The Perfect Weapon


by David E. Sanger


  It seemed inevitable that Trump would soon face the same challenge his predecessors did: how to deal with North Korea without prompting a broader war. He would confront issues that had been long debated in the Situation Room: whether to order the escalation of the Pentagon’s cyber- and electronic-warfare effort, crack down again on trade with crushing economic sanctions, open negotiations with the North to freeze its nuclear and missile programs, or prepare for direct missile strikes on its nuclear and missile sites.

  It seemed clear to me that, still lacking a strategy, Trump’s answer would likely be to attempt all four.

  * * *


  While the United States struggled to sabotage Kim’s missile program, the North’s hackers were looking for new targets in the West. In the two years after the Sony attack, their cyber corps had learned a lot and grown more global. As a top cybersecurity official for one of the behemoths of Silicon Valley put it to me, “If there was a ‘most improved’ award for states looking to weaponize the Internet, the North Koreans would win it. Hands down.”

  While Americans were thinking about how to use cyberweapons to neutralize the North’s missiles, the North was thinking about how to use them to pay for those missiles—a huge challenge for a country under every form of economic sanction. Which is how the North’s hacking teams cooked up a plan to steal $1 billion from the Bangladesh Central Bank in 2016.

  With their exquisite nose for vulnerable institutions, the North’s hackers focused on Bangladesh in January, figuring their cyber protections had to be pretty minimal. It was a good bet. With just a few weeks of quiet digital observation of the bank, the hackers got all they needed: the procedures for transferring funds internationally, some stolen credentials, and an understanding of when the bank would be closed for a holiday that extended into a weekend. The extra days provided them with time to execute transfers before anyone was around to stop them.

  The hackers put together transfer orders for just under $1 billion, including one transfer to the Shalika Foundation in Sri Lanka. That proved the fatal mistake: In instructions to the New York Federal Reserve, through which such transactions flow, someone spelled “foundation” as “fandation.” The error raised eyebrows, and the transfers were suspended—but only after Kim Jong-un’s hackers had gotten away with $81 million. If it had been a physical bank heist, it would have been considered one of the largest and most brilliant in modern times. (By comparison, the great Brinks heist of 1950, in Boston’s North End, swept up only about $2.7 million, worth about ten times that in modern currency.)

  After the Sony hacks, the North had good reason to believe that any retaliation for their cyber exploits would be minimal, and they were right. There was no penalty for the Bangladesh bank attack, or cryptocurrency heists that followed.

  “Cyber is a tailor-made instrument of power for them,” Chris Inglis, a former deputy director of the National Security Agency, told me. “There’s a low cost of entry, it’s largely asymmetrical, there’s some degree of anonymity and stealth in its use. It can hold large swaths of nation-state infrastructure and private-sector infrastructure at risk. It’s a source of income.”

  At an earlier time, North Korea counterfeited crude $100 bills to finance the country’s operations. That grew more difficult as the United States made the currency harder and harder to copy. But ransomware, digital bank heists, and hacks of South Korea’s fledgling Bitcoin exchanges all made up for the loss of the counterfeiting business. Today the North may be the first state to use cybercrime to finance its state operations.

  Bangladesh was hardly the only victim, and not even the first. In 2015 there was an intrusion into the Philippines, then the Tien Phong Bank in Vietnam. In February 2016 hackers got inside the website of Poland’s financial regulator and infected visitors—from the central banks of Venezuela, Estonia, Chile, Brazil, and Mexico—in hopes of also breaking into those banks.

  Then came two of the boldest attacks—one on South Korea, the other on the world.

