18 June 2018

Trump must still hold North Korea accountable for cyberattacks

President Trump concluded his first summit with North Korea’s Kim Jong Un in Singapore. In recent weeks, the president stated he is no longer interested in a maximum pressure strategy, and Kim Jong Un has temporarily halted ballistic missile and nuclear weapons tests as part of his charm offensive. Nonetheless, North Korea has intensified cyberattacks on the South, a blatant violation of the pledge Kim made at his April summit with the president of South Korea. Despite the reduction of tensions after the Singapore summit, Pyongyang’s two-faced diplomacy should be a reminder of the critical need for Washington to remain vigilant and maintain sanctions pressure until North Korea fully commits to disarmament and peace.

Last month, South Korea’s government began investigating a wave of alleged North Korean cyberattacks that began before the inter-Korean summit on April 27 and continued until at least late May. These attacks targeted sensitive information belonging to South Korean financial companies and to groups focused on North Korea. Although the total number of infected computers and the type of information stolen remain unclear, these recent breaches reflect North Korean hackers continuing to exploit South Korea as a testing ground for their cyber capabilities.

Recent analysis of North Korea’s cyber activity patterns reveals that Pyongyang has emphasized cyber reconnaissance efforts rather than theft or sabotage. Since they are more discreet and less destructive, reconnaissance attacks carry less risk of jeopardizing Kim’s recent diplomatic initiatives, which are already blunting the impact of sanctions. Despite being less provocative, these ongoing intelligence-gathering missions enable North Korea to continue maturing the cyber capabilities that will put it in a more advantageous position if diplomacy fails.

In March, suspected North Korea-linked hackers conducted a global data reconnaissance effort, which experts labeled Operation GhostSecret. This campaign targeted a broad range of industries including critical infrastructure, entertainment, finance, health care, and telecommunications across 17 different countries, including the United States.

Operation GhostSecret incorporated a robust command infrastructure that supported multiple functions such as deleting files and even leaving backdoors for other viruses to use in future attacks.

In previous years, Pyongyang had already demonstrated the ability to infiltrate the networks of critical infrastructure systems in both the U.S. and South Korea. For example, in October 2017, FireEye, a private cybersecurity firm, reported several attacks against U.S. electric companies the previous month. North Korea’s future reconnaissance missions could eventually focus on manipulating the industrial control systems (ICS) of critical infrastructure, enabling Pyongyang to cause cataclysmic damage at a time of its choosing.

Despite the current emphasis on reconnaissance, North Korea’s cyber capabilities have previously served a range of goals, including espionage, physical sabotage and destruction, political score settling, cybercrime and theft, and improving war-fighting capabilities. More concerning, North Korea has expanded its cyber operations to target the critical infrastructure of the regime’s adversaries, creating backdoors into networks vital to daily life and posing a persistent existential threat to commerce and national security.

Theft is an important element of Pyongyang’s cyber activity, likely because sanctions have limited its opportunities to earn legitimate revenue. For example, last year, North Korean hackers reportedly infiltrated South Korean cryptocurrency exchanges to steal various types of cryptocurrencies. North Korean hackers also deployed the WannaCry ransomware virus to extort money from compromised computer owners. They even stole money directly from banks worldwide through cyber-enabled means, including the theft of $81 million from the Bank of Bangladesh. If not for a bit of good luck, Pyongyang’s hackers would have made off with a cool $1 billion.

Yet when North Korean hackers reportedly attacked South Korea’s banking and media sectors in March 2013, their primary objective was not economic or commercial. Rather, the main purpose of the DarkSeoul attacks was to hone Pyongyang’s capability to undercut South Korea’s ability to function in the midst of a northern offensive. Tellingly, Pyongyang launched its cyber strike in the midst of major joint exercises by U.S. and South Korean forces. The attack paralyzed the networks of major banks, leaving citizens unable to withdraw money from ATMs.

Pyongyang’s cyber activities exploit its enemies’ dependence on critical and financial infrastructure. The U.S., South Korea and the broader international community must enhance cyber resilience to mitigate North Korean cyberattacks and infiltrations. To that end, the U.S. government must continue its outreach efforts to inform vulnerable U.S. industries about its latest analysis of North Korea’s evolving offensive cyber capabilities so they can prepare for future attacks.

Moving forward, Washington must make it clear to the Kim regime that its ongoing malicious cyber activities amidst its diplomatic overture will carry severe consequences.

One suggestion is increasing sanctions to restrict the funding sources critical to Pyongyang’s cyber operations. Section 209 of the North Korea Sanctions and Policy Enhancement Act requires the president to sanction persons involved directly or indirectly with North Korean malicious cyber activity. Unfortunately, Washington has yet to fully implement these measures. Allowing North Korea’s cyber onslaught to go unnoticed puts the U.S. and its allies at greater risk, especially if diplomatic efforts break down and tensions resurge with North Korea.

Mathew Ha is a research associate focused on North Korea at the Foundation for the Defense of Democracies (FDD), where Trevor Logan is a cyber research associate. Follow them on Twitter @MatJunsuk and @TrevorLoganFDD. Follow FDD on Twitter @FDD. FDD is a Washington-based, nonpartisan research institute focusing on national security and foreign policy.