North may have hacked South’s cyber command

North Korea may have hacked into the South’s cyber command, which would be the first time it has been compromised, according to an official of the Ministry of National Defense on Tuesday.

“The Defense Ministry found traces that a server of the National Cyber Command was infected by malware in September,” said the official. “The ministry has been investigating and found out that a unit’s computer was connected to both the intranet and the internet and this was how the hackers were able to plant the malware in the military’s intranet.

“We have confirmed that the malware was transmitted from Shenyang [in northeast China’s Liaoning Province],” the official added.

“And given that the malware is similar in form to kinds made in North Korea, the ministry suspects that the North was likely behind the cyberattack.”

According to the ministry official, some military officials disobeyed regulations requiring them to disconnect a computer from the internet when handling confidential information. They also apparently saved confidential information on the computer.

The official did not identify which unit disobeyed the regulations, saying that the server may be targeted further if the unit is revealed.

“As of now it seems some military information has been leaked, including some confidential information,” said Moon Sang-gyun, a spokesman for the Defense Ministry.

The ministry did not specify what information has been compromised, though questions were raised as to whether it related to the U.S.-led Terminal High Altitude Area Defense antimissile defense system, given that discussions on where to locate the system were ongoing in September.

“The ministry cannot announce the extent of the cyberattack,” said the Defense Ministry official, “because that would in part send a message to the hackers that their attack was successful, and further compromise the military’s cybersecurity system.”

According to the ministry, the first time the malware was found on the server was Aug. 4.

The malware spread rapidly through the server by late September and the ministry suspects this is when hackers reportedly got hold of confidential military information.

“The hackers appear to have repeatedly searched for a weak point in the firewall through continued attacks,” the official added, “and when they found one, they planted the malware and took the confidential information.”

The hackers are suspected to have dismantled the server’s antivirus system and spread the malware. The ministry disconnected the military’s intranet from the antivirus system on Sept. 25 to prevent more computers from being infected.

While the ministry discovered the malware in August, it was not able to pinpoint when the unit’s computer was connected to both the internet and the intranet. That could date back to as far as two years ago, when the unit was reportedly established.

If confidential information is found to have been compromised by the North, the South might have to revamp many systems.

“While we do not know what information has been leaked,” said Shin Jong-woo, secretary general of the Korea Defense and Security Forum, “it is paramount that whatever has been leaked to the enemy must be changed completely.”

This is the first time that the intranet of South Korea’s military has been hacked.

The South Korean military uses the internet for general administrative work and the intranet for confidential operations. The ministry has assured the public that its internal network is disconnected from the internet and safe from cyberattacks.

The fact that a unit’s negligence might be responsible is raising questions. Suspicions that a spy may have deliberately left the intranet vulnerable to a cyberattack have also risen.

BY JUNG YONG-SOO [chung.juhee@joongang.co.kr]