27 November 2019

Assessing North Korea’s Cyber Evolution

By Ali Crawford

Ali Crawford has an M.A. from the Patterson School of Diplomacy and International Commerce where she focused on diplomacy, intelligence, cyber policy, and cyber warfare. She tweets at @ali_craw. Divergent Options’ content does not contain information of an official nature nor does the content represent the official position of any government, any organization, or any group.

Author and / or Article Point of View: The author believes that the international community’s focus on addressing North Korea’s nuclear capability sets the conditions whereby their cyber capabilities can evolve unchecked.

Summary: Despite displaying a growing and capable cadre of cyber warriors, North Korean cyber prowess has been overshadowed by threats of nuclear proliferation. While North Korea remains extremely isolated from the global community, it has conducted increasingly sophisticated cyber attacks over a short span of time. In that short period, North Korea has cultivated a cyber acumen worth recognizing as being as threatening as its nuclear program.

Text: As the internet quickly expanded across the globe and changed the nature of business and communication, Western nations capitalized on its capabilities. Authoritarian regimes felt threatened by the internet’s potential for damaging the regime’s power structure. In the 1990s, Kim Jong-il, father of current North Korean leader Kim Jong-un, restricted internet access, usage, and technology in his country[1]. Eventually, Kim Jong-il’s attitude shifted after recognizing the potential benefits of the internet. The North likely received assistance from China and the Soviet Union to begin training a rudimentary cyber corps during the 80s and 90s[2]. Cyber was and still is reserved explicitly for military or state leadership use.

The expansion of North Korea’s cyber program continued under Kim Jong-un, who today seeks to project military might through displays of a capable nuclear program. But Kim Jong-un, who possesses a degree in computer science, also understood the potential for cultivating cyber power. For North Korea, cyber is not just an asymmetrical medium of warfare, but also a method of surveillance, intelligence-gathering, and circumventing sanctions[3]. Within the last decade, North Korea has demonstrated an impressive understanding and application of offensive cyber competence. Several experts and reports estimate North Korean cyber forces range from 1,800 to upwards of 6,000 professionals[4]. Internet access is reportedly routed through China, which lends added difficulty to attribution but provides a measure of defense[5]. North Korea is largely disconnected from the rest of the world and maintains a rudimentary internet infrastructure[6]. The disconnect between the state and the internet leaves a significantly smaller and less vulnerable attack surface for other nations to exploit.

Little information is available regarding the internal structure of North Korea’s cyber forces. What little is known suggests an organizational hierarchy that operates with some autonomy to achieve designated mission priorities. Bureau 121, No. 91 Office, and Lab 110 report to North Korea’s Reconnaissance General Bureau (RGB)[7]. Each reportedly operates both inside and outside Pyongyang. Bureau 121’s main activities include intelligence gathering and coordinating offensive cyber operations. Lab 110 engages in technical reconnaissance, such as network infiltration and malware implantation. No. 91 Office is believed to orchestrate hacking operations. Other offices situated under Bureau 121 or the RGB likely exist and are devoted entirely to information warfare and propaganda campaigns[8].

In the spring of 2013, a wave of cyber attacks struck South Korea. A new group called Dark Seoul emerged from North Korea armed with sophisticated code and procedures. South Korean banks and broadcasting companies were among the first institutions to endure the attacks, which began in March. In May, the South Korean financial sector was paralyzed by sophisticated malware. Later, in June, marking the 63rd anniversary of the beginning of the Korean War, various South Korean government websites were taken offline by Distributed Denial of Service (DDoS) attacks. Although Dark Seoul had been working discreetly since 2009, its successful attacks against major South Korean institutions prompted security researchers to consider the North Koreans more seriously as perpetrators[9]. The various attacks against financial institutions would be a precursor to the massive cyber financial heists the North would eventually carry out, possibly making South Korea a testing ground for North Korea’s code and malware vehicles.

North Korea’s breach of Sony Pictures in 2014 catapulted the reclusive regime to international cyber infamy. Members of an organization calling themselves the Guardians of Peace stole nearly 40 gigabytes of sensitive data from Sony Pictures, uploaded damaging information online, and left behind a bizarre image of a red skeleton on employees’ desktop computers[10]. This was the first major occurrence of a nation-state attacking a United States corporation in retribution for something seemingly innocuous. While the Sony hack illustrated how vague the rules for conducting cyber war and cyber crime are, and how much they differ between nations, the attack was more importantly North Korea’s first true display of cyber power. Sony executives felt compelled to respond and sought counsel from the U.S. government. The government was hesitant to let a private company respond to an attack led by the military apparatus of a foreign adversary. Instead, President Barack Obama publicly named North Korea as the perpetrator and vaguely hinted at a potential U.S. response, becoming the first U.S. president to do so.

Cyber crime also provides alternative financing for the regime’s agenda. In February 2016, employees at Bangladesh Bank were struggling to recover a large sum of money that had been transferred to accounts in the Philippines and Sri Lanka. The fraudulent transactions totaled $81 million USD[11]. Using Bangladesh Bank employee credentials, the attackers targeted the bank’s SWIFT account. SWIFT is an international money transfer system used by financial institutions to transfer large sums of money. After-action analysis revealed the malware had been implanted a month prior and shared similarities with the malware used to infiltrate and exploit Sony in 2014[12]. The Bangladesh Bank heist was intensively planned and researched, which lent credence to the North’s growing cyber acumen. As of 2019, North Korea has accumulated an estimated $2 billion USD exclusively from cyber crime[13]. Security assessments indicate the Sony attack, the Bangladesh Bank hack, and the WannaCry attacks are related, which lends some understanding of how North Korean cyber groups operate. In 2018, the United States filed criminal charges against a North Korean man for all three cyber crimes as part of a grander strategy for deterrence[14].

Finally, it is important to consider how North Korea’s cyber warfare tactics and strategies will evolve. North Korea has already proven to be a capable financial cyber crime actor, but how would its agencies perform in full-scale warfare? In terms of numbers, the North Korean military is one of the largest conventional forces in the world despite operating with rudimentary technology[15]. Studies suggest that while the North may confidently rely on its nuclear program to win a conventional war, it is unlikely that North Korea would be able to sustain its forces in a long-term war[16]. North Korea would need to engage promptly in asymmetric warfare, disorienting enemy forces to gain a technological advantage while continuously attacking enemy systems to disrupt crucial communications. The regime could conduct several cyber operations against its adversaries, deny responsibility, then use the wrongful attribution as grounds for a kinetic response. North Korea has threatened military action in the past after being hit with additional sanctions[17].

Despite North Korea’s display of a growing and expansive cyber warfare infrastructure, coupled with a sophisticated history of cyber attacks, the international community remains largely concerned with the regime’s often unpredictable approach to nuclear and missile testing. With the international community focused elsewhere, North Korea’s cyber program continues to grow unchecked. It remains to be seen whether the international community will someday diplomatically engage North Korea regarding its cyber program with the same intensity as its nuclear program.