Once again, Bureau 121 of North Korea can claim success. According to a report published in the Yonhap News outlet, Bureau 121 hackers penetrated classified computer systems in the South Korean Defense Integrated Data Center and stole the war plans for defending the South. The Operational War Plans (OPLAN) 5015 and 3100 taken by North Korean hackers are the most highly classified details for U.S. and South Korean planned military strikes and defense tactics in case of war with Pyongyang.
OPLAN 5015 is reportedly the most up-to-date war plan with North Korea, filled with tactical operations designed to “decapitate” the Pyongyang military and civilian leadership. In contrast, OPLAN 3100 is Seoul’s military operation plan for dealing with North Korean “localized provocations”.
According to South Korean officials, 235 gigabytes of military documents were taken and nearly 80 percent of them have yet to be identified. Also included in the North Korean hacker breach were contingency plans for the South’s Special Forces units, reports to top allied commanders, detailed information on key military facilities and security data on South Korean power plants.
“The Ministry of National Defense has yet to find out about the content of 182 gigabytes of the total (stolen) data,” stated Democratic Party Rep. Lee Cheol-hee.
While the South Korean defense ministry originally claimed nothing of value was stolen by the hacking, the latest news indicates that the breach was more extensive and damaging than previously reported. The South Korean military and US military units stationed in South Korea have been frequent targets of hackers employed by the DPRK unit Bureau 121. According to South Korean officials, the ranks of Bureau 121 have swollen to over 6,000 hackers, some of whom are no longer based inside the North. One of the suspected locations of a Bureau 121 cell is the Chilbosan Hotel in Shenyang, China.
Bureau 121 has engaged in more traditional cyber-warfare efforts directed at military assets. Seoul has repeatedly blamed Bureau 121 for conducting GPS jamming aimed at South Korea, with the most recent case of jamming occurring on 1 April 2016.
Bureau 121 has also worked closely with its Chinese counterparts in trying to hack US-made THAAD missile defense systems deployed to South Korea. US-based FireEye found Bureau 121 digital fingerprints showing that the attacks were staged by two groups connected to the Chinese military and North Korea. One of these attacking Chinese Army groups, named “Tonto Team”, operates from the same hotel in China as the North Korean Bureau 121, showing the close working collaboration between Beijing and Pyongyang.
“We have evidence that they targeted at least one party that has been associated with the missile placements,” stated John Hultquist, the director of cyber espionage analysis at FireEye.
DPRK Bureau 121 is also known on the street as the Lazarus Group, according to researchers at several anti-hacking companies. Bureau 121’s Lazarus Group focuses mainly on financial crimes designed to bring in cash to support its operations and deliver money to feed the North Korean military. The Lazarus Group was recently identified as the source of financial hacking in Ireland. Irish investigators now believe Bureau 121 attempted a $5 million hack carried out against Meath County Council in October 2016.
The Bureau 121 hackers impersonated chief executive Jackie Maguire, submitting a fake instruction to a junior council employee for funds to be transferred overseas. Fortunately, the funds were frozen in a bank account in Hong Kong just minutes before they were scheduled to be transferred to a Chinese bank directly associated with Pyongyang accounts. The Irish Garda Computer Crime Bureau is now working closely with Europol and Interpol on the crime.
CHARLES R. SMITH