  There was no military document that the North wanted to read more than the American blueprints for war on the Korean Peninsula. Sometime in the fall of 2016, when most of the world was distracted by the presidential election, the North breached South Korea’s Defense Integrated Data Center, according to Rhee Cheol-hee, a member of the South Korean parliament’s National Defense Committee, and swept up 182 gigabytes of data—including OpPlan 5015, a detailed outline of what the US military delicately called a “decapitation strike.” Rarely have the details leaked. But the documents the North’s hackers stole appear to include strategies for finding and killing the country’s top civilian and military leaders, and then wiping out as much of the mobile missile fleet and seizing as many nuclear weapons as possible. OpPlan 5015 would not stop there—the strategy included ways to counter the North’s elite commandos, who would almost certainly slip into the South.

  There is some speculation that the North intended to get caught stealing the war plan, in order to unnerve their adversaries and force them to rewrite it from scratch. We’ll likely never know. But the theft is just one more sign of how deeply the North has compromised South Korea’s sensitive networks. There is also evidence that Pyongyang has planted “digital sleeper cells” in critical infrastructure in the South in case they are needed to paralyze power supplies or command-and-control systems.

  Then came WannaCry.

  It is unclear how long the North Korean hacking team spent planning what the United States later charged was an “indiscriminate” attack on hundreds of thousands of computers, many in hospitals and schools. But it is clear how the hackers got inside: with some vulnerabilities in Microsoft software stolen from the NSA by the Shadow Brokers group. It was the ultimate cascading crime: the NSA lost its weapons; the North Koreans shot them back.

  In this case, the hacking tool stolen from the NSA went by the name “Eternal Blue.” It was a standard piece of the TAO’s toolbox because it exploited a vulnerability in Microsoft Windows servers—an operating system so widely used that it allowed the malware to spread across millions of computer networks. No one had seen anything like it in nearly a decade, since a computer worm called “Conficker” went wild.

  In this case, the North Korean hackers married the NSA’s tool to a new form of ransomware, which locks computers and makes their data inaccessible—unless the user pays for an electronic key. The attack was spread via a basic phishing email, similar to the one used by Russian hackers in the attacks on the Democratic National Committee and other targets in 2016. It contained an encrypted, compressed file that evaded most virus-detection software. And once it burst alive inside a computer or network, users received a demand for $300 to unlock their data. It is unclear how many paid, but those who did never got the key—if there ever was one—to unlock their documents and databases.

  The hackers guessed correctly that while Microsoft had patched this hole in the system—after the NSA had warned the company about the vulnerability just two months before the attack—few people who used old Microsoft Windows systems would have gone to the trouble of updating their software. And when the attackers struck in the late afternoon of May 12, 2016, anybody with ancient computers and ancient software to match—like the National Health Service in the United Kingdom—was a sitting duck.

  “Many of the computers that were the most adversely affected were running Windows XP,” Brad Smith, the president of Microsoft, explained to me later. “It’s an operating system that we released in 2001. And when you stop and think about it, you realize that was six years before the first iPhone. It was six months before the first iPod.” Smith didn’t use the other obvious historic marker: the operating system was released to manufacturers just eighteen days before the September 11 attacks, a moment that changed our national sensibility about our vulnerabilities.

  WannaCry, like the Russian attacks on the Ukraine power grid in the previous two years, was among a new generation of attacks that put civilians in the crosshairs. In that regard, it is akin to terrorism. “If you are wondering why you’re getting hacked—or attempted-hacked—with greater frequency,” said Jared Cohen, the former State Department official who now runs Alphabet’s Jigsaw, a part of the Google parent company, which has done pioneering work in how to make people safer on the Internet, “it is because you are getting hit with the digital equivalent of shrapnel in an escalating state-against-state war, way out there in cyberspace.”

  Cohen is right: WannaCry is a prime example of where the newest cyber battles are headed. In the first years of state-on-state cyberwars, the targets of crippling hacks were mostly strategic, and often state-owned. Olympic Games was aimed at an isolated, underground nuclear enrichment facility. The attacks on ISIS were directed at vicious terrorist groups. The North Korea missile hacks were aimed at a program that directly threatened America and its allies.

