Return to

Dec. 25, 2014
Notes from the Pentagon

Four-star spymaster behind North Korean hacking
U.S. intelligence agencies have identified the military officer orchestrating North Korea’s state-sponsored hacking attacks, such as the one on Sony Pictures Entertainment. He is Gen. Kim Yong-chol, director of the espionage and clandestine operations service known as the Reconnaissance General Bureau, or RGB.

The RGB was formed in 2009 when the Korean People’s Army, the communist state’s military, combined its Reconnaissance Bureau with the ruling Workers’ Party of Korea Central Committee Operations Department.

The combined intelligence and military special operations force is under the control of North Korean supreme leader Kim Jong-un. Both military and party organizations have a long history of deadly covert operations and nefarious foreign espionage operations, such as the 1970s operations to kidnap foreign nationals for use in intelligence training in North Korea.

U.S. and South Korean intelligence agencies have been tracking Gen. Kim since he emerged as a member of the Central Military Commission in September 2010. The four-star general also was part of the funeral committee for Kim Jong-il, who died in 2011, a key indicator of his place in the hierarchy of the secretive North Korean power structure. His promotion to full general was announced in February 2012.

Gen. Kim, who is also deputy chief of the military’s general staff, has headed the RGB since 2009, but his career has not been without bumps. He was demoted to two-star rank in November 2012 following the arrest of a number of North Korean spies in South Korea. By February of 2013, however, Gen. Kim had regained the lost two stars.

His role as head of the RGB remained secret until March 29, 2013, when Pyongyang’s state-controlled media for the first time confirmed the existence of the organization blamed for the sinking of South Korea’s Cheonan warship in 2010. Earlier RGB operations included the terrorist bombing in Yangon, Myanmar, that killed three visiting South Korean government ministers and a commando raid on the South Korean Blue House presidential residence in 1968.

A report by the Center for Strategic and International Studies made public last week said North Korea employs around 5,900 cyberwarfare specialists.

“The act against Sony is the first of its kind by North Korea, in terms of both the target and the sophistication of the hack,” wrote CSIS researchers Jenny Jun, Scott LaFoy and Ethan Sohn.

The RGB “is now credited with significant operational cyber capabilities and missions that are, effectively, another means of achieving the objectives of previous provocations,” the report said.

Several groups of hackers within the organization have been identified. They include Unit 121 and Lab 110, cover names for shadowy cyberattack operations groups.

Unit 121 has been identified by U.S. and South Korean intelligence as the RGB’s main offensive cyberwarfare group. It is reported that cyberwarfare experts from the group operated out of the Chilbosan Hotel in Shenyang, China. The Sony hack was carried out from a hotel in Thailand, according to an intelligence source. Unit 121 also was blamed for the so-called DarkSeoul cyberattacks last year that were traced to North Korean hackers.

Those attacks against South Korean banks, television broadcasters and news outlets were very similar, in terms of malicious software used and other attack methodology, to the Sony hack. Against the movie network, the North Koreans used a layered cyberattack involving careful pre-attack reconnaissance, data theft for the attack and then data destruction on hard drives and other storage media through the use of “wiper” malware.

South Korea’s government, which cooperated with the FBI in investigating the Sony cyberattack, has linked the 2013 cyberattacks to Internet Protocol addresses belonging to the Pyongyang government’s Korea Post and Telecommunications Corporation, which is part of the Ministry of Post and Telecommunications.

A report produced in August by HP Security Research stated that “North Korean hackers have successfully penetrated U.S. defense networks more frequently than any other country that has targeted U.S. defense assets.”

The HP security report identified RGB Unit 204 as involved in cyberoperations. If true, that unit would also be a likely perpetrator of the Sony hack that successfully dissuaded the $8 billion entertainment giant to cancel its widespread Dec. 25 rollout of the movie “The Interview,” a comedy involving a fictitious plot to assassinate Kim Jong-un. Sony agreed to limited distribution after a backlash against the cancellation.

