughly 100
hackers. vi The unit’s reported capabilities include moderately advanced Distributed Denial
of Service (DDoS) capability and moderate virus and malicious code capabilities. 7
iv
The Ministry of People's Armed Forces is organizationally subordinate to the state structure but is
controlled by the Korean Workers Party. The ministry is responsible for management and operational
control of the armed forces. Prior to 1992, it was under the direct control of the president, with guidance
from the National Defense Commission and the KWP Military Affairs Department. The 1992 state
constitution shifts its control to the National Defense Commission (GlobalSecurity.org).
v
The Reconnaissance Bureau is subordinate to the General Staff Department of the Ministry of People’s
Armed Forces and is responsible for collecting strategic, operational, and tactical intelligence for the
Ministry of the People's Armed Forces. It is also responsible for infiltrating intelligence personnel into
South Korea through tunnels under the demilitarized zone and seaborne insertion (GlobalSecurity.org).
vi
The Yonhap News Agency reported on May 5, 2009, that “the General Staff of the North Korean
People’s Army has been operating for years a ‘technology reconnaissance team,’ which is exclusively in
charge of collecting information and disrupting military computer networks in South Korea and the US.”
Although this report did not specifically identify the “technology reconnaissance team” as Unit 121, the
mission, capability, and the subordination of this team suggest they are one and the same. It appears that a
hacker unit of 100 is much more reasonable than 500-1,000. An April 20, 2009 JoongAng Ilbo article
states that a ROK NIS official said, “We understand that North Korea has human resources specializing in
hacking that number around 500-600 people.” It appears this report also points to the conclusion that
rather than the Unit 121 having 500-1,000 hackers, it is more likely that 500-1,000 (or 500-600 as noted in
the JoongAng Ilbo article) is the total estimated number of hackers that North Korea has in its CW
“inventory.”
According to a North Korean defector who defected in 2004 and claims to have been an
officer within Unit 121, the unit conducts some of its operations from a North Korean
Reportedly, the hackers of Unit 121 work in teams, specializing in specific targets (e.g.,
In May 04, the ROK media reported that the Defense Security Command (DSC) confirmed,
for the first time, that North Korea does have a unit dedicated to hacking, and has been
acquiring information from the ROK government agencies and research labs for quite some
time. 9 At the ROK Defense Information Security Conference held in Jun 06, Byun Kae-jong,
a researcher at the ROK Agency for Defense Development (ADD), claimed North
Korea’s hacking capabilities equal those of the US CIA vii. Byun also claimed that test
results, based on modeling, showed North Korea possesses CW capabilities that could
inflict damage on the military networks of the US Pacific Command as well as those located in
the continental US. 10 According to a media report released in Oct 05, the ROK military
confirmed that in 2004, North Korea “tapped” into 33 out of 80 military wireless
communications networks used by 14 different ROK units during the Corps level field
exercises and the ROK-US combined Ulchi-Focus Lens exercise. 11 In Jul 06, a ROK
military official stated that North Korea’s Unit 121 “has hacked into the South Korean and
US Defense Department” and caused much damage to the ROK, but the military official did
In Oct 07, North Korea tested a logic bomb containing malicious code designed to be
executed should certain events occur or at some pre-determined time. The test led to a
United Nations Security Council resolution banning sales of mainframe computers and
laptop personal computers to North Korea; however, the resolution has not deterred the North
vii
The ROK’s claim that North Korea’s CW capability is comparable to that of the US CIA has been
disputed by US experts. According to some US experts, although online attacks from North Korea could
pose a threat, the ROK's assessment of North Korea’s cyber warfare capability may be an overestimate.
John Pike, director of GlobalSecurity.org, which maintains an online guide to North Korea's military, said
in an e-mail interview with The Korea Times in Jun 04 that he would be surprised if the North did not
operate a contingent of hackers. “It is an obvious thing to do and is not that hard to do,” Pike said.
