CYBINT collection similarities between Iran and North Korea

Syed Suleman Qutb
4 min read · Jul 30, 2021

The similarities in CYBINT collection behaviour that Iran and North Korea, two rogue totalitarian states, exhibit in cyberspace are summarized below.

  1. Internal Situation. Both countries face a profound dilemma in the field of IT infrastructure and internet connectivity. They are ruled by repressive regimes that keep a tight grip on their societies by isolating them from the outside world. North Korea maintains a hermit infrastructure and refuses to open the country to the internet, while Iran exercises near-total control over media and domestic connectivity to preserve regime stability.
  2. CYBINT Focus on the U.S. Both Iran and North Korea direct their cyber espionage and cyber-attacks primarily at the U.S. and its allies, either to provoke them or to destabilize their economies.
  3. Unclear Picture of Their Intelligence and Security Organizations. Communication systems and networks around the globe are interconnected, and much of their technology originates in the U.S. Both countries, however, run closed architectures, and their minimal connectivity with the outside world limits the extent to which CYBINT can be conducted against them. The true structure of their intelligence services and the activities of their security organizations therefore remain unclear.
  4. Cyberspace Characteristics. The distinctive attributes of cyberspace, namely low relative cost, anonymity and the difficulty of attribution, have drawn both countries to invest in cyber intelligence. These efforts aim primarily at economic advantage and at displaying strategic strength against adversaries while circumventing sanctions.
  5. Strike Adversaries Globally. Both countries have conventional forces that cannot respond in kind to stronger militaries; they therefore turn to cyber weapons, which give them a cheap, global means of responding or asserting their importance. Moreover, they exploit the inchoate rules of cyberspace to achieve their objectives almost instantaneously without intruding on the physical territory of other countries.

Since neither Iran nor its ally North Korea has a well-defined internal network and system infrastructure, their shared context encourages an active CYBINT methodology. Given their conservative approach to the internet, one might expect these countries to lack the resources and abilities to conduct cyber espionage. In reality, their repressive regimes do not impede their ability to wage cyber operations, especially against the U.S. Both maintain dedicated organizations with sophisticated tooling for intelligence operations.

North Korea's State Security Department is responsible for CYBINT activity, and the DPRK is believed to train groups of hackers into dedicated units, sometimes described as "virus battalions". Iran's Supreme Council of Cyberspace oversees both defensive and offensive CYBINT operations. Their intelligence operations are neither ad hoc nor isolated; they are extensively organized and planned by these organizations, with specific goals and missions that support the national strategy.

Both countries exploit the difficulty of attribution on the internet and, using its speed and global connectivity, pose a serious threat to the U.S. by accessing sensitive U.S. government data relating to advanced nuclear weapons and long-range missiles.

Cyber activities that fall outside the traditional intelligence cycle can be seen in the following collection-operation case studies from both countries. These operations illustrate their aggressiveness in the cyber domain.

  1. Magic Kitten. Magic Kitten is an Iran-based APT which, according to CrowdStrike Intelligence, had been carrying out network intrusions since 2009. It kept a low profile and mostly targeted Iranian political dissident groups. Its tooling was highly modular and flexible enough to add new features and functionality during an operation, which set it apart from traditional intelligence collection tools. It used spear-phishing email as its delivery vector, with an attached dropper that implanted the base module of a RAT on the victim's machine to establish a foothold on the victim's network. Through its command and control channel the implant could collect data from the victim's machine, log keystrokes, execute files, open a remote shell, alter data, take screenshots, record audio, and harvest web browser and email credentials.
  2. Flying Kitten. Another Iranian APT which, apart from targeting political groups, attacked U.S. defense and aerospace companies for intelligence collection. The group used fake websites to harvest user credentials and simultaneously delivered malware to the host machine to collect data from the victim's system.
  3. Charming Kitten. An Iranian actor whose malware used Internet Relay Chat (IRC) for command and control. It collected data through social-engineering websites and fabricated personas, targeting individuals at U.S. government agencies and defense contractors for intelligence collection, and exfiltrated data from victims' machines through its backdoor. The backdoor gave the operator full control of the host and was capable of deleting files, downloading files, and exfiltrating data from the victim's machine.
  4. Silent Chollima. This North Korean actor's first intrusions trace back to 2006, targeting South Korean government and military systems to steal sensitive information. Its first destructive attack was seen in 2009 and targeted U.S. and South Korean sites, including the White House, the Pentagon and financial websites. Later, Silent Chollima's toolset was strengthened with wiper malware that erased all data on a victim's machine, activity that places it outside the traditional intelligence life cycle. The upgraded toolset mainly targeted South Korean business and government organizations.
  5. In 2014, a massive network intrusion using the same malware was carried out against Sony. The attackers reportedly gathered around 100 terabytes of confidential company data and then deleted data from the servers with the wiper.

Syed Suleman Qutb

Cybersecurity Solutions Architect @ EUNOMATIX, USA. EUNOMATIX specializes in out-of-the-box Cyber Detection & Preemption.