China builds base near Senkakus
China’s military is setting up facilities on small islands off the coast of Zhejiang province, about 186 miles northwest of Japan’s Senkakus, islands that China claims as its territory and calls the Diaoyu.

Japan’s Kyodo news agency and Bloomberg news, quoting Chinese sources, said the military base will be used by the People’s Liberation Army to react quickly to potential military crises.

China increased tensions in the East China Sea last year by announcing it was setting up an air defense identification zone covering the Senkakus and threatening aircraft or ships that enter the zone, which includes large swaths of international airspace and sea lanes.

The initial military construction on the Nanji Islands includes several large radar and several landing strips.

Rick Fisher, a senior fellow at the International Assessment and Strategy Center, said the Nanji Island military buildup is an ominous development for both Japan and Taiwan.

“China’s construction of a military base on Nanji Island could put an effective People’s Liberation Army amphibious assault force within a four-hour ride of the Senkaku Islands,” Mr. Fisher told Inside the Ring.

“The real danger is that China is initiating an escalation cycle that could lead to war.”

The new base could prompt Japan to militarize the Senkakus to deter Chinese military attacks. “But if Tokyo puts troops on the islands, then China will be more likely to attack them,” Mr. Fisher said.

PLA control over the Senkakus also would give the Chinese military a much better position for an attack on Taiwan. China has said it is prepared to use force to reunite the island with the mainland.

Additionally, China could deploy some of its large, Ukrainian-made Zubr air-cushioned hovercraft on Nanji and use them to move troops and tanks to the Senkakus or in an assault against Taiwan.

CIA Spying 101
As if the CIA didn’t have enough bad publicity following the release of a critical Senate Democratic staff report on its terrorist interrogation tactics, the anti-secrecy group Wikileaks this week published two classified CIA documents used to train clandestine service officers on how to evade security screening at airports.

“Consistent, well-rehearsed, and plausible cover is important for avoiding secondary selection and critical for surviving it,” states one of the documents, a report called “Surviving Secondary: An Identity Threat Assessment Secondary Screening Procedures at International Airports.” The document is labeled “Secret/Orcon/Noforn,” the last two acronyms standing for “originator controlled” and not for distribution to foreign nationals.

The 15-page manual tells CIA officers to avoid looking suspicious to airport security screeners by having a well-learned cover story and being prepared to answer two basic primary screening questions: “Why are you here?” and “Where are you staying?”

Not having clear or convincing answers could lead to tough interrogation by security and intelligence officials at airports in countries with difficult entry procedures, such as those in Europe, the Middle East and Asia.

The report contains this classified no-brainer tip: “Travelers can minimize the possibility of secondary by knowing how to prepare for and navigate the primary inspection and by avoiding to the extent possible the various triggers for secondary,” like sweating or breathing heavily while being questioned.

The report concludes that under all circumstances, CIA officers should not reveal their true identities, “no mater what.”

“Even when the traveler does everything right, the best protection during secondary screening is to be well-prepared with a cover story, according to an experienced CIA traveler,” the report says.

One tip for spies: Wear a tie. During an early-morning incident at a European airport, a CIA officer was picked for secondary screening, probably because his casual dress did not match his profile as a diplomatic passport holder. The officer faced grilling after explosives residue was found on his bag.

“In response to questioning, the CIA officer gave the cover story that he had been in counterterrorism training in Washington, DC,” the report said. “Although language difficulties led the local security officials to conclude that the traveler was being evasive and had trained in a terrorist camp, the CIA officer consistently maintained his cover story. Eventually, the security officials allowed him to rebook his flight and continue on his way.

The report revealed how China trains its spies to avoid intensive U.S. screening. In May 2009 the FBI learned that “a Chinese network security company advises its employees in secondary to avoid appearing nervous, keep answers simple, and not volunteer additional information, such as details on U.S. contacts,” the report said.

  • Contact Bill Gertz on Twitter at @BillGertz.

  • Return to