North Korean hackers stole US-South Korean war plans, says lawmaker
SEOUL — North Korean hackers stole a vast cache of data, including classified wartime contingency plans jointly drawn by Washington and Seoul, when they breached the computer network of the South Korean military last year, a South Korean lawmaker said on Tuesday (Oct 10).
One of the contingency plans contained the South Korean military’s plan to remove the North Korean leader Kim Jong Un, referred to as the “decapitation” plan, should war break out on the Korean Peninsula, the lawmaker, Mr Rhee Cheol-hee, told reporters.
Mr Rhee, a member of the governing Democratic Party who serves on the defense committee of the National Assembly, said he only recently learned of the scale of the North Korean hacking attack, which was first discovered in September last year.
It was not known whether any of the military’s top secrets were leaked, although Mr Rhee said that nearly 300 lower-classification confidential documents were stolen. The military is still unable to catalog nearly 80 percent of the leaked data, he said.
A Defense Ministry spokesman, Mr Moon Sang-gyun, refused to comment on Mr Rhee’s disclosure.
When the hacking attack was discovered last year, the ministry blamed North Korea. But it has acknowledged only that “some classified information” was stolen, saying that revealing more details would only benefit its enemies.
Some South Korean news media, citing anonymous sources, had earlier reported that the leaked data included wartime contingency plans. But Mr Rhee is the first member of the parliamentary committee that oversees the military to disclose similar details.
It remained unclear how much the hacking has undermined the joint preparedness of the South Korean and US militaries, with South Korean officials simply saying that they have been redressing whatever damage was caused by the cyberattack.
Under their mutual defense treaty, the United States takes operational control of South Korean troops in the event of war on the divided Korean Peninsula. The two sides hone their war plans through annual joint military exercises. The plan containing the so-called decapitation operation, Operations Plan 5015, had been updated in 2015 to reflect the growing nuclear and missile threat from North Korea. Its details remain classified.
As Kim, the North Korean leader, has accelerated his nuclear missile program in recent years, South Korean defense officials have publicly discussed pre-emptive strikes at critical missile and nuclear sites in North Korea and a decapitation operation.
After North Korea’s sixth — and by far most powerful — nuclear test last month, the South Korean defense minister, Mr Song Young-moo, told lawmakers in Seoul that a special forces unit with a task of removing Kim would be established by the end of the year.
Last month, US strategic bombers and fighter jets also flew deep to the north along the east coast of North Korea in what some South Korean defense analysts said was an exercise to target the North Korean leadership in the event of conflict.
North Korea bristles at any threat to Kim, and a war of words has escalated between North Korea and the Trump administration. North Korea claimed a right to shoot down US warplanes flying in international airspace if they came near the country. When US President Donald Trump threatened to “totally destroy” North Korea last month, Mr Kim vowed to “tame the mentally deranged US dotard with fire.”
Mr Kim was desperate to get hold of South Korea’s decapitation plan, South Korean intelligence officials told lawmakers in June. He had also begun using his deputies’ cars as decoys to move from place to place, they said.
North Korea runs an army of hackers trained to disrupt enemy computer networks and steal cash and sensitive data. In the past decade, it has been blamed for numerous cyberheists and other hacking attacks in South Korea and elsewhere.
In the attack in September last year, later code-named “Desert Wolf” by anti-hacking security officials, North Korean hackers infected 3,200 computers, including 700 connected to the South Korean military’s internal network, which is normally cut off from the internet. The attack even affected a computer used by the defense minister.
Investigators later learned that the hackers first infiltrated the network of a company providing a computer vaccine service to the ministry’s computer network in 2015. They said the hackers operated out of IP addresses originating in Shenyang, a city in northeast China that had long been cited as an operating ground for North Korean hackers.
The intruders used the vaccine server to infect internet-connected computers of the military with malicious code in August last year, the investigators said. They were also able to spread the malware to intranet computers when the military’s closed internal network was mistakenly linked to the internet during maintenance.
THE NEW YORK TIMES