Military computer network left exposed to malicious code for 46 days

Posted on : 2016-12-07 15:50 KST Modified on : 2019-10-19 20:29 KST
Investigation finds that network was not kept disconnected from the internet, resulting in leaks of confidential information
Vice Minister of National Defense Hwang In-moo presides over a meeting of the Cyber Security Committee

The first exclusive military computer network in the history of South Korea’s military was exposed to malicious code for at least 46 days in August and September, resulting in the leaking of a number of military secrets.

An investigation found that the system was left open to outside attack because military authorities failed to follow the rule that the defense network, which stores confidential data, be kept disconnected from the internet and run separately.

“On Sep. 23, evidence was detected of malicious code having spread to the internet server used by the military by means of an anti-virus program,” a military official explained to reporters on Dec. 5, speaking on condition of anonymity. “On Sep. 30, a joint investigation team was put together, which found that some military materials had been leaked, including some confidential information.”

At the time of the incident, the Defense Ministry determined that defense network servers and PCs beyond those connected to the internet were not infected. In a parliamentary audit at the time, Republic of Korea Cyber Command commander Byeon Jae-sun responded to questions from Minjoo Party lawmaker Kim Jin-pyo by saying the “possibility of hacking or information leakage is low because the military computer network is kept separate from the internet.” But the latest investigation findings showed the defense network was also hacked, with a number of confidential materials there being leaked.

The defense network hack was found to have been the result of the computer network and internet not being kept properly separated. According to accounts from the Defense Ministry, the military computer network is divided into three systems: an internet network, national defense network, and electronic instrument network. The three systems are kept physically separated, preventing outsiders from entering the defense or electronic instrument networks in an internet-based hacking attack.

But the investigation results showed the internet and defense network to have been connected on a server operated by one military organization.

“An internet network card and defense network card were found to have been inserted together on a server operated by a unit under the Cyber Command,” explained a military source.

“The malicious code was transferred from the internet network to the defense network over this connection, and that’s how the data were extracted,” the source added.

The Defense Ministry remains in the dark on when and under what circumstances the unit connected the internet and defense networks in violation of regulations.

“It hasn’t been determined whether the unit’s computer network was connected at the time of installation two years ago or after that,” a military source said.

Military authorities were also found to have been totally unaware of the defense network’s hacking for over a month and a half.

“The malicious code login on the military institution’s server was found to have been on Aug. 4,” said a military source. Since the Defense Ministry did not discover evidence of the internet server’s infection until Sep. 23, the network was defenselessly exposed for at least 46 days. And because the Defense Ministry confirmed the defense network’s infection only after the joint team was established on Sep. 30 and carried out its investigation, the authorities were unaware of it for more than 53 days counting back from that date.

The Defense Ministry declined to give specifics on which confidential documents stored on the defense network were leaked or how many servers were infected, calling them “security-related matters.”

The Defense Ministry suspected North Korea of being responsible for the hack.

“The IP address for the server used in the hack was based in Shenyang, China, and the malicious code methods were found to be similar to those frequently used by North Korea in the past,” said a military source.

By Park Byong-su, senior staff writer

Please direct questions or comments to [english@hani.co.kr]
