North Korea’s Cyber Capabilities and Strategy
North Korea is among the least wired countries worldwide. Yet, an increasing number of cyber activities are attributed to the regime in Pyongyang, and these activities have shown growing sophistication and success over the last few years. Its cyber operations will likely continue to increase, as they fulfill at least three strategic purposes and exhibit a favorable cost-benefit ratio for the North Korean regime.
Only slightly more than 1,000 IP addresses are ascribed to North Korea; selected individuals within the country can have selective and purposive access to the worldwide web. While strategic planning and decision-making presumably lie with authorities in Pyongyang, such as the Reconnaissance General Bureau's Bureau 121, the execution of cyber operations is likely decentralized and outsourced. More than 6,000 hackers outside North Korea are believed to operate on behalf of the regime in Pyongyang, among them infamous groups named Lazarus, Kimsuky, APT37 or BeagleBoyz.
North Korea might be particularly famous for the hacking of Sony Pictures in 2014, in response to the regime-critical film "The Interview". Since at least 2009, however, the regime has conducted "denial of service" (DoS) attacks to paralyze US and South Korean government websites. By 2013, it launched technically more sophisticated malware campaigns to infiltrate and manipulate data systems, such as the "DarkSeoul" malware used to disrupt television stations and banks in South Korea. North Korea's cyber capabilities further improved to include ransomware attacks by 2017, when the "WannaCry" malware infected more than 200,000 or 300,000 computers across 150 countries. North Korea acquired a diverse set of technical capabilities relatively quickly. It has also shown fine-tuned techniques of phishing and social engineering, which require detailed knowledge of the respective targets and their procedures.
Cyber activities for three strategic purposes
Pyongyang can pursue at least three strategic objectives with its cyber operations: causing disruption, conducting espionage, and generating revenue. Of course, individual activities can also serve more than one purpose.
Cyber campaigns easily unsettle their targets and create a sense of vulnerability. Disruption is thereby an immediate, if not automatic, result of cyber operations, fueling perceptions of insecurity and threat. The cyber-attacks against the 2018 Pyeongchang Winter Olympic Games, which caused a temporary shutdown of the official website, serve as an example of operations whose sole aim was disruption. Campaigns targeting North Korean defectors, human rights activists and cybersecurity researchers aim to disrupt while also collecting available information. Furthermore, North Korea is presumably increasing campaigns targeting international news outlets in order to spread disinformation. Particularly worrisome for South Korea, considering its wired society and upcoming presidential elections in March 2022, are Pyongyang's tailored misinformation campaigns of organized social media manipulation.
Activities in cyber space also allow for the covert collection of information. Malware and ransomware campaigns can be specifically designed to infiltrate communication and data systems and to retrieve vast amounts of information, either at once or over time. Such cyber operations can pursue a number of different intelligence purposes, from economic and scientific to military espionage, depending on the respective targets. Over the course of 2020 and 2021, for example, North Korea is believed to have conducted a number of hacking attempts against companies involved in COVID-19 vaccine research and development, among them Pfizer and AstraZeneca. The defense industry and political institutions have been long-time targets of cyber operations. Over the course of 2020, Pyongyang presumably conducted a series of espionage campaigns attacking defense firms in a dozen different countries, including Russian aerospace companies. In October of last year, a joint cybersecurity advisory by the relevant US institutions warned individual experts, research and government entities in South Korea, Japan, and the US about North Korean cyber operations attempting to collect information on sanctions and nuclear policy. Pyongyang is also said to be behind cyber-attacks against the South Korean Atomic Energy Research Institute (KAERI) in May 2021 and the Indian Kudankulam Nuclear Power Plant in November 2019.
While disruption and espionage fulfil crucial strategic purposes, the majority of North Korea's activities in cyber space presumably aim to raise money. Malware campaigns against financial institutions as well as ransomware attacks can serve this purpose of generating vast amounts of revenue. Pyongyang's cyber-crime capabilities first entered the world stage in 2016, when it targeted Bangladesh's national bank and successfully retrieved $81 million. The WannaCry attack is estimated to have generated $130,000 in May 2017 from ransom demands in cryptocurrency. Since then, cryptocurrency has become not only the key tool, but also a target of operations to generate revenue. A series of campaigns against cryptocurrency exchanges in 2020 illustrates this. The UN reports that North Korea acquired the equivalent of $316.4 million in virtual assets between 2019 and 2020. The US assistant attorney general termed "North Korea's operatives … [as] the world's leading bank robbers" in February 2021.
Cyber operations are here to stay
Activities in cyber space exhibit a particularly favorable ratio of benefits to costs and risks. They facilitate the pursuit and fulfillment of the above-mentioned strategic purposes without being cost-intensive or particularly risky.
While the initial set-up and the development of know-how and trained personnel are time-intensive, maintaining and improving cyber capabilities thereafter requires relatively low levels of material and human resources. Furthermore, information and guidance on software development are easily accessible in the open-source and illegal domains. Hackers can learn from one another, copying and adjusting techniques for their own purposes and targets.
Investigation is challenging in cyber space. Attribution of activities has technical limits, and perpetrators can channel operations through other IP addresses, further blurring digital traces. Cryptocurrencies provide additional pathways to cover tracks. Pyongyang can thereby easily deny accusations and circumvent law enforcement structures. Furthermore, prevention and defense tend to lag behind, as it is often offensive operations that reveal weaknesses and the need for adjustment.
Additionally, North Korea has a particular advantage: its targets are manifold, widely interconnected and dependent on the worldwide web. In turn, Pyongyang and its decentralized operatives constitute very hard targets for digital counter-operations. It is uncertain whether US strategies of forward defense and deterrence in cyber space can effectively deter and defend against North Korea's digital operations. Rather, Pyongyang's interest in cyber campaigns for disruption, espionage and revenue will likely increase in tandem with its weapons developments and its intensifying need to evade sanctions.
This text was first published by the Italian Institute for International Political Studies (ISPI) on December 21, 2021.