“The North can build atomic bombs and long-range missiles. Computer hacking is easier than (making)
an atomic bomb or a missile.” Peter Hayes, executive director of the Nautilus Institute, which published
a study on North Korea's IT aspirations in 2002, echoed Pike's remarks. “Clearly, there is an excellent
programming capacity in the DPRK, including highly commercial and competitive capabilities,” Hayes said
in another e-mail interview. “Obviously, the DPRK will be concerned both to counter cyber warfare
directed at their intra-nets and to take the cyber-offensive during wartime. Thus, it would be prudent to
assume that they have such a capacity.” However, both experts rejected the claim by the ROK DSC that
North Korea’s hacking unit is comparable to that of the US CIA. “This is an exaggeration since North
Korea is a small and poor country,” Pike said. Hayes also doubted that North Korea had such
high-powered capabilities due to its closed culture and its lack of technology, resources, and applied
experience. “In a net assessment, cyber-warfare capabilities must be linked as a multiplier to other
defensive and offensive capacities in which regard North Korea is inferior in almost all respects,” Hayes
said.
In Sep 08, the ROK government accused North Korea of attempting to conduct
cyber-espionage against the ROK military by sending a ROK Army colonel an email tainted with
a Trojan horse virus. The ROK Ministry of National Defense (MND) announced that the
networks and classified information were not compromised. The spokesman for the
ministry stated “North Korea has attempted to hack the military system for quite a long
The ROK Prime Minister, Han Seung-Soo, told the ROK ministers in a cabinet meeting in
Oct 08 that the cyber threats from China and North Korea are very serious and called on the
cabinet to take appropriate action. The ROK National Intelligence Service (NIS) reportedly
told the Prime Minister, in one of its reports, that about 130,000 items of the ROK
government information had been hacked since 2004. The NIS stated that the
compromised items were extracts of government documents that were restricted but not
“highly confidential.” It did not mention, however, how many of the 130,000 items were
The ROK DSC confirmed in 2004 that North Korea also uses about 26 internet web sites,
run directly by the North Korean government or other pro-North Korean organizations, to
promote the regime and other political propaganda. The DSC also said that, through these
websites, North Korea sets forth guidelines for its espionage agents operating abroad. 16
People’s Republic of China (China). Among the six potential adversaries of the US (as
with the Technolytics Institute’s Cyber Threat Matrix), China has the most extensive and
most tested CW capabilities although the technical expertise is very uneven. China began
to implement a CW plan in 1995, and since 1997 has conducted several exercises in which
computer viruses have been used to interrupt military communications and public
broadcasting systems. In Apr 97, the Central Military Commission established a 100-
member unit to devise “ways of planting disabling computer viruses into American and other
US observers have called Net Force) designed to “wage combat through computer
networks to manipulate enemy information systems spanning things from spare parts
Although it is often very difficult to attribute activities originating in China to official agencies
or private netizens, Chinese CW units have been very active. Since 1999, there have
been periodic rounds of attacks against official websites in Taiwan, Japan, and the US.
These have typically involved fairly basic penetrations, such as defacing websites or
crashing servers using denial of service (DoS) programs. More sophisticated Trojan horse
programs were used in 2002 to penetrate and steal information from the Dalai Lama’s
around the world. 20 Portable, large-capacity hard disks, often used by government
agencies, have been found to carry Trojan horses which automatically upload to Beijing
websites everything that the computer user saves on the hard disk. 21 Since the late 1990s,
the People’s Liberation Army (PLA) has conducted more than 100 military exercises
involving some aspect of CW although the practice has generally exposed substantial
shortfalls. 22
In Aug 99, following a spate of cross-Strait attacks against computer networks and official
websites in Taiwan, the Taiwanese MND in Taipei announced that the MND had established
a Military CW Strategy Policy Committee and noted that “we are able to defend ourselves in
an information war.” 23 In Jan 2000, the Director of the MND’s Communication Electronics
and Information Bureau announced that the Military CW Strategy Policy Committee had “the
ability to attack the PRC with 1,000 different computer viruses.” 24 In Aug 2000, Taiwan’s
Hankuang 16 defense exercise included training in CW, in which more than 2000 computer
viruses were tested. Two teams of cyber-warriors used the viruses in simulated attacks on
Taiwan’s computer networks. 25 In Dec 2000, the Taiwanese MND’s Military CW Strategy
Policy Committee was expanded and converted into a battalion-size center under the direct
command of the General Staff Headquarters, and with responsibilities for network
released in Jul 02, the MND for the first time included discussion of electronic and CW units.
