By Ross Rustici, Cybereason
On September 30, 2017, The Washington Post reported that President Trump signed a presidential directive against North Korea.
According to the article, the directive authorized a DDoS campaign against “hackers in North Korea’s Reconnaissance General Bureau, DPRK’s military spy agency, by barraging their computer servers with traffic that choked off Internet access.” The article goes on to stress that the actions “were temporary and not destructive.” Finally, there was a note of self-congratulation: “North Korean hackers griped that lack of access to the Internet was interfering with their work.”
These three statements provide significant insight into the dysfunction that is U.S. Cyber Command and the enormous intelligence capabilities the administration is willing to sacrifice for the appearance of action.
When your operations are decided by committee and the goal is simply to do something rather than achieve a legitimate outcome, you are left floundering with 1990s capabilities, needlessly burning intelligence capabilities, and declaring victory without first auditing what the enemy has to say about the action.
UNITED STATES CYBER COMMAND’S FOLLY
This operation, if conducted in the manner portrayed by The Washington Post’s sources, is tantamount to burning down intelligence for the sake of action. If they targeted actors and not the headquarters, that means U.S. Cyber Command (USCC) did five remarkably foolish things:
- They revealed to cyber actors that their logical positions were known to the adversary, which allows those actors to build completely new infrastructure in the dark that the U.S. IC and military know nothing about.
- Most DPRK actors are known to be located outside of North Korea for several reasons, including survivability, better technical infrastructure, and deniability. This means that USCC DDoS’d Internet infrastructure located in countries outside North Korea.
- Acknowledging that actors griped about the “success” of the operation highlights collection methods and demonstrates that whoever was providing intelligence support to the operation has access to something beyond the IPs the actors operate from. Given that these operators are most likely not in the DPRK, the rush to prove capability in the media means USCC likely just burned a collection source that covered more than just the cyber actors.
- If they were successful in taking the computers offline, they were essentially committing fratricide. Once the computers are offline, it is impossible to conduct other network activities against them. This course of action is only acceptable if there was no other way to operate against the target, and if that is the case, the world learned something valuable about the vitality of USCC’s capabilities.
- This is tantamount to a declaration of war. We just witnessed a military organization conduct a computer network attack against the military networks of a hostile foreign power under the auspices of Title 10 authority. Despite being reversible, this fits the U.S. military definition of an attack. This is a line that even the North Koreans themselves have not yet crossed. Complicating this is the fact that the infrastructure that was attacked was likely situated in a third country, meaning that technically the United States attacked at least two countries with this operation.
THE FIRST FULL MEASURE
DDoSing your enemy on this scale is the equivalent of a petulant child throwing an extended temper tantrum. Unless you are using it to keep a target offline for a very specific and temporary purpose, all you are doing is wasting packets. Going forward, the U.S. government should focus on two distinct areas. If the goal is to interrupt DPRK cyber operations, then it should go after the code repositories and staging servers for the malicious tools. If the goal is some form of obfuscated deterrence, then the government should go after the regime’s cryptocurrency wallets. In both cases, all operations by USCC should cease and be moved under a covert action finding, unless we intend to implant a giant waving American flag in each piece of malware used, to ensure that the actors know it is the U.S. and that we are using these actions to demonstrate escalation dominance.
If the goal is to take the DPRK cyber program out of the game for a significant period of time, opportunistically neutering tools will sow discord in the program and force a structural adjustment to how it conducts operations. This type of attack does not require a 100 percent success rate; rather, it has to interfere with enough high-value operations that questions become unavoidable. If the program is forced to stand down, audit all of its code, and repair or rebuild tools, that greatly degrades its operating capacity and also has the potential to decapitate leadership if Kim Jong Un gets personally involved in the mounting failures.
SANCTIONING DECENTRALIZED NETWORKS
One of the main advantages that the North Korean regime sees in Bitcoin is that no institution can cut off its access to the money. After North Korea’s third nuclear test, China took the unprecedented step of actually freezing DPRK bank accounts. This taught the regime not to rely on traditional institutions beyond its control. With Bitcoin, the money is almost impossible to freeze or sanction with the traditional powers afforded to the United States or the United Nations. If the government cannot use the Treasury Department to sanction this source of capital, perhaps it is time to make some incredibly generous donations to aid organizations on behalf of the regime. The DPRK itself has demonstrated how easy it is to hijack cryptocurrency wallets. A systematic campaign to take control of these assets and transfer them to a controllable space would not only further enforce legitimate sanctions, but would also send a stark message to the regime that no money held outside of the country is truly safe.