  But with WannaCry, the targeting seemed far more random, and the results were unpredictable. With computer systems of several major British hospital systems shut down, ambulances were diverted and nonemergency surgeries delayed. Banks and transportation systems across dozens of countries were affected. But it is doubtful the North Koreans knew, or cared, which systems would be crippled.

  “I suspect the attackers had no idea what would be hit,” one American investigator told me. “It was about creating chaos” and fear. Evidence of the untargeted nature of the malware lies in the fact that it hit seventy-four countries; after Britain, the hardest hit was Russia. (In what some might see as a sign of cosmic digital justice, Russia’s Interior Ministry was among the most prominent victims.) Then Ukraine. Then Taiwan. There was no discernible political pattern.

  Moreover, there was no warning. Britain’s National Cyber Security Centre saw nothing coming, its director of operations, Paul Chichester, told my Times colleagues. In fact, investigators in Britain suspect the WannaCry attack may have been an early misfire of a weapon that was still under development—or a test of tactics and vulnerabilities.

  “This was part of an evolving effort to find ways to disable key industries,” said Brian Lord, a former deputy director for intelligence and cyber operations at Britain’s GCHQ. “All I have to do is create a moderately disabling attack on a key part of the social infrastructure, and then watch the media sensationalize it and panic the public.”

  For all the billions spent on cyber defenses, in the end the Cyber Security Centre, British intelligence, and Microsoft had little to do with bringing the attack to an end. For that they had to thank Marcus Hutchins, a college dropout and self-taught hacker who was living with his parents in the southwest of England. He spotted a web address somewhere in the software and, largely on a lark, paid $10.69 to register it as a domain name as the attack was under way. The activation of the domain name turned out to act as a kill switch; it kept the malware from continuing to spread. (Hutchins was later arrested in Las Vegas and charged with being the author of another kind of malware, one designed to steal banking credentials.)

  It took months—until December 2017, three years to the day after Obama accused North Korea of the Sony attacks—for the United States and Britain to formally declare that Kim Jong-un’s government was responsible for WannaCry. Thomas Bossert, President Trump’s homeland security adviser, said he was “comfortable” asserting that the hackers were “directed by the government of North Korea,” but said that conclusion came from looking at “not only the operational infrastructure, but also the tradecraft and the routine and the behaviors that we’ve seen demonstrated in past attacks. And so you have to apply some gumshoe work here, not just some code analysis.”

  Bossert was honest about the fact that having identified the North Koreans, he couldn’t do much else to them. “President Trump has used just about every lever you can use, short of starving the people of North Korea to death, to change their behavior,” Bossert acknowledged. “And so we don’t have a lot of room left here.”

  The gumshoe work stopped short, of course, of reporting about how Shadow Brokers allowed the North Koreans to get their hands on tools developed for the American cyber arsenal. Describing how the NSA enabled North Korean hackers was either too sensitive, too embarrassing, or both. And it was one of the most troubling parts of the whole incident.

  While the US government says that it reports to industry more than 90 percent of the software flaws it discovers, so that they can be fixed, “Eternal Blue” was clearly part of the 10 percent it held on to in order to bolster American firepower. Microsoft never heard about the vulnerability until after the weapon based on it was stolen. Yet the US government acted as if it bore no responsibility for the devastating cyberattack. When I asked Bossert, and his deputy, Rob Joyce, who ran the TAO and clearly knew something of what happened to these pilfered weapons, they argued that the fault was entirely with those who used the weapons—not with those who lost control of them. It was a mystifying argument: if someone fails to lock up their guns, and a weapon stolen from their house is used in a school shooting, the gun owner has at least some moral or legal liability.

  “It’s a problem,” Leon Panetta, the former defense secretary and CIA director told me one day as we discussed the WannaCry attacks, “when the US government can’t hold on to its arsenal. We can’t be in that position. And we wouldn’t tolerate that explanation from other countries.”