information and electronic warfare, and it ranked EW and CW ahead of air and sea defense
in terms of current MND focus. It specifically cited such threatening developments by the
PRC as “Internet viruses, killer satellites, and electromagnetic pulses that could fry
In Nov 08, The Financial Times reported that Chinese hackers have penetrated the White
House computer network on multiple occasions and obtained e-mails between government
officials. The US government information security experts suspect that the Chinese
government sponsored these attacks, which the Chinese government categorically denies.
The Chinese cyber attacks also targeted computers at the US base in Bagram, Afghanistan,
where a computer virus affected three quarters of the computers on base. US-China
Economic and Security Review 2008, submitted to the Congress, stated that China is
aggressively developing its power to wage cyber warfare and is now in a position to delay or
disrupt the deployment of America's military forces around the world, potentially giving it the
upper hand in any conflict. The report disclosed an alarming increase in incidents of
notes that China now has both the intent and capability to launch cyber attacks "anywhere
In March of this year, the Information Warfare Monitor, an internet research group, said a
10-month research project on cyber spy activities originating from China has revealed that,
over the period of the project, hackers based in China hacked into computer systems in 103
nations. These hackers gained access to 1,295 computer systems of foreign ministries
and embassies, including Bhutan, Bangladesh, Latvia, Indonesia, Iran, The Philippines,
India, Pakistan, Germany, Thailand, and South Korea. 29 The researchers said that this
particular group of hackers, which they named GhostNet, was focused on the governments
of South Asian and Southeast Asian nations. 30 Great Britain, Australia, the ROK, and the
US have all reported purported Chinese-based hacking activities against their government
Statistics on Cyber Attacks against the ROK and the ROK’s Defense against CW. The
number of attacks on South Korean commercial and government websites increased markedly
during 2000 and has been increasing steadily. Between Apr and Jun 04, computers at multiple
ROK government institutions came under a full-scale attack from China. A total of 314
computers – including 235 computers at national institutions, Korea Coast Guard, National
Assembly, Korea Atomic Energy Research Institute, Korea Institute for Defense Analyses,
Agency for Defense Development, Air Force University, (former) Ministry of Maritime Affairs and
Fisheries, Small and Medium Business Administration, and Education Center for Unification,
and 79 computers at private companies and universities – were hacked. The ROK MND is
presuming that this attack was conducted by a North Korean hacker unit operating from
China. 32
In 2008, a ROK government report stated the number of attacks on 25 science and technology
research centers under the ROK government was 1,632 in 2006, 1,870 in 2007, and 1,277 in
2008 as of Jul 08. According to the report, attacks by foreign hackers accounted for 64.3
percent of the total in 2006, with 1,050 cases, and 60.4 percent in 2007, with 1,129 cases. Between
Jan and Jul 08, the attacks from abroad accounted for 57.8 percent of the total – 738 cases. 33
On April 8th of this year, the Yonhap News Agency reported that hackers, apparently based in
China, had infiltrated the ROK Ministry of Finance’s intranet in February. The ROK official told
Yonhap that the investigation is ongoing and it is not known whether any information was
compromised. The official said the ROK NIS believes the hackers might be “working for the
Chinese government.” 34
The ROK MND and the NIS both reported in 2000 that the ROK’s armed forces should prepare
for CW in the future from enemy countries and that they should consider establishing specialist
units for CW. Four years after the reports, in 2004, the NIS began operating a fully functional
In 2007, the ROK, which operates weapon systems similar to those of the US, organized a
30-member CW team to take part, for the first time, in a US-led international anti-hacking exercise.
