Cyber Secret Sources Finally Met a Snowden Leak to Love!

The NYT has a story describing the rise of North Korea's 6,000-strong hacking unit, which (the story explains) the NSA has been watching closely since 2010.

Spurred by growing concern about North Korea’s maturing capabilities, the American spy agency drilled into the Chinese networks that connect North Korea to the outside world, picked through connections in Malaysia favored by North Korean hackers and penetrated directly into the North with the help of South Korea and other American allies, according to former United States and foreign officials, computer experts later briefed on the operations and a newly disclosed N.S.A. document.

A classified security agency program expanded into an ambitious effort, officials said, to place malware that could track the internal workings of many of the computers and networks used by the North’s hackers, a force that South Korea’s military recently said numbers roughly 6,000 people. Most are commanded by the country’s main intelligence service, called the Reconnaissance General Bureau, and Bureau 121, its secretive hacking unit, with a large outpost in China.

The story goes on to explain why the NSA, in spite of having beacons throughout North Korea's network, didn't warn Sony.

The N.S.A.’s success in getting into North Korea’s systems in recent years should have allowed the agency to see the first “spear phishing” attacks on Sony — the use of emails that put malicious code into a computer system if an unknowing user clicks on a link — when the attacks began in early September, according to two American officials.

But those attacks did not look unusual. Only in retrospect did investigators determine that the North had stolen the “credentials” of a Sony systems administrator, which allowed the hackers to roam freely inside Sony’s systems.

It even suggests that Clapper knew about North Korea's "capabilities" even as he was having dinner with the North Korean official in charge of those capabilities (though it does not say whether he knew about this hack).

“Because of the sensitivities surrounding the effort” to win the Americans’ release, Mr. Hale said, “the D.N.I. was focused on the task and did not want to derail any progress by discussing other matters.” But he said General Clapper was acutely aware of the North’s growing capabilities.

For the moment, I'll set aside whether this is convincing (parts of the story, such as the claim that North Korea's hackers trained in China and now target China, don't add up).

But I did want to point out two things. First, the NYT relies on a document liberated by Snowden to bolster its case. It's not clear how well it actually does bolster the case: it shows the NSA piggybacking on South Korean efforts in 2007, and then setting its own beacons. It provides a different timeline and doesn't say how extensively the US has infiltrated North Korea. In any case, though, it is a Snowden document the secret cyber sources finally love, one that backs their immediate claims.

Finally, note what else this says: this is another example where we had the intelligence but didn't use it, not because of information-sharing rules, but because we were too inattentive to make use of it. That will be useful when Congress tries to pass CISPA because of Sony.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

6 replies
  1. jerryy says:

    I think someone in what is left of the traditional news media needs to get their flashcards out and take some notes before the next press conference, er, … stenography session. Here are some pointers to consider.

    Only Congress can declare war. Cyber-operations have been termed 'an act of war'. (Hacking as a term became passé a while back; it was expedient to consider it something else.) Governmental agencies are supposed to be subject to Congressional oversight. Not even the most xenophobic critters in Congress have been publicly blood-lusting after North Korean resources and lands and cheap labor.

    When was war declared against NK? And why?

    • Anon says:

      When was war declared against NK? And Why?

      Technically it never ended.

      The armistice was signed on July 27, 1953, and was designed to "insure a complete cessation of hostilities and of all acts of armed force in Korea until a final peaceful settlement is achieved." No "final peaceful settlement" has been achieved yet.

      http://en.wikipedia.org/wiki/Korean_Armistice_Agreement

        • Anon says:

          Fair point. Clearly the Korean War wasn't quite a "War" in the legal sense. But then again it didn't end in a "Peace" either. Snark aside, I suspect that this was authorized under EO12333 or one of the other presidential findings that gives blanket coverage of all clandestine acts anywhere. This clear contradiction between the constitutional understanding of war and what the NSA operates under was cited by Snowden as one of his motivations, and in the released e-mails that is the specific thing he is shown as complaining about.

          The hacking is "Legal" because the War was not a "War" but was still OK because Congress authorized 12 billion for it, and it never ended. Although we've probably spent that 12 billion by now.

  2. gmoke says:

    Was at Harvard’s Berkman Center last week and the consensus there seems to be that the Sony hack was NOT North Korea. Will be interesting to see whether that consensus holds up at the security conference with Bruce Schneier and Edward Snowden this Friday. Wonder if I’ll see Ms Emptywheel there too.

  3. Anon says:

    such as that North Korea’s hackers trained in China and now target China

    While I question much of the storyline, I don't actually doubt this part.

    Consider this: the U.S. literally keeps Israel alive by sustaining its economy, dutifully blocking any action against it internationally, and sharing many of our most useful weapons (and Iron Dome). Yet Israel spies on us. Indeed the spies were so blatant and brazen that George W. Bush was compelled to bring charges.

    If that is how Israel treats us, I have no difficulty seeing the same behavior from the Kim regime.

    Consider also that North Korea's nuclear testing field is in the mountain ranges near China. This despite China's public opposition to testing. Clearly North Korea does not feel compelled to play nice with China and, given that, would do well to keep an eye on their weary patron.
