More Shots Fired on the Cyber Front: Key Takeaways From Operation Troy

A report released this week by McAfee Labs revealed that a single hacker group is responsible for years of cyber attacks and espionage against South Korea. While McAfee did not name a culprit, the report -- combined with the results of previous investigations -- strongly suggests that North Korean military or intelligence operatives are responsible.

The attacks, which have been observed from 2009 to the present, are highly consequential. They deny South Koreans access to their bank accounts, take down government and news services (including, early on, US government websites), and cause huge cleanup costs for financial institutions. A think tank analysis put the price tag of one of these attacks at many tens of millions of dollars to South Korean financial institutions.

The group responsible, "Operation Troy," also tried to steal national security information, including details of joint US-ROK contingency planning for war on the Korean peninsula.

Operation Troy is a fascinating case of a prolonged cyber warfare campaign that differs from mainstream examples, such as the Estonia 2007 and Georgia 2008 incidents. The attacks teach us a great deal about what to expect from future conflicts, and highlight policy opportunities to prevent these kinds of attacks and reduce their consequences.

Perhaps the most important lesson is that low-capability cyber actors are capable of imposing large costs. Governments don't need Stuxnet-level skills to be able to successfully penetrate sensitive computer networks and degrade or deny their services.

McAfee's technical report shows that the Troy coders are less talented than their counterparts in South Korea and other advanced economies. They were successful, however, because they were willing to patiently wait for users to click links or open attachments that they shouldn't have, or to browse to websites tainted with malicious code. This approach usually works because any large organization will have a small number of users who eventually make mistakes or are simply incompetent. Troy shows that the true list of significant cyber threat actors to the United States and its allies is much longer than the "big three" publicly noted by US officials: China, Russia, and Iran.

Second, cyber attribution remains very difficult, takes a long time, and may never be possible if attackers take appropriate actions to cover their tracks. Word has been getting around policy circles in Washington, DC, that the cyber attribution problem is mostly solved, and it is tempting to think so after seeing reports like McAfee's or the Mandiant report on Chinese espionage earlier this year.

The real story, however, is that these attribution successes only occurred because bureaucrats screwed up. The Mandiant report showed Chinese hackers using passwords containing their military unit name and logging into Facebook from the same networks used to conduct state-sponsored cyber operations. According to McAfee, Troy used the same basic software and tactics for years. Despite those errors, the South Korean government was unable to definitively state whether or not North Korea was responsible at the time of historical attacks.

Third, Operation Troy shows that the distinction between "cyber espionage" and "cyber attack" is exaggerated. While many focus on the distinction between stealing information and taking down networks, experts know the truth: Once an adversary is on a network, regardless of why they got there, they have the capability to inflict harm. McAfee's report raises the question of why Troy chose to switch from espionage operations to attacks at the moments they did. If the compelling evidence is accurate, and North Korea is responsible, the implications for international politics are of the greatest consequence. Cyber espionage operations have been observed against critical infrastructure in the United States and allied countries for years. When will adversaries pivot from learning about those systems to doing more?

Finally, the case shows us that the law enforcement paradigm of responding to foreign cyber threats is failing. Almost all countries initially respond to cyber attacks by calling other governments. In the case of Troy, there is little doubt that the investigation could have been concluded -- and the recent wave of attacks against South Korea probably prevented -- if Chinese law enforcement had worked closely with South Korean officials. North Korea's Internet runs mostly through China, and North Korean hackers are widely believed to operate out of Chinese territory. China is notorious, however, for denying law enforcement requests for assistance.

How can the US and its allies cope with these threats? An answer is to incorporate law enforcement responses and the efforts of private companies into a whole-of-government approach that stresses reducing adversaries' incentives to conduct attacks. A diplomatic priority should be to link cyber conflict to other issues during negotiations. Getting North Korea (and China and Russia and Iran) to stop highly lucrative cyber operations just by asking nicely has no hope of success.

Military and intelligence agencies can help that bargaining process by aggressively developing new capabilities, and by pursuing new human intelligence leads to best exploit the bureaucratic errors detailed in the Mandiant and McAfee reports.

Tim Junio is a cybersecurity fellow at Stanford University's Center for International Security and Cooperation.