To further bolster CW cooperation between the two nations, the ROK and the US militaries
committed themselves to a tentative agreement to fight against cyber terrorism against their
defense networks on April 30th of this year. According to the MND, the agreement seeks to
Conclusion and Assessment. The CW threats of today and the future represent a new way
of thinking about conflict and warfare. CW attacks are particularly dangerous because of our
reliance on computers, networks, and technology. These computers control critical systems
that run power plants, telecommunications infrastructure, military command and control nodes,
and more. Even a cursory survey reveals that our potential adversaries in the Northeast Asian
region possess highly developed CW capabilities; continue to develop new and more
sophisticated CW arsenals; and have at least tested their capabilities if not already used them in
actual attacks against their adversaries. Therefore, it would be prudent for one to assume that
the networks of the USFK and other US government agencies in the ROK, as well as the
networks of our ROK counterparts, are under constant attack. There are open source reports
stating that North Korea and China have conducted CW attacks against US Department of
Defense networks, but these reports lack specifics of the incidents and do not specify that these
The US and ROK CW experts believe the recent attacks on their government networks were
information technology, and that CW can be carried out anonymously with a high probability of
success, state-sponsored CW attacks on our networks will continue to rise in frequency and
sophistication.
The April 30 memorandum of agreement will serve as the basis of future cooperation
between the two allies against the growing threat of CW, not only in the region but throughout the world.
With this agreement, the ROK and the US have embarked on a new journey – into cyber-space
– to strengthen even further our already strong relationship. Alongside our ROK partners, USFK
stands ready to write a new chapter in the remarkable ROK-US blood-forged alliance.
Endnotes:
1. Siobhan Gorman, August Cole, and Yochi Dreazen, “Computer Spies Breach Fighter-Jet
Project,” Wall Street Journal, 21 April 2009.
2. Siobhan Gorman, “Electricity Grid in U.S. Penetrated by Spies,” Wall Street Journal, 8 April
2009.
3. Op. Cit.
5. Kevin Coleman, “World War III: A Cyber War has Begun,” Technolytics, 30 September 2007.
6. John Larkin, “Preparing for Cyberwar,” Far Eastern Economic Review, 25 October 2001, p.
64.
7. “N. Korea Has Cyber Warfare Unit Targeting S. Korean, U.S. Military: Sources,” Yonhap
News Agency, 05 May 2009; Kevin Coleman, “Inside DPRK’s Unit 121,” DefenseTech.org, 24
December 2007; and “North Korean Hacking Unit Collects South Korean Intelligence
Confirmed,” NoCut News, 27 May 2004.
8. “Sisa Magazine 2580,” MBC, aired 29 October 2006, accessed 11 December 2008.
9. “North Korean Hacking Unit Collects South Korean Intelligence Confirmed for the First
Time,” NoCut News, 27 May 2004.
10. “North Korean Hacking Capability ‘Penetrating the CIA and the Pentagon is the Standard,’”
Sisa Seoul, 21 October 2005.
12. “NKorea operates cyber warfare unit to disrupt SKorea's military command: official,” The
Sydney Morning Herald, 12 July 2006.
13. Kevin Coleman, “Inside DPRK’s Unit 121,” DefenseTech.org, 24 December 2007.
14. “South Korea suspects North of attempted hacking,” Reuters – India, 02 September 2008.
15. “South Korea PM Warns of Hacking Threat by North Korea, China,” AFP – Hong Kong, 14
October 2008; and “130,000 Gov't Documents Hacked,” Chosun Ilbo, 15 October 2008.
16. “NORTH KOREA: North Korea operating computer-hacking unit,” The Korea Herald, 28 May
2004.
17. Ivo Dawnay, “Beijing Launches Computer Virus War on the West,” Age (Melbourne), 16
June 1997, p. 8.
18. Jason Sherman, “Report: China Developing Force to Tackle Information Warfare,” Defense
News, 27 November 2000, pp. 1 and 19.
