15 May 2020

Loose cobras: DPRK regime succession and uncertain control over offensive cyber capabilities

JD Work

The world does not yet know if Kim Jong Un is incapacitated, or dead, as has been rumored in April 2020. However, any potential transition of leadership raises concern over control of strategic weapons – including offensive cyber capabilities commonly referred to as HIDDEN COBRA.

If the DPRK succession does not occur smoothly, multiple scenarios may be considered in which HIDDEN COBRA threat activity may result in new intrusion or attack against critical infrastructure targets. These include potential action on pre-planned contingency plans for retaliation in the event of conflict arising out of miscommunication or other mistakes, attempts to acquire new illicit revenue to cover the ever-rising costs of ensuring loyalty to a new successor, or incidents driven by competition and opportunism in the disorder inherent to a contested transition where no heir has yet clearly emerged.

The opaqueness of the regime is likely to be aggravated by crisis, limiting opportunities to observe prospective regime threat activity and provide further warning across these scenarios.

Unconfirmed rumors surfaced in mid April 2020 regarding the potential incapacitation of North Korean leader Kim Jong Un, leading to speculation about the ramifications of a sudden transition of leadership in Pyongyang. These rumors have once again raised serious concerns over the stability of the Democratic People’s Republic of Korea’s (DPRK) control of strategic weapons, including nuclear and ballistic missiles. 1 Any regime succession scenario in an autocracy involves the potential for a contested transition with different factions competing for ultimate authority from differing bases of power, influence, and resources. Control of strategic weapons becomes a key prize in such struggles, leading to longstanding nightmares of potential “loose nukes” no longer fully under the authority of a unitary government. Political power contests are particularly risky within the North Korean system, as it remains both famously opaque and notoriously prone to political violence and personal retribution. These worries are familiar to the international affairs community from multiple earlier crisis moments. 2 A prospective change of leadership in Pyongyang also uniquely takes place as a family affair, within a political dynasty built around the perceived legitimacy of the Kim bloodline. 

In particular, the international community’s fears surrounding a North Korean transition of power are compounded by its questions about control of offensive cyber operations capabilities. In the case of intrusion sets, or malign offensive cyber actors attributed to the DPRK, known commonly under the umbrella term HIDDEN COBRA, the risk of unanticipated actions triggered by a transition crisis is magnified by these groups’ high operational tempo and their varied selection of targets, both unrestrained by any sense of international norms. 3 Efforts to understand DPRK-attributed threat activity groups face many challenges limiting the ability to gather information. To date, intelligence efforts focus primarily on observed technical artifacts and operational patterns, paying less attention to the operators behind the keyboard, or to the organizational structures in which these operators work. However, it remains notoriously difficult to gather facts and information regarding the situation on the ground in Pyongyang, let alone from within the compound at Wonsan where Kim allegedly sheltered from the ongoing coronavirus pandemic. Yet even without a full picture, the international community may still consider a number of potential scenarios upon the death of Kim Jong Un, whether at this moment, or at some unknown point in the future.

Dead Hand scenario

The first scenario of immediate concern is that of Dead Hand control. This involves the pre-delegation of authorities to automatically execute cyber attacks in the wake of the death or incapacitation of DPRK leadership. The Dead Hand command and control architecture for offensive cyber operations has been contemplated for almost a decade among multiple adversaries. In this system, loss of positive direction from national leadership triggers immediate pre-planned strikes against the United States and its allies. HIDDEN COBRA sustains routine, recurring intrusion accesses within multiple financial, energy, transportation, defense and government, media, and telecom networks—many of which have remained active for extended periods of months before detection and remediation. 4 These accesses may be leveraged to generate prompt destructive effects.

Dead Hand control is modeled on early nuclear warfighting concepts including the reported Russian system Perimeter, which issued attack orders to the strategic rocket force and other nuclear warfighting components, automatically triggered by disruption of communications with national command authorities. The Russian system was intended to assure second strike retaliation in the event of successful surprise attack resulting in leadership incapacitation. Multiple actors have adapted these nuclear concepts in offensive cyber operations, initially as a measure to harden botnet command and control in the face of law enforcement and security takedowns. 5 Given the degree to which command and control of the North Korean state has been centralized to Kim Jong Un, and to a wider extent to the Kim bloodline, it remains unclear how military and intelligence services may respond to the sudden loss of their leader, or even disruption in the flow of routine orders. Such responses may include action on any standing pre-delegation of authority to initiate offensive strikes. The potential for catastrophic escalation of otherwise “normal” frictions under such conditions has been considered in terms of a nuclear crisis, and such concerns are equally valid in the case of offensive cybersecurity operations. 6

This scenario raises particular dangers where a pre-programmed strike from DPRK may involve out-of-theater retaliation capabilities, staged to provide assured second-strike offensive cyber options in the event of conflict on the Korean Peninsula. Components assigned to carry out these strikes may potentially include at least some subset of the DPRK threat activity groups known variously as APT37, REAPER, Scarcruft, Group123, and Ricochet Chollima, based on industry reporting suggesting broader global presence and round-the-clock operations cycles. 7 While these elements have likely been assigned other primary missions, a contingency role cannot be ruled out.

DPRK’s ability to maintain its presence abroad has been substantially degraded in recent years by international diplomatic pressure and continuing sanctions that have disrupted cover companies and associated intelligence service basing options. This pressure has likely also degraded DPRK’s ability to sustain offensive cyber teams in a number of countries. However, even a small number of surviving threat activity groups would be sufficient to initiate pre-planned offensive operations. This is especially true where reconnaissance, