South Korea blames North Korea for hacking nuke plants

Let the conspiracy theories commence at Naver, Minjok Tongshin, and MissyUSA, in 3, 2, 1 ….

South Korean prosecutors on Tuesday blamed North Korea for cyber attacks against the country’s nuclear reactor operator last December, based upon its investigation into Internet addresses used in the hacking.

The conclusion comes less than a week after a hacker believed to be behind the cyber attacks on Korea Hydro and Nuclear Power Co Ltd released more files on Twitter that are believed to have been taken in December. The investigation included last week’s leak of a blueprint and test data.

“The malicious codes used for the nuclear operator hacking were the same in composition and working methods as the so-called ‘kimsuky’ that North Korean hackers use,” a statement from Seoul central prosecutors’ office said. [Reuters]

President Bush removed North Korea from the list of state sponsors of terrorism on October 11, 2008. The Obama Administration’s official view is that North Korea is “not known to have sponsored any terrorist acts since the bombing of a Korean Airlines flight in 1987.” Discuss among yourselves.

Ironically, this story has received little attention thus far because when it came out last December, the Sony hacks crowded it off page one. According to the initial reports at that time, the hackers used malware, possibly introduced through social engineering attacks, to gain access to the systems of South Korea’s Korea Hydro and Nuclear Power Corporation.

According to the The Joongang Ilbo, “The hackers’ group threatened that the three nuclear reactors in Gori and Wolseong must be shut down by Christmas or they would reveal more files and carry out a second attack,” and threatened that “[i]t will be a Fukushima.”

The hackers, posing as anti-nuclear hacktivists, then released blueprints for multiple South Korean nuclear power plants online. Korea Hydro has said that the attacks did not affect the plants’ operating systems.

South Korean government investigators traced the attack to Shenyang, a wretched hive of scum and villainy favored by North Korean hackers, but which is not otherwise renowned for its feisty tradition of pushing the boundaries of free expression.

At the time, Justice Minister Hwang Kyo-Ahn told the South Korean National Assembly that authorities were investigating suspicions that North Korea may have been behind the attack, but an official from the investigation team said, “We cannot confirm nor deny the North’s involvement in the case.”

After this, the story went cold again for months. Then, on March 12th, the hackers had made a fresh demand for extortion money:

Using an account under the name of the president of an anti-nuclear group in Hawaii, the hacker posted additional files on Twitter, which reportedly included documents concerning the country’s indigenous advanced power reactor 1400.

“Need money. Only need to meet some demands… Many countries from Northern Europe, Southeast Asia and South America are saying they will buy nuclear reactor information. Fear selling the entire information will undermine President Park (Geun-hye)’s efforts to export nuclear reactors,” the posting said.

The hacker did not say how much money he wanted but warned that South Korea will end up losing much more if it tries to save a few hundreds of millions of dollars. [Yonhap]

The circumstances would suggest that this latest communication provided new evidence of the North’s involvement, although the reports do not say so.

Now, armed with evidence of North Korea’s culpability, let’s parse the definition of terrorism in the Foreign Relations Authorization Act (you can parse other definitions here and here). That statute defines “terrorism” as “premeditated, politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents.” Premeditated? Obviously. Politically motivated? Although the ostensible purposes of the attacks were to disrupt infrastructure, get ransom money, and generally scare the soondae out of South Korea’s civilian population, the very fact of North Korea’s culpability suggests a political motivation. The link to President Park and export revenue is also evidence of one, as is the group’s release of “the transcript of a telephone conversation between President Park and the U.N. chief, Ban Ki-moon, on Jan. 1.” Korea Hydro is a noncombatant target, and the attack was perpetrated by Unit 121, which reports to the Reconnaissance General Bureau, a clandestine agency.

The main problem with calling this terrorism is the absence of an act of violence. Still, there is ample precedent for the State Department considering threats of violence (“It will be a Fukushima”) to be acts of terrorism in its annual Country Reports on Terrorism. For example, State’s 2013 “Country Reports” cites a threat by an anarchist group to poison soft drinks, the conviction by a Norwegian court of an Ansar-al-Islam leader for “issuing threats and intimidating witnesses,” a bomb threat by Aum Shinrikyo, a death threat by Harakat-al-Mujaheddin, a threat by Jaish-e-Mohammed against an Indian politician, and threats by the Jewish extremist organization Kahane Chai.

The State Department has also cited threats by state actors, including a threat by Iran against Saudi Arabia (1989), Iraqi threats against Saudi interests (1990), Iranian threats that participants in the Middle East peace process would “suffer the wrath of nation” (1991), Libyan threats to support extremists in neighboring countries (1993), Libyan threats against dissidents abroad (1994, 1997, and 1998), and alleged attempts by the former Iraqi regime to intimidate dissidents abroad (2000 and 2002).

The Immigration and Nationality Act’s definition of “terrorist activity” includes threats, and the Criminal Code’s chapter on terrorism also makes threats punishable. Thus, the omission of threats from the FRAA definition appears to be a drafting oversight, and State treats it accordingly. Although the cyberattacks against Korea Hydro, by themselves, probably do not qualify as terrorism, the threat to make the plants “like Fukushima” would meet the standard, to the same extent as the threats against audiences for “The Interview” would.

For more information on what re-listing North Korea as a state sponsor of terrorism would actually do, see this post.

It’s concerning to see North Korea’s threats escalate to this level. Much like the attacks of 2010, hacking nuclear power plants goes a step beyond what I’d have thought even North Korea to be capable of. It’s more evidence of Kim Jong Un’s impulsive and violent nature. It’s more evidence that ignoring North Korea isn’t working. Just as clearly, appeasing them didn’t work, either. Four months after President Obama promised a “proportional” response to North Korea’s terrorist threats against American moviegoers, he has still failed to deliver on that promise. North Korea has drawn the obvious conclusion.

~ ~ ~

Update: Yonhap’s take, and North Korea’s predictable reaction.