The National Election Commission (NEC), a constitutionally independent institution established to manage South Korea's elections, has refused to cooperate with an investigation into North Korean hacking attempts on the NEC and on the equipment it uses, which is also used in other nations' elections, a report said.
In the past two years, the NEC has come under cyber attack eight times, seven of which are believed to have been conducted by “Lazarus Group”, a hacking organization linked to North Korea’s General Reconnaissance Bureau, East Asia Research Center's Tara O reported on May 11.
On April 18, the South's National police said Lazarus Group had spread malicious code to 207 computers in 61 government institutions since November 2022. One of the institutions hacked was the NEC.
The National Intelligence Service (NIS) reached out to the NEC to inform them about the hacking, but the NEC did not reply.
"Without reviewing NEC’s systems, the NIS could not determine the extent of the hacking penetration or devise security measures," Tara O noted.
The NIS and the Ministry of Public Administration and Security each recommended that the NEC receive security consulting. The NEC refused.
In late March, the NIS contacted the NEC to offer to conduct a security audit of NEC’s IT system. The election commission refused assistance, stating “it is not a legal obligation” and “there is political controversy.”
"The NEC also rejected the alternative of receiving a security audit while the governing election commission officials are present," Tara O noted.
The NEC has claimed that it is impossible to hack the electronic vote counting machines that it uses for elections in Korea. The South Korean company that produces the electronic voting and vote-counting machines used in the South's elections also exports the machines to other countries. The NEC supports the export of the machines.
"The exports of these machines are promoted by the National Election Commission," Tara O wrote.
When asked about the hacking attempts on the Korean-made electronic voting machines used in Iraq, an NEC official said: “Although the equipment is made by the same company, the Iraqi equipment can transmit information, while the voting equipment used by the NEC cannot transmit information, so there is no possibility of a hacking attempt.”
The NEC official’s claim is "false," Tara O noted. "NEC chose a WiFi company that uses Huawei equipment to provide Internet and WiFi to voting sites for handling the pre-vote ballots, which is unsecure. The voting equipment also has multiple USB ports, which means it has the capability for connectivity with thumb drives, phone cables, keyboards, or computer mice for transmitting and receiving information."
The NEC has in the past refused audit or review by other government agencies. On Aug. 12, 2022, the NEC refused to provide information to or be audited by the Board of Audit and Inspection (which audits other government agencies), stating “since the Election Commission is an independent body under the Constitution, it is difficult to be subject to the auditor’s inspection.”
"The NEC is a government agency funded by taxpayers, and as such the citizens have the right to ensure that their funds are used properly by the NEC," Tara O noted.
On March 3, members of the People Power Party’s Executive Committee issued a statement stating, “The irresponsible behavior of the National Election Commission, which is neglecting to take measures against a serious threat from North Korea, is absolutely unacceptable.”
Lazarus Group gained notoriety after its hacking of Sony Pictures in 2014 in the U.S. after the studio produced a satire movie about Kim Jong-Un; again in 2016 for stealing $81 million after it cyber attacked Bangladesh’s central bank; and again in 2017 for infecting Windows computers with its WannaCry ransomware, encrypting files so the owners could not access them, and then demanding ransom payment in Bitcoin to decrypt the files.