  Brad Smith of Microsoft, clearly angry, compared the NSA’s loss of its weapons to the air force’s losing a Tomahawk Missile that was then shot back at an American ally. He pointed to the arrest of “an NSA contractor who had these weapons in his garage. And you don’t see Tomahawk weapons in people’s garages.”

  In fact, these days you did.

  It was just two months later that Ukraine was hit with the NotPetya attack, which roused Dmytro Shymkiv to action from upstate New York. It was very similar to WannaCry, although NotPetya was the work of the Russians, the Trump administration said in early 2017. Those hackers had clearly learned from the North Koreans. They made sure that no patch of Microsoft software would slow the spread of their code, and no “kill switch” could be activated.

  In short, they designed a more accurate weapon, and struck two thousand targets around the world, in more than sixty-five countries. Maersk, the Danish shipping company, was among the worst hit: they reported losing $300 million in revenues and had to replace four thousand servers and thousands of computers. NotPetya made the Sony strike, only three years earlier, look like the work of amateurs.

  * * *


  Whatever the cause of Kim Jong-un’s missile troubles in 2016—sabotage or incompetence or bad parts or faulty assembly—he solved the problem in 2017.

  At a speed that caught American intelligence officials off guard—to say nothing of the newly arrived Trump administration—Kim rolled out an entirely new missile technology. Clearly he had a parallel program running alongside the Musudan, and it was based on another decades-old Soviet engine design that powered intercontinental ballistic missiles.

  Unlike the Musudan, this one worked, and it worked right away. In quick succession Kim demonstrated ranges that could reach Guam, then the West Coast, then Chicago and Washington, DC. Out of nine intermediate and long-range launch tests in 2017, only one failed. That was an 88 percent success rate—a startling improvement from the year before.

  And on the first Sunday in September, Kim detonated a sixth nuclear bomb, one that was far more powerful than any the North had set off before. It was fifteen times greater in power than the atomic bomb that leveled Hiroshima. Kim had entered the big leagues of nuclear power.

  Many had seen this coming. For twenty years public CIA estimates declared that North Korea would have this capability sometime before 2020, but Kim’s burst of progress after such a string of failures the previous year had not been predicted. Like the Russia hacks during the US election, Kim’s strategic move caught the intelligence world unawares.

  I went back to see General McMaster in December 2017. He readily acknowledged that Kim’s race to the finish line—a bid to establish the North as a nuclear power before any negotiations began or sanctions took a more punishing toll—“has been quicker and the timeline is a lot more compressed than most people believed.”

  The question he and other officials would not touch, of course, was whether the North’s string of successes in 2017 indicated that they had figured out the vulnerabilities of the Musudan—and solved them. What happened to “left of launch”? Were the new missiles less vulnerable to cyber and electronic attacks? Or had the supply chain changed, making it harder to infiltrate bad parts into the missile program? Or had the United States concluded it was simply being too obvious in attacking the Musudan and now was holding back until it was ready to strike at a larger missile?

  There were plenty of indications that the US reliance on cyber tools was alive and well, just somewhat better hidden. Trump asked Congress in November 2017 for $4 billion in emergency funds for boosting missile defense and taking other steps to contain the North. Hundreds of millions of dollars were dedicated to what the budget documents called “disruption/defeat” efforts. Those efforts, several officials confirmed, include a more sophisticated attempt at cyber and electronic strikes. And there were several billion dollars allotted for traditional missile defense—even amid the doubts that it will work.

  Trump’s former CIA director, Mike Pompeo, occasionally hinted at ongoing programs, suggesting that the United States was “working diligently” to slow Kim’s progress and delay the day when he was ready to put a nuclear warhead atop one of those missiles. Pompeo suggested that day was just “months away,” but he repeated this estimate from early in Trump’s administration through its first eighteen months. Jim Mattis, the defense secretary, had a darker take: after the North’s most successful missile test, in November 2017, he said the country already had the ability to hit “everywhere in the world, basically.”
