North Koreans Steal OPLAN Because Someone Left an Unclassified Computer Plugged Into Its Secret Network

Here is how the North Koreans were able to get access to OPLAN 5015:

A South Korea lawmaker recently disclosed that hackers suspected to be North Korean gained access to Seoul’s highly secured military intranet in September 2016 and made off with the US and South Korea’s secret war plans.

“It’s a ridiculous mistake,” the lawmaker, Rhee Cheol-hee, told The Wall Street Journal.

North Korean personnel reportedly attacked a South Korean cybersecurity firm and embedded themselves in the software. South Korea’s military used the software on its military computers, but the North Koreans still shouldn’t have been able to get in because Seoul keeps its internet, or outwardly connected network, separate from its intranet, or private network.

But it took only one computer plugged into both the internet and the intranet for the North Koreans to break in, The Journal reported.

“They should have removed the connector jack immediately after maintenance work,” Rhee said.

As a result, North Korea reportedly got ahold of Operation Plan 5015, the US and South Korea’s secret war plan to kill the North Korean leader Kim Jong Un.  [Business Insider]

Maybe someone with IT experience can tell me why an unclassified networked computers needs to be plugged into a classified network for maintenance reasons?



I am a US military veteran that has served all over the world to include in Iraq, Afghanistan, and Korea. I have been blogging about Korea, Northeast Asia, and the US military for over 10 years.


  1. I couldn’t read the whole article and I do not know if the terminology used in the excerpt is accurate, or just the medias’ laymen understanding of the situation.
    But if I could speculate, which I like to do….
    1: They were cutting corners.
    2: They have poor security in place that did not automatically terminate the connection.
    I remember of an incidence a while back in which SECRE.T/RO.K US information was emailed back and forth to various Korean national contractors personal Naver accounts. And I imagine every instance of this happening goes unreported 100/1. Koreans do not hold the same standards of OPSEC as the US, so I imagine NK knows a lot by just having a few South Korean imbeds.

  2. But when I read this a week ago I was curious about.
    Why are the sharing this with everybody?
    It vary well could be a fake plan that they let NK take via a honeypot to gather information on the attack.
    Then they advertise to the world how it was stolen, so NK thinks they got the real thing.

  3. Maybe someone with IT experience can tell me why an unclassified network computer needs to be plugged into a classified network for maintenance reasons?

    For the US side, there are no scenarios that allow for an unclassified computer to be connected to a classified network, and then remain being an unclassified computer. Once an unclassified computer is plugged into a classified network, from that moment forward, it forever becomes a classified computer.

    I assume the ROKs have the same policy. But I wouldn’t bet more than a cup of coffee on that.

  4. RoK has close to the same security policy, but it’s their lack of implementation, discipline and adherence to standards that causes the issue. You can buy only so much technology but it’s still how it’s utilized that makes or breaks you.

  5. Guitard is right. That computer should have had a classified label stuck on it as soon as it was connected to a classified network and not again allowed to connect to an unclassified network.

    When I first heard this story I knew it was another instance of the media playing loose with the term “hacking.” We imagine the evil genius from the movies at a remote computer sending commands to tear into our most secure networks. That’s probably never happened to truly classified networks. The incidents that have happened have been against government and commercial computers with direct connections to the Internet. The hacking in this incident, if any actually did, would have occurred after a major human screwup.

    BTW, season 3 of Mr. Robot just started. That show is recognized for having the most realistic depictions of how hacking is done. In season 1 episode 5, the hackers are brainstorming how to get to the data on servers in a super secure facility. The lead hacker says, “All we need is one security flaw” while viewing a monitor showing the outside of the facility. Then he says, “I see six right there” as six employees enter the building.

  6. Everyone, thanks for the insights. It did not sound right to me that an unclassified computer was plugged into a classified network. It makes me wonder if whoever had the computer plugged into the classified network was trying to move files over more quickly instead of burning them on to a CD.

  7. You can transfer files from NIPR (unclassified) to SIPR (classified) without using a CD. There’s a DOD website that verifies the file and forwards it to your SIPR account.

    As for plugging in NIPR to SIPR or vice versa, I’ve always wondered why SIPR and NIPR have the same CAT 5 connection. One would think the Army could pay someone (me) a ton of money to invent a different connection type for the two.

Leave a Reply

Your email address will not be published. Required fields are marked *