A major cyber attack on South Korea is usually not a stop-the-presses global news item; it’s fairly routine for North Korea and China to make attempts. The recent reveal of an October 2018 incursion by “unknown hackers” is an exception for two reasons – South Korea’s refusal to name the attackers, and the manner in which this high-level military data was stolen.
The hackers were able to steal data from at least 10 computers at the Defense Acquisition Program Administration (DAPA). The stolen documents were related to arms procurement, specifically the country’s next-generation fighter aircraft.
It’s an interesting point of political note that South Korea has not opted to name North Korea as the responsible party, even though they are the most likely culprits. South Korea has wasted no time naming and shaming their neighbors in the past, but it would appear that the road to rapprochement the countries have set out upon includes significant tolerance for cyber attacks.
That part of it is political trivia, however. The really interesting bit is the details of how these “mystery hackers” broke into the defense agency and the organizational failures that this cyber attack highlights.
How the South Korea cyber attack happened
The attackers targeted an app called “Data Storage Prevention Solution” that is a required install on nearly all South Korean government computers. Ironically, this is a security app that prevents users from downloading and saving documents locally.
The hackers were able to gain administrative access to the app, allowing them to simply download any files that were on the agency’s internet-connected workstations. The cyber attack was detected by the country’s National Intelligence Service in late October (about a week after it occurred), which conducted an investigation and prepared a report before revealing the attack to the public in January 2019.
When data loss prevention goes wrong
The worrying element of this hack is the ease by which the hackers were able to get admin access in an element of a technologically advanced government’s internal data loss prevention (DLP) software. Though the specific nature of the malicious code used was not revealed by South Korea, techniques for unauthorized access by way of cross-site scripting and request forgery attacks have been used in the wild since at least 2014.
DLP software is a natural target for a cyber attack as it usually comes with high-level administrative access. Because of this, and because there are usually a number of ways for a determined local user to bypass it if they really want to get documents off of the computer, there is debate among cybersecurity professionals as to whether the use of it should be considered a best practice.
However, even if DLP software is in use and is breached, there are further failsafe elements that one would expect the computers of a governmental defense department agency to have in place.
As Pravin Kothari, CipherCloud CEO observed: “The hack of a South Korean database that contains weapons and munitions data for the country’s military is not much of a surprise. Likely, even in times of detente, you would expect both China and North Korea to be vigorously banging on the cyber front door in South Korea. What’s surprising is that the South Korean data was so easily stolen and that the attackers were able to escalate permissions to administrator level access.
“In today’s environment for commercial business, let alone government security and defense agencies, the de rigueur approach for cyber security necessarily includes end-to-end encryption, single sign-on, and two-factor authentication, at minimum. End-to-end encrypted data, otherwise known as “edge” or Zero Trust encryption, expects an attacker to penetrate the networks over time, but protects the data by encrypting it at all times. That is, the data is protected with encryption while in the database, file stores, in use, in transit, through middleware and through database and application API’s.
“Finally, administrator access can be managed through ticketing systems that deeply authenticate the administrator, and then issue a one-time token for them to use to access the systems that require their attention. So each time an admin wants to use the power of their position, they are required to re-authenticate. Unfortunately, none of these cyber defense best practices were in place in the South Korean defense department.”
The importance of administrator authentication
Two-step authentication is a vital measure of protection against not just DLP attacks, but any similar cyber attack that targets vulnerable programs and apps with high-level administrative access.
Dana Tamir, VP of Market Strategy at Israeli enterprise-focused cybersecurity company Silverfort, expands upon the importance of multi-factor authentication in business settings:
“Protecting privileged access to sensitive systems and resources is critical to organizations. If privileged accounts, credentials or secrets become compromised, an adversary may gain unfettered access to the organization’s crown jewels. Requiring administrators to authenticate with second authentication factor (MFA) can prevent unauthorized access by hacker. Until today it was difficult to add MFA for privileged access, but a new generation of agentless MFA solutions can now seamlessly secure any access to any sensitive systems, including administrative console, SSH, RDP and session managers.”
Institutional culture and network security
As Dana Tamir points out, it is now possible to implement MFA even with legacy networks for which it previously would not have been viable. The only real stumbling block is institutional rigidity.
Colin Bastable, CEO of Lucy Security, aptly points out how the South Korean military structure may have been a prime example of organizational rigidity getting in the way of best security practices:
“Hackers taking control of DLP (Data Leakage Prevention) software is sub-optimal, to say the least. We must assume that the damage is far more severe, pervasive and extensive than stealing some purchase orders. The Koreans have not yet found out how bad it is.
“South Korea is the front line of the second Cold War: it is a highly centralized, fully wired, very advanced cyber-aware society with a strong top-down culture; this makes them especially vulnerable to cyber attacks. There’s a fundamental problem with military organizations and cybersecurity – there are few rewards for questioning security of systems, and lots of career downside. No one gets promoted for exposing the failings of a senior officer. In such cases, the first instinct of the military is to close ranks, get rid of the troublemaker and promote the incompetents out of the way.
“Obeying orders and countering cyber attacks do not go hand in hand, which is why hackers, whether state actors or schoolkids in their rooms, will always find a way in.”
The military is an extreme example, but certain elements of this are not uncommon to entrenched corporate cultures. For example, a culture in which members feel it is not safe to share opinions on or information about cybersecurity, or a very rigid culture in which a non-tech-savvy CEO makes relevant decisions on behalf of the entire C-suite with little input from below. Some companies prioritize sparing their members public embarrassment over implementing and maintaining proper cybersecurity policies, as was famously demonstrated when Uber paid off their attackers to cover up their high-profile 2016 data breach. And with other companies, it’s a case of looking at cybersecurity as another budget item (to be trimmed whenever possible) rather than a critical core component of everyday operations.
Not just for governments and enterprise businesses
The South Korea attack made national news because it penetrated a government agency, but government agencies and large corporations are not the only targets for attacks such as these. In fact, data indicates that hackers in general have an almost equal preference for small businesses as they view them as softer targets.
Does that mean your business will be attacked by Kim Jong-un and his North Korean hackers? It’s not all that likely … but it’s also far from impossible. Keep in mind that North Korea is widely believed to have been behind the “WannaCry” ransomware attacks of 2017 (according to the United States) that resulted in damages in the hundreds of millions of dollars across 150 countries. The North Korean regime is strapped for certain resources yet has high-level cybersecurity researchers working for it, so hacking easy targets for profit is clearly not out of the question.