19. Christopher Bodeen, “Mainland Asks Taiwan to Stop Interference,” The Washington Times,
26 September 2002; and Doug Nairne, “State Hackers Spying on Us, Say Chinese
Dissidents,” South China Morning Post, 18 September 2002.
20. Michael Goldfarb, “Outrage in Berlin Over Chinese Cyber Attacks,” The Weekly Standard, 31
August 2007.
21. Yang Kuo-wen, Lin Ching-chuan and Rich Chang, “Bureau Warns on Tainted Discs,” The
Taipei Times, 11 November 2007, p. 2.
22. I-Ling Tseng, Chinese Information Warfare (IW): Theory Versus Practice in Military
Exercises (1996–2005), MA Sub-thesis, Graduate Studies in Strategy and Defence,
Strategic and Defence Studies Centre, The Australian National University, Canberra, March
2005.
23. “MND Sets Up Information Warfare Committee,” ADJ News Roundup, August 1999, p. 14.
24. Francis Markus, “Taiwan’s Computer Virus Arsenal,” BBC News, 10 January 2000; and
Wendell Minnick, “Taiwan Upgrades Cyber Warfare,” Jane’s Defence Weekly, 20 December
2000, p. 12.
25. “Taiwan to Conduct Cyber Warfare Drills,” Jane’s Defence Weekly, 16 August 2000, p. 10;
Minnick, “Taiwan Upgrades Cyber Warfare,” p. 12; and Damon Bristow, “Asia: Grasping
Information Warfare?” Jane’s Intelligence Review, December 2000, p. 34.
26. Minnick, “Taiwan Upgrades Cyber Warfare,” p. 12.; and Darren Lake, “Taiwan Sets Up IW
Command,” Jane’s Defence Weekly, 10 January 2001, p. 17.
27. Ministry of National Defense, Republic of China, 2002 National Defense Report, Ministry of
National Defense, Taipei, July 2002; “Taiwan Prepares for Cyber Warfare,” CNN.Com, 29
July 2002; and “Taiwan Report Finds Cyber threat From China,” International Herald
Tribune, 30 July 2002.
28. “Chinese hack into White House network,” The Financial Times, 06 November 2008;
“Obama, McCain computers 'hacked' during election campaign,” The Guardian, 07
November 2008; “Computer Virus Hits U.S. Military Base in Afghanistan,” US News,
December 2008, 28 November 2008; and Ed Pilkington, “China winning cyber war,
Congress warned,” The Guardian, 20 November 2008.
29. “Chinese Hack Systems to Steal Dalai Lama’s Documents,” Indo-Asian News Service, 29
March 2009.
30. “Vast Cyber Spy Network ‘Operating from China,’” South China Morning Post, 30 March
2009.
31. “Spy Chief Fear Chinese Cyber Attack,” Sunday Times, 29 March 2009; “Chinese diplomat
dismisses Australian ‘cyber espionage’ claims,” The Australian, 7 April 2009; Gorman,
“Electricity Grid in U.S. Penetrated by Spies”; and Gorman, Cole, and Dreazen, “Computer
Spies Breach Fighter-Jet Project.”
32. “There is a ‘CIA-Class’ Hacker Group in North Korea’s Ministry of People’s Armed Forces –
the World is Currently at Cyber War,” JoongAng Ilbo, 20 April 2009.
33. Bristow, “Asia Grasping Information Warfare?” p. 35; and “More Than 1,500 Hacker Attacks
a Year on Korean Research,” Chosun Ilbo, 23 October 2008.
34. “China-Based Hackers Access Finance Ministry Intranet: Sources,” Yonhap News Agency,
08 April 2009.
35. “North Korea Ready to Launch Cyber War: Report,” Computer Crime Research Center, 04
October 2004, accessed 03 December 2008.
36. Sam Kim, “S. Korea, U.S. Agree To Join Forces To Fight Cyber Terrorism,” Yonhap News
Agency, 04 May 2009.