Hidden 'treasure' helps NIS crack spy's cache of secrets

One of four South Gyeongsang-based activists suspected of spying for North Korea arrives at the Seoul Central District Court in southern Seoul to attend his arrest warrant hearing on Jan. 31. [YONHAP]

For weeks, counterintelligence officials at South Korea's spy agency struggled to crack a tiny adversary — a locked USB stick that they believed was the key to proving that a South Korean labor activist followed orders from the North to foment unrest in the South.

The activist, identified by the National Intelligence Service (NIS) only by the surname Seok, was one of four activists from Changwon, South Gyeongsang, accused of operating an underground, pro-Pyongyang organization since 2016.

But he and the other accused activists refused to cooperate with investigators, who suspected they had taken their cues from the North when organizing protests against the South Korean government and the U.S. military presence in the South.

Although the NIS had confiscated Seok’s computer and other materials during a raid on his house in May, they initially failed to uncover the cipher typically used by the North to encrypt its orders abroad.

Such directives are usually embedded via steganography into images inside password-locked document files on USB sticks, which themselves also require a password to open.

But without the correct cipher, “it could take 10,000 years even for a supercomputer to land on the correct passwords to the document file and the USB stick,” said a NIS official who spoke to the JoongAng Ilbo on condition of anonymity.

The solution to this dilemma was randomly discovered by a NIS agent, who stumbled upon a string of gibberish written in the Latin alphabet that read, “rntmfdltjakfdlfkehRnpdjdiqhqoek,” in another data storage device owned by Seok.

When the NIS agent typed out Korean letters in the same locations on a computer keyboard as these Latin letters in the same order, they spelled out, “Even three sacks of pearls only turn into treasure if you weave them together.”

The Korean proverb proved key to uncovering the cipher officials needed to crack the USB and the word document inside it.

According to the NIS, the decrypted document contained approximately 114 directives from the North to Seok and the other suspects, including orders to gather diagrams of communication networks undergirding major government institutions, as well as classified information on power plants and port facilities near the U.S. military base in Pyeongtaek, Gyeonggi.

The NIS also said the North ordered the activists to stir up anti-Japanese sentiment by burning a Rising Sun flag at a rally and by organizing protests against Japan’s plan to release radioactive water from the ruined Fukushima Daiichi nuclear power plant.

Their alleged espionage activities were discovered after six years of monitoring by the NIS, which tracked the suspects’ overseas movements and contacts.

The four were arrested in late January.

According to the NIS and the state prosecution service, the four contacted the North’s intelligence agents in Cambodia and other Southeast Asian countries to receive directives and money from them.

During their meetings with North Korean agents, the South Korean activists allegedly discussed how to destroy data storage devices, such as USBs, in case they were caught, including swallowing them whole.

The activists are also accused of infiltrating civic groups or labor unions involving farmers and students to recruit new members.

The state prosecution service has described the group as a criminal spy ring dedicated to helping North Korean leader Kim Jong-un achieve a revolution within South Korea to overthrow the government in Seoul.

BY MICHAEL LEE [lee.junhyuk@joongang.co.kr]