North Korean Hackers Stole US and South Korea “Decapitation” Plans Months Ago

For more than a year, North Korea has been able to pour over a massive cache of sensitive military information it stole from South Korea’s government, including plans for a so-called “decapitation strike” against Premier Kim Jong-un and other members of the regime in Pyongyang. This raises serious questions about the ability of the U.S. and South Korean militarities to respond in a limited fashion to North Korean provocations amid reports that the North Koreans appear to be preparing their own plans for counterattacks.

On Oct. 10, 2017, media outlets in South Korea offered new details about the extent of the hacking, citing a public statement by Rhee Cheol-hee, a member of President Moon Jae-in’s Democratic Party who sits on the South Korean Parliament’s National Defense Committee. The breach of the Defense Integrated Data Center occurred in September 2016 and authorities in the South were still attempting to determine the exact contents of the stolen data.

Rhee said that the hack impacted approximately 235 gigabytes of information in total. “The Ministry of National Defense has yet to find out about the content of 182 gigabytes of the total data,” he explained in his statement.

The Wall Street Journal said the South Korean Ministry of Defense declined to confirm the details Rhee provided about its investigations. The U.S.  Embassy in South Korea told the newspaper that it was aware of the breach, but did not provide any additional information.

North Korean soldiers with backpacks bearing the international symbol for radioactive material during a parade in 2013., Kyodo via AP

But according to the Yonhap News Agency, the South Korean military already knows that the trove includes planning documents related to the war time employment of the country’s special operations forces, messages to senior American commanders, and information about military bases and critical infrastructure, such as power plants. Operations Plan 3100, or OPLAN 3100, one of South Korea’s plans on how to respond to small North Korean provocations, was reportedly in the cache of information.

Most importantly, North Korean hackers were reportedly able to obtain a copy of the U.S. military’s OPLAN 5015. This is a detailed outline for what has been described as a “decapitation strike,” that would, based on available reports, seek to swiftly neutralize North Korea’s top civilian and military leadership, as well as eliminate the threat of the country’s weapons of mass destruction – including both nuclear and chemical stockpiles – and ballistic missiles.

Though the exact parameters of this attack plan are classified, any such operation would undoubtedly include precision strikes by U.S. and South Korea aircraft, including missions by the low-observable B-2 Spirit stealth bomber to penetrate into North Korea’s most densely defended areas, as well as stand-off strikes by America and South Korean ships and land-based ballistic missiles. On the ground, both countries’ special operations forces would likely move in to assess the damage and secure any sensitive materials or high priority individuals.

Depending on how long OPLAN 5015 envisions the overall operation lasting, additional conventional air, naval, and ground forces could conduct follow-up activities after the initial onslaught. These extra personnel would have to be prepositioned and on alert to handle any North Korean counterattacks, including commando raids and ballistic missile strikes.

Though North Korea’s missile tests get the most public attention, the country does maintain a massive special operations component trained to perform what would essentially be suicide missions against critical targets during a conflict. In an actual war, North Korea would insert these elite troops using a fleet of aging, but surprisingly capable An-2 biplane transport planes, miniature submarines and other covert watercraft, and other means.

Also on Oct. 10, 2017, Yonhap reported that the North Koreas had trained to assault the Combined Forces Command headquarters in Seoul, the top U.S.-South Korean command center, using paragliders, during a series of provocative exercise the month before, citing unnamed South Korean defense officials. North Korean commandos apparently conducted highly realistic drills involving an assault on a full-size model of the headquarters building.

Paragliding commandos could be hard for radars and other sensors to spot and the equipment could be a cheap and effective option for infiltrating into the South given the distances involved in any such operation. Yonhap News states that elite North Korea troops could conceivably launch from the top of large mountains along the border with South Korea and then glide deep into the country. 

Recreational paragliders often make trips covering 100 miles or more, which is the approximate distance between the North’s Mount Kumgang National Park and Seoul. The shortest distance between South Korean capital and the demilitarized zone is less than 30 miles. But powered paragliders, often called paramotors, can launch from virtually anywhere and could conceivable penetrate deep into South Korean territory and would be tough to engage, especially if launched en masse at night.

North Korean special operations forces march during a parade in 2017., Iliya Pitalev/Sputnik  via AP

Given these various factors, as we at The War Zone have already noted, even a limited military operation has long been a difficult proposition for the U.S. military and its South Korean allies in general, even if the details were secret. It would be hard for the inevitable response not to escalate the situation into a broader conflict, too.

Well aware of this, the United States and South Korean militaries routinely train for mass casualty scenarios, including those involving the need to decontaminate large amounts of personnel and equipment after a possible nuclear or chemical attack. Among the more than 23,000 U.S. military personnel on the Korean peninsula is a forward deployed U.S. Army chemical battalion, in position specifically to respond to such a situation among other duties.

OPLAN 5015 would include many, if not all of these specifics. The U.S. military writes these plans according to a standardized format and they have to include the responsibilities of all senior commanders with a stake in the operations, the roles of their assigned forces in often granular detail, sources of intelligence for planning and operational purposes, the timelines for putting the operation into action, what reinforcements and stores of ammunition and other supplies are available, and other key details that North Korea could easily use to counter the mission.

On top of that, the United States and the South Korea have a unique arrangement that means during a broad conflict with North Korea, the U.S. military is in complete control of both American and South Korean forces on the Peninsula. This issue of so-called of returning “wartime control” to the government in Seoul remains a major point of discussion between the two countries and they have repeatedly delays plans to do so. Though the present linkage limits South Korea’s ability to operate independently militarily from the United States, it makes it clear to the North Koreans that a war against one is a war against both. 

South Korean Hyunmoo-2 ballistic missile launchers fire during an exercise in September 2017., South Korea Defense Ministry / Sipa via AP Images

As such, it also means that the operations plans Kim’s hackers stole would likely include information about both U.S. and South Korean forces and their capabilities, no matter which country authored the plan itself. The United States is known have, or at least had in the past, nearly a half dozen more OPLANs focused on contingencies surrounding North Korea, including one, OPLAN 5029, that reportedly outlines the response to the sudden collapse of the regime in Pyongyang for any reason.

Not surprisingly, North Korea has denied any involvement in the breach. The country’s reclusive government accused their counterparts in the South of “fabricating” the claims, according to South Korea’s Yonhap News Agency.

There are widespread reports about North Korea’s extensive cyber warfare capabilities, which experts say is the responsibility of Bureau 121, part of the Reconnaissance General Bureau, one of the country’s clandestine intelligence arms.  This unit may have been behind a breach of computers across South Korean government offices, banks and media outlets, a hack of electronics and entertainment conglomerate Sony, infecting cell phones with malware, and GPS jamming.

In May 2017, South Korea’s military blamed North Korea for breaking into their networks in September 2016, though they did not disclose what, if any information, they had stolen. Nearly a year earlier, the North’s reportedly hackers lifted Korean Aerospace Industries data. relating to the F-15 Eagle fighter jet, which the company produces components for.

Though hard to confirm, cyber attacks would be in line with other North Korean activities to harass opponents and bust sanctions in the face of international pressure. It only underscores the increasing importance and vulnerability of networked systems in general both during conflicts and in times of uneasy peace, giving countries an easily deniable way to try and disrupt potential opponents without touching off an actual war.

Armed with information about OPLAN 5015 and any other details from this latest hack, the North Koreans also have more leverage to deter a possible attack. Since taking office in January 2017, U.S. President Donald Trump has steadily ratcheted up the rhetoric against Kim and his regime, implying that there is no solution to the growing crisis except for force.

“Presidents and their administrations have been talking to North Korea for 25 years, agreements made and massive amounts of money paid hasn’t worked, agreements violated before the ink was dry, makings fools of U.S. negotiators,” Trump wrote in a pair of Tweets on Oct. 7, 2017. “Sorry, but only one thing will work!”

We at The War Zone have continually highlighted how difficult and costly even a limited military operation against North Korea would be, both for the United States and its regional allies, South Korea and Japan. These threats have served mainly to bolster North Korea’s own propaganda machine and the Kim regime’s position that it needs nuclear weapons and other deterrents to stave off an otherwise inevitable America-led assault.

Regardless, finding out the true nature of OPLAN 5015, which media outlets have widely reported on, as well as other decapitation plans, such the South Korean military’s “Kill Chain” concept, would have to have been a priority for North Korea’s intelligence services given the common suggestion that they include provisions for the assassination of Kim Jong-un himself. It is entirely possible that they feel they have confirmed this particular detail, explaining why they have been referring directly to the existence of such plans for some time now and even accused the United States of making an actual attempt on the leader’s life.

Whatever details Bureau 121 may have uncovered will probably only serve to reinforce the regime’s paranoia and lead to additional provocations, such as more long-range missile launches or even the possibility of an end-to-end atmospheric nuclear test, all while limiting the ability of the United States and South Korea to respond militarily short of a catastrophic Peninsula-wide conflict.

If North Korea has already had this information since before President Trump took office, one wonders how this has impacted his rhetoric or the U.S. military’s plans for possible military action. The U.S. military would surely have changed the OPLAN 5015 details by now. Unfortunately, it might be functionally impossible to change them dramatically enough to be sure the North Koreans would be unable to spot preparations for the attack.

US Marine Corps F-35B stealth fighter jets drop bombs on South Korea’s Pilsung training range in September 2017., US Army

“Yes, there are [military options], but I will not go into details,” Mattis had told reporters on Sept. 19, 2017. “Yes, I don’t want to go into that,” he added when asked if these plans involved some kind of “kinetic” action, usually a term for lethal force, such as what one would expect from a decapitation strike.

However, it might have been that Mattis understood “kinetic” in this context simply to mean an active operation. In September 2017, The Washington Post reported, citing anonymous U.S. government officials, that Trump had approved a Pentagon plan to have U.S. Cyber Command conduct its own operation against Bureau 121. 

This may have have served the dual purpose of being a potential dry run of sorts for a future, broader cyber attack, akin to the one the United reportedly planned to launch against Iran if the Iran Deal had failed to move ahead. It definitely let North Korea know that the United States has similar capabilities and is willing to use them.

Still, these new details suggest that threats of any action might be even harder to implement than we’ve previous thought, while still pushing North Korea to escalate the situation itself, ultimately leaving the United States ever less room to avoid an actual war.

Contact the author: