A major cyber attack on South Korea is usually not a stop-the-presses global news item; it’s fairly routine for North Korea and China to make attempts. The recent reveal of an October 2018 incursion by “unknown hackers” is an exception for two reasons – South Korea’s refusal to name the attackers, and the manner in which this high-level military data was stolen.
The hackers were able to steal data from at least 10 computers at the Defense Acquisition Program Administration (DAPA). The stolen documents were related to arms procurement, specifically the country’s next-generation fighter aircraft.
It’s an interesting point of political note that South Korea has not opted to name North Korea as the responsible party, even though they are the most likely culprits. South Korea has wasted no time naming and shaming their neighbors in the past, but it would appear that the road to rapprochement the countries have set out upon includes significant tolerance for cyber attacks.
That part of it is political trivia, however. The really interesting bit is the details of how these “mystery hackers” broke into the defense agency and the organizational failures that this cyber attack highlights.
How the South Korea cyber attack happened
The attackers targeted an app called “Data Storage Prevention Solution” that is a required install on nearly all South Korean government computers. Ironically, this is a security app that prevents users from downloading and saving documents locally.
The hackers were able to gain administrative access to the app, allowing them to simply download any files that were on the agency’s internet-connected workstations. The cyber attack was detected by the country’s National Intelligence Service in late October (about a week after it occurred), which conducted an investigation and prepared a report before revealing the attack to the public in January 2019.
When data loss prevention goes wrong
The worrying element of this hack is the ease by which the hackers were able to get admin access in an element of a technologically advanced government’s internal data loss prevention (DLP) software. Though the specific nature of the malicious code used was not revealed by South Korea, techniques for unauthorized access by way of cross-site scripting and request forgery attacks have been used in the wild since at least 2014.
DLP software is a natural target for a cyber attack as it usually comes with high-level administrative access. Because of this, and because there are usually a number of ways for a determined local user to bypass it if they really want to get documents off of the computer, there is debate among cybersecurity professionals as to whether the use of it should be considered a best practice.
However, even if DLP software is in use and is breached, there are further failsafe elements that one would expect the computers of a governmental defense department agency to have in place.
As Pravin Kothari, CipherCloud CEO observed: “The hack of a South Korean database that contains weapons and munitions data for the country’s military is not much of a surprise. Likely, even in times of detente, you would expect both China and North Korea to be vigorously banging on the cyber front door in South Korea. What’s surprising is that the South Korean data was so easily stolen and that the attackers were able to escalate permissions to administrator level access.
“In today’s environment for commercial business, let alone government security and defense agencies, the de rigueur approach for cyber security necessarily includes end-to-end encryption, single sign-on, and two-factor authentication, at minimum. End-to-end encrypted data, otherwise known as “edge” or Zero Trust encryption, expects an attacker to penetrate the networks over time, but protects the data by encrypting it at all times. That is, the data is protected with encryption while in the database, file stores, in use, in transit, through middleware and through database and application API’s.
“Finally, administrator access can be managed through ticketing systems that deeply authenticate the administrator, and then issue a one-time token for them to use to access the systems that require their attention. So each time an admin wants to use the power of their position, they are required to re-authenticate. Unfortunately, none of these cyber defense best practices were in place in the South Korean defense department.”