North Koreans Steal OPLAN Because Someone Left an Unclassified Computer Plugged Into Its Secret Network

Here is how the North Koreans were able to get access to OPLAN 5015:

A South Korean lawmaker recently disclosed that hackers suspected to be North Korean gained access to Seoul’s highly secured military intranet in September 2016 and made off with the US and South Korea’s secret war plans.

“It’s a ridiculous mistake,” the lawmaker, Rhee Cheol-hee, told The Wall Street Journal.

North Korean personnel reportedly attacked a South Korean cybersecurity firm and embedded themselves in the software. South Korea’s military used the software on its military computers, but the North Koreans still shouldn’t have been able to get in because Seoul keeps its internet, or outwardly connected network, separate from its intranet, or private network.

But it took only one computer plugged into both the internet and the intranet for the North Koreans to break in, The Journal reported.

“They should have removed the connector jack immediately after maintenance work,” Rhee said.

As a result, North Korea reportedly got ahold of Operation Plan 5015, the US and South Korea’s secret war plan to kill the North Korean leader Kim Jong Un.  [Business Insider]

Maybe someone with IT experience can tell me why an unclassified networked computer needs to be plugged into a classified network for maintenance reasons?
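The excerpt says the break-in came down to a single machine that was left plugged into both the internet-connected network and the classified intranet after maintenance. The check below is an added example, not anything from the article, the Journal, or the ROK military: it walks a constructed interface inventory, flags any host that holds addresses on both network domains at once, and reports how long the bridge has existed, so that a connector left in place "after maintenance work" shows up as an overdue finding rather than sitting unnoticed. The address ranges, host names, timestamps and the 15-minute grace window are all assumptions chosen for illustration.

```python
"""Added example (not from the original post): detect dual-homed hosts
that bridge an unclassified network and a classified intranet.

Assumptions (illustrative, not taken from the article):
  * the unclassified network is 10.10.0.0/16 and the classified intranet
    is 192.168.50.0/24; a real deployment would load these from inventory;
  * each inventory line reads "<host> <iface> <ip/prefix> <first_seen_epoch>",
    as an asset-inventory agent or switch poll might record it.
"""
import ipaddress

UNCLASSIFIED_NETS = [ipaddress.ip_network("10.10.0.0/16")]
CLASSIFIED_NETS = [ipaddress.ip_network("192.168.50.0/24")]

# Constructed sample inventory: one admin workstation was cabled into the
# classified segment for maintenance and never unplugged from the other side.
SAMPLE_INVENTORY = """\
ws-admin-07 eth0 10.10.4.23/16 1473000000
ws-admin-07 eth1 192.168.50.17/24 1473001200
srv-files-01 eth0 192.168.50.5/24 1470000000
ws-user-12 wlan0 10.10.9.101/16 1473002000
"""


def classify(addr):
    """Return 'classified', 'unclassified', or None for an IP address."""
    if any(addr in net for net in CLASSIFIED_NETS):
        return "classified"
    if any(addr in net for net in UNCLASSIFIED_NETS):
        return "unclassified"
    return None


def parse_inventory(text):
    """Group records by host: {host: {domain: [(iface, ip, first_seen)]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, iface, cidr, seen = line.split()
        addr = ipaddress.ip_interface(cidr).ip
        domain = classify(addr)
        if domain is None:  # address outside both tracked domains
            continue
        hosts.setdefault(host, {}).setdefault(domain, []).append(
            (iface, str(addr), int(seen))
        )
    return hosts


def find_bridging_hosts(text, now):
    """Return [(host, seconds_bridged)] for hosts on both domains at once.

    The bridge begins when the *second* domain first appears on the host,
    so seconds_bridged measures how long both links have coexisted.
    """
    findings = []
    for host, domains in parse_inventory(text).items():
        if "classified" in domains and "unclassified" in domains:
            first_seen_per_domain = [
                min(seen for _, _, seen in recs) for recs in domains.values()
            ]
            bridge_start = max(first_seen_per_domain)
            findings.append((host, now - bridge_start))
    return findings


def overdue_bridges(text, now, grace_seconds=900):
    """Bridges older than the maintenance grace window (default 15 minutes)."""
    return [
        (host, secs)
        for host, secs in find_bridging_hosts(text, now)
        if secs > grace_seconds
    ]


if __name__ == "__main__":
    NOW = 1473010000  # constructed "current time" for the sample data
    for host, secs in overdue_bridges(SAMPLE_INVENTORY, NOW):
        print(f"{host}: bridging both domains for {secs} s past grace window")
```

Any host the check reports should be treated as a cross-domain violation and isolated, regardless of whether anything malicious is yet visible on it; the grace window only decides when a maintenance connection becomes a finding, not whether bridging is acceptable.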

GIKorea


I am a US military veteran that has served all over the world to include in Iraq, Afghanistan, and Korea. I have been blogging about Korea, Northeast Asia, and the US military for over 10 years.

7 Comments on "North Koreans Steal OPLAN Because Someone Left an Unclassified Computer Plugged Into Its Secret Network"

bmw

I couldn’t read the whole article and I do not know if the terminology used in the excerpt is accurate, or just the media’s layman’s understanding of the situation.
But if I could speculate, which I like to do…
1: They were cutting corners.
2: They have poor security in place that did not automatically terminate the connection.
I remember an incident a while back in which SECRE.T/RO.K US information was emailed back and forth to various Korean national contractors’ personal Naver accounts. And I imagine every instance of this happening goes unreported 100/1. Koreans do not hold the same standards of OPSEC as the US, so I imagine NK knows a lot by just having a few South Korean embeds.

bmw

But when I read this a week ago, there was something I was curious about.
Why are they sharing this with everybody?
It very well could be a fake plan that they let NK take via a honeypot to gather information on the attack.
Then they advertise to the world how it was stolen, so NK thinks they got the real thing.
Thoughts?

guitard

Maybe someone with IT experience can tell me why an unclassified network computer needs to be plugged into a classified network for maintenance reasons?

For the US side, there are no scenarios that allow for an unclassified computer to be connected to a classified network, and then remain being an unclassified computer. Once an unclassified computer is plugged into a classified network, from that moment forward, it forever becomes a classified computer.

I assume the ROKs have the same policy. But I wouldn’t bet more than a cup of coffee on that.

Maui

RoK has close to the same security policy, but it’s their lack of implementation, discipline and adherence to standards that causes the issue. You can buy only so much technology but it’s still how it’s utilized that makes or breaks you.

JoeC

Guitard is right. That computer should have had a classified label stuck on it as soon as it was connected to a classified network and not again allowed to connect to an unclassified network.

When I first heard this story I knew it was another instance of the media playing loose with the term “hacking.” We imagine the evil genius from the movies at a remote computer sending commands to tear into our most secure networks. That’s probably never happened to truly classified networks. The incidents that have happened have been against government and commercial computers with direct connections to the Internet. The hacking in this incident, if any actually took place, would have occurred after a major human screwup.

BTW, season 3 of Mr. Robot just started. That show is recognized for having the most realistic depictions of how hacking is done. In season 1 episode 5, the hackers are brainstorming how to get to the data on servers in a super secure facility. The lead hacker says, “All we need is one security flaw” while viewing a monitor showing the outside of the facility. Then he says, “I see six right there” as six employees enter the building.

Bob Smith

You can transfer files from NIPR (unclassified) to SIPR (classified) without using a CD. There’s a DOD website that verifies the file and forwards it to your SIPR account.

As for plugging in NIPR to SIPR or vice versa, I’ve always wondered why SIPR and NIPR have the same CAT 5 connection. One would think the Army could pay someone (me) a ton of money to invent a different connection type for the two.
