January 6, 2015 | The Tower
How Iran and North Korea Became Cyber-Terror Buddies
In late November 2014, cyber-warfare burst into the American public consciousness when Sony Pictures Entertainment was the victim of a massive cyber-attack. Hackers leaked Sony’s corporate secrets in bulk data dumps, exposing everything from financial records to screenplays to embarrassing in-house emails. The dumps were punctuated by messages mocking the company, followed by terrorist threats, such as “Remember the 11th of September 2001.” The hackers’ motives seemed clear: They wanted to force Sony to scrap the release of its new comedy, The Interview, in which two madcap American journalists are recruited by the CIA to assassinate North Korean tyrant Kim Jong-Un.
On December 19, the U.S. government named a culprit. The Federal Bureau of Investigation released a statement saying, “The FBI now has enough information to conclude that the North Korean government is responsible for these actions.” At a press conference later that day, President Obama endorsed the FBI’s accusation, asserting, “We can confirm that North Korea engaged in this attack.” Sony, which briefly cancelled The Interview, promptly released the film in theaters and online.
Nonetheless, some questions remain. In particular, did North Korea act alone? U.S. officials seem to think so. There have been no reports of any hard evidence indicating that another state colluded with North Korea in the attack. But North Korea itself, while gloating over the damage, has denied responsibility. And on December 29, Reuters reported that U.S. investigators are indeed looking into the possibility that “Pyongyang ‘contracted out’ some of the cyber work.” The FBI has been standing by its statement that the North Korean government was behind the attack, but has been sparing in its release of any details.
What we do know is that North Korea has a long and enterprising history of illicit activities, and has done plenty of business with countries that are becoming increasingly notorious for their cyber-warfare capabilities. These include China, Russia, and, most disturbingly, the world’s leading state sponsor of terrorism—Iran.
At the moment, the possibility of Iranian involvement in the Sony hack is, of course, speculative. But there is some compelling circumstantial evidence that it may be the case. In particular, the Sony hack was not the first time an American company was hit with a devastating cyber-attack last year. And like the attack on Sony, it appears to have been retaliation against someone connected to the company. Someone who exercised his right to free speech in ways that a foreign tyrant did not like. And there is strong evidence that the perpetrator of the attack was Iran.
In February 2014, nine months before the Sony hack, a huge cyber-attack on the Las Vegas Sands Corporation took place. The hackers inflicted at least $40 million worth of damage to the gaming company. They ruined computer servers, stole confidential information, and left threatening messages.
On December 11, 2014, a richly detailed article by reporters Ben Elgin and Michael Riley appeared in Bloomberg Businessweek. Unfortunately overshadowed by saturation coverage of the Sony hack, Elgin and Riley broke the story that private investigators from Dell SecureWorks, hired by the Sands, had traced the attack back to Iran. While the investigators could not determine whether the Iranian government was involved, Businessweek asserted, “It’s unlikely that any hackers inside the country could pull off an attack of that scope without [the government’s] knowledge, given the close scrutiny of internet use within its borders.”
The article also noted that the attack was unprecedented. While other countries have spied on American companies and stolen information from them, the attack on the Sands involved something new: It appears to have been the first time “that a foreign player simply sought to destroy American corporate infrastructure on such a scale.” And it was probably payback for a comment made by Las Vegas Sands majority owner Sheldon Adelson.
In October 2013, Adelson spoke at Yeshiva University in Manhattan. When asked for his opinion of President Obama’s efforts to negotiate with Iran over its nuclear program, he replied that Iran was not going to be bargained out of its pursuit of nuclear weapons. He added that, in his opinion, America could get real results by detonating a nuclear weapon in the desert, where it would hurt no one, and then telling Iran that, unless it gives up its nuclear program, “the next one is in the middle of Tehran.”
Adelson’s comments were posted on YouTube. Two weeks later, Iran’s Supreme Leader Ali Khamenei was quoted by Iran’s Fars News Agency as saying, in reference to Adelson, “If Americans are telling the truth that they are serious about negotiation, they should slap these prating people in the mouth and crush their mouths.”
Some three months after Khamenei’s remarks, the cyber-attack on the Sands took place. Businessweek reported that the hackers left profane and threatening messages addressed personally to Adelson. A photo of Adelson with Israeli Prime Minister Benjamin Netanyahu was posted on company websites, along with “images of flames on a map of Sands’ US casinos.”
Nine months later, the attack on Sony occurred. Due to its connection to Hollywood and its resulting plethora of embarrassing celebrity gossip, that attack drew much more public attention. But few noted how similar it was to the cyber-attack on the Sands. Both were large-scale. Both were not just larcenous, but apparently intended to be ruinous. Both looked like payback for expressing views that angered rogue states. And both demonstrated a willingness to inflict a taste of the intimidating and violent tactics with which totalitarian regimes control their own populations on American citizens and corporations.
Thus far, the U.S. government has either denied or refused to comment on the possibility of Iranian involvement in either of these attacks.
When asked for any official press releases or documents related to the Sands attack, an FBI spokesperson responded, “To my knowledge, no public documents, to include news releases, have been filed about this case.” The FBI also declined to answer any questions, saying, “The FBI’s investigation into the Las Vegas Sands Corporation intrusion is still pending, and, as such, further information is not available.” The Sands, which has confirmed the attack but not its origins, declined a request for further comment on the incident.
In similar fashion, President Obama has publicly dismissed the idea that North Korea had help in its attack on Sony. During the December 19 press conference in which he named North Korea as the culprit, Obama said, “We’ve got no indication that North Korea was acting in conjunction with another country.”
There are reasons to be skeptical of such sweeping assurances. First, there have been leaks to the press from anonymous administration officials suggesting that other players might have been involved. And on January 2, 2015, in response to the attack, the U.S. government imposed sanctions targeting ten North Korean individuals, including two working in Iran, and one in Iran’s client state, Syria.
More importantly, Obama is heavily invested in the Iran nuclear talks, which he described in a recent interview with National Public Radio as Tehran’s “chance to get right with the world.” In an interim agreement reached in Geneva on November 24, 2013, the nuclear talks were advertised as a route to a comprehensive deal within six months. A deal that would assure the world of an entirely peaceful Iranian nuclear program. That deadline has now been extended twice, while Iran has refused to surrender equipment and facilities that could be used to make nuclear weapons.
U.S. negotiators appear increasingly desperate to make a deal. They have bypassed Iran’s missile program; detoured around its support for terrorist groups such as Hamas and Hezbollah; and downplayed Iranian arms smuggling, violation of sanctions, and threats to obliterate Israel. Administration officials have also ducked questions regarding the possibility that Iran might be secretly engaged in nuclear activities with North Korea.
Sources less invested in downplaying Iranian abuses have raised the intriguing prospect that Iran and North Korea might be collaborating on cyber-warfare. A lengthy report released last August by Hewlett-Packard’s security research unit, titled “Profiling an Enigma: The mystery of North Korea’s cyber-threat landscape” explored the possibility. In a section on North Korea’s “Important political and military ties,” HP’s researchers noted, “While this report focuses on North Korea’s cyber-warfare capabilities, these capabilities cannot be fully separated from the implications of partnerships with countries known to deal in illegal weapons trade with the regime.” Noting that cyberspace has now become “an arena for warfare,” the HP report listed five nations that already have a record of weapons trafficking with North Korea, and are now “potential allies in the cyber realm”: China, Russia, Syria, Cuba, and Iran.
Among these candidates, the most natural partner is Iran. The governments of China and Russia might be willing to host North Korean hackers, but they are hardly in dire need of munitions and technology from Pyongyang. Syria and Cuba might be more interested, but have less to offer in return.
Iran, on the other hand, has flourishing cyber-warfare capabilities and substantial oil supplies. As such, it would seem to offer many opportunities for mutual gain. Iran and North Korea have long been involved in illicit trade, Pyongyang is short on cash and long on munitions, and Iran has oil wealth to spend, as well as a documented appetite for North Korean goods.
HP’s suspicions were echoed in an early December report by a California-based security consulting firm, Cylance. The report focuses on a group of Iranian hackers believed to be working out of Tehran. Their attacks were dubbed Operation Cleaver, after a word that appears repeatedly in the hackers’ coding. Calling Iran “the new China,” Cylance described Iranian cyber skills as rapidly evolving and targeted at critical infrastructure around the world.
Both reports also note that North Korea and Iran have burgeoning ties. For example, a scientific and technological cooperation deal signed in September 2012. Cylance describes it as an “extensive agreement,” which could translate into “collaboration on various efforts including IT and technology.”
Neither report goes into much detail on the North Korea-Iran axis. But the 2012 science and technology agreement between these two states, which called for “exchange of expertise” and “joint use of scientific research equipment,” is noteworthy for a number of reasons—all of them disturbing. In particular, the deal roused immediate concern among analysts tracking the two countries’ rogue nuclear activities. The agreement was strikingly similar to a 2002 accord between North Korea and Syria. With North Korean help, Syria built a secret nuclear reactor, with no evident purpose except to produce plutonium for nuclear weapons. In 2007, as the reactor was nearing completion, an Israeli air strike destroyed it.
In March 2013, a former State Department expert in North Korea’s illicit activities, David Asher, testified about both agreements before the House Committee on Foreign Affairs. On the Syria deal, Asher testified that “in hindsight, this ‘scientific cooperation agreement’ was the keystone for the commencement of covert nuclear cooperation between North Korea and Syria, which ultimately resulted in the construction of a nuclear reactor complex and possibly other forms of WMD cooperation.” Asher warned that, in light of the Syria experience, North Korea’s 2012 scientific agreement with Iran “needs to be aggressively monitored.”
The high-level ceremonies surrounding the signing of the North Korea-Iran deal were reported in some detail by North Korea’s state-run news agency, KCNA. The signing came less than a year into the rule of North Korea’s young dictator, Kim Jong-Un, who inherited power in December 2011 upon the death of his father, Kim Jong-Il. Thus, the publicity North Korea lavished on the event was effectively a declaration, reaffirming Pyongyang’s longstanding ties to Tehran despite a change of leadership, and promising more cooperation on multiple fronts.
It was also a slap in the face to the U.S., which earlier that year extended a hand to Pyongyang. When young Kim took power, the Obama administration hoped he might prove more tractable than his forebears. The deal represented an unequivocal statement that the new supreme leader would maintain his father’s hardline policies.
The signing was a major event for both countries. It followed a summit of the 120-member Non-Aligned Movement, at which Iran took over the group’s three-year chairmanship from Egypt. When the summit ended, North Korea’s delegation stayed on in Tehran, where they were welcomed by top leaders of the Iranian regime. There was a reception with a military honor guard, and an official banquet hosted by then-president Mahmoud Ahmadinejad, notorious for saying Israel must be “wiped off the map.” Iran’s Supreme Leader, Ayatollah Ali Khamenei, granted North Korea’s President of the Presidium of the Supreme People’s Assembly, Kim Yong-Nam, an audience, during which he reportedly reminisced about the delights of meeting Kim Jong-Un’s grandfather. Khamenei lauded the two countries’ “abundant grounds for the expansion of relations,” including “increasing cooperation,” and stressed that Iran and North Korea have “common enemies.”
The centerpiece of the festivities was the signing of the scientific cooperation deal. According to KCNA, among the Iranian officials present were the president, the head of Iran’s Atomic Energy Organization, the governor of the Central Bank, and at least four ministers—including the Minister of Defense and Armed Forces Logistics; the Minister of Industry, Mines, and Trade; the Minister of Science, Research, and Technology; and the Minister of Agriculture.
Kim Yong-Nam flew home bearing gifts for Kim Jong-Un and himself, which were personally delivered by Iran’s defense minister, Ahmad Vahidi. This was an ominous sign. Vahidi was and still is under U.S. sanctions for his connections to the Iranian nuclear program. He has also been on Interpol’s Wanted List since Argentina charged him with aggravated murder and damages in connection with the 1994 bombing of the AMIA Jewish community center in Buenos Aires, which killed 85 people and wounded hundreds.
In return for Iran’s hospitality, Kim Yong-Nam sent his hosts a message of “deep thanks” and his official wishes for “greater success in their work for building a strong Islamic state.” He added that he was “deeply impressed to witness the fresh successes the government and people of Iran have made in all fields including politics, economy, science and technology, and national defense, meeting all sorts of challenges and ordeals.”
Among the “ordeals” Iran had recently encountered was the Stuxnet malware attack some two-to-three years earlier, which damaged Iran’s nuclear program, as well as its oil and gas facilities. The Hewlett-Packard report notes that, while some U.S. lawmakers believe the two states are focused chiefly on nuclear collaboration, some experts suspect they are also driven by a mutual interest in developing cyber-warfare capabilities in order to protect both nuclear weapons development and oil refineries “against malware such as Stuxnet.”
According to the Cylance report, Iran has become more aggressive with its own cyber-attacks in response to Stuxnet. Since at least the early 2000s, “Hacking campaigns sourced out of Iran” have been “nothing new.” But after Stuxnet, Iran appears to be more focused on retaliation. Its tactics are more wide-ranging and destructive, with a number of enhanced attacks in 2011 “serving as a warning, showcasing the rapid evolution of Iran’s hacking skills.”
By late 2012—just after North Korea and Iran signed their science and technology deal—Iranian hackers were targeting the online services of U.S. banks. They also attacked Israel so energetically that, in June 2013, Israeli Prime Minister Benjamin Netanyahu accused Iran of targeting Israel’s water, power, and banking systems with “non-stop attacks.” In September 2013, anonymous U.S. administration officials told the Wall Street Journal that Iran had “hacked unclassified Navy computers in recent weeks in an escalation of Iranian cyber-intrusions targeting the U.S. military.”
Five months later, Iran displayed its prowess in the Sands attack. Four months after that, North Korea made its initial threats against The Interview, followed by the wholesale attack on Sony.
Another sign of possible collaboration between North Korea and Iran on cyber-warfare is the fact that they have been collaborating on other forms of warfare for a very long time.
Their partnership began shortly after Iran’s 1979 Islamic Revolution and has continued ever since. It has brought much needed cash to North Korea, the enhancement of Tehran’s military arsenal, and mutual gains through shared test results. The relationship began to flourish in earnest when North Korea supplied Iran with armaments during the 1980-88 Iran-Iraq war. Since then, the two countries have developed a series of networks involving middlemen, front companies, and transportation routes in order to evade a growing list of sanctions, enhancing their ability to traffic in more and more sophisticated weaponry.
In recent decades, this relationship has proven particularly fruitful. In 1992, for example, a North Korean freighter slipped past U.S. Navy surveillance and delivered a cargo of Scud missiles to the Iranian port of Bandar Abbas. In 2003, a North Korean defector testified before Congress that he traveled from North Korea to Iran in 1989 and helped the Iranians test-fire a North Korean missile. In 2007, a secret State Department cable made public by Wikileaks stated,
“Iran and North Korea have continued their longstanding cooperation on ballistic missile technology via air-shipments of ballistic-missile related items. We assess that some of the shipments consist of ballistic missile jet vanes that frequently transit Beijing on regularly scheduled flights of Air Koryo and Iran Air.”
In 2010, a Congressional Research Service report by analyst Larry A. Niksch estimated that “North Korea earns about $1.5 billion annually from missile sales to other countries. It appears that much of this comes from missile sales and collaboration with Iran in missile development.” Also in 2010, the New York Times reported that Iran obtained 19 missiles from North Korea that were “much more powerful than anything Washington has publicly conceded that Tehran has in its arsenal.” This too was based on a classified State Department cable made public by Wikileaks. In 2013, a report from the National Air and Space Intelligence Center stated, “Iran has an extensive missile development program, and has received support from entities in Russia, China, and North Korea.” Among Iran’s ballistic missiles is the intermediate-range Shahab 3, based on North Korea’s No Dong missile, with a range long enough to strike Israel.
These are only a few examples. The extent of military collaboration between the two countries is enormous. North Korea supplies munitions to Iran and Iran’s terrorist clients, such as Hamas and Hezbollah, as well as to Syria, which is dependent on Iranian support. In July 2009, authorities in Dubai searched a Bahamian-flagged, French-owned container ship, the ANL Australia, which was bound for Iran. They discovered a North Korean arms shipment including detonators for 122 mm rockets and a large quantity of solid-fuel propellant. In December 2009, Thai authorities searched a plane that stopped for refueling in Bangkok, and found it crammed with 35 tons of North Korean weapons, also bound for Iran.
In 2011, the U.S. Treasury designated North Korea’s Bank of East Land a “major conduit for facilitating North Korea’s conventional arms trade,” including transactions with sanctioned Iranian financial institutions such as Bank Melli and Bank Sepah. In 2014, in a civil lawsuit brought before a Washington, DC federal court on behalf of American-Israeli citizens wounded by Hezbollah rocket attacks, Judge Royce C. Lamberth ruled, “North Korea and Iran are liable for damages because they provided material support and assistance to terrorists who fired the rockets at Israel that caused the plaintiffs’ injuries.” (Full disclosure: I testified as an expert witness). In his decision, Lamberth wrote that Iran supplied the financing and transportation, while North Korea provided Hezbollah with “advanced weapons, expert advice, and construction assistance in hiding these weapons in underground bunkers, and training in utilizing these weapons to cause terrorist rockets to rain down on Israel’s civilian population.”
This collaboration extends into the most dangerous area imaginable—nuclear proliferation. North Korea carried out nuclear tests in 2006, 2009, and 2013, has been threatening to conduct a fourth, and according to General Curtis Scaparrotti, commander of U.S. Forces in South Korea, now has the ability to fit a miniaturized nuclear warhead on to a ballistic missile. Under Kim Jong-Un, North Korea appears to have expanded its uranium enrichment facilities and restarted its plutonium-producing reactor at Yongbyon. This implies that, along with refining its technological skills, North Korea may be beefing up its stockpile of nuclear fuel.
A February 2014 report to Congress from the Office of the Secretary of Defense stated, “One of our gravest concerns about North Korea’s activities in the international arena is its demonstrated willingness to proliferate nuclear technology.” The report cited North Korea’s aid to Libya’s nuclear program under Muammar Qaddafi, and the aforementioned Syrian nuclear reactor.
There have been unconfirmed reports that North Korea is now collaborating with Iran on nuclear technology. As nuclear proliferation expert David Albright, President of the Institute for Science and International Security, testified to Congress in April 2013, “Unfortunately, North Korea and Iran could mutually benefit from collaboration on their respective nuclear programs.”
In public, U.S. administration officials tend to dodge the issue. Asked about North Korea-Iran nuclear cooperation at a hearing of the House Committee on Foreign Affairs last July, the Obama administration’s chief negotiator for the Iran nuclear talks, Wendy Sherman, said, “I think any further discussion of that probably should take place in a closed session.”
Last April, the Congressional Research Service released a report on “Iran-North Korea-Syria Ballistic Missile and Nuclear Cooperation.” Based primarily on unclassified and declassified U.S. Intelligence Community assessments, the CRS stated, “There is no evidence that Iran and North Korea have engaged in nuclear-related trade or cooperation with each other, although ballistic missile technology cooperation between the two is significant and meaningful.”
But the CRS report added a tantalizing hint that its sources might be insufficient. It suggested that Congress “might wish to consider requiring additional reporting from the executive branch on WMD proliferation,” and noted that “the number of unclassified reports to Congress on WMD-related matters has decreased considerably in recent years.” The Intelligence Authorization Act for Fiscal Year 2013, for example, “repealed the requirement for the [intelligence community] to provide an unclassified annual report to Congress regarding the ‘Acquisition of Technology Relating to Weapons of Mass Destruction and Advanced Conventional Munitions.’”
The Sony hack has monopolized media attention over the past month, and finally aroused public concern over the cyber-warfare capabilities of rogue states like North Korea. There are signs of Iranian involvement in the attack, but no conclusive evidence. There is conclusive evidence, however, of far-ranging collaboration between North Korea and Iran on cyber-warfare and numerous other forms of military technology.
These go far beyond the realm of cyberspace. They include such devastating conventional weapons as ballistic missiles and—most importantly—the development of nuclear technology and nuclear weapons. Clearly, the relationship between these two rogue totalitarian states represents a clear and present danger to the entire free world.
The really important question, then, is not precisely who hacked Sony’s computer network. It is what we might see if the administration rolled back the curtain and showed us whatever it knows about the full extent of North Korea’s rogue ventures, especially its long-standing romance with Iran.
Claudia Rosett is journalist-in-residence with the Foundation for Defense of Democracies, and head of its Investigative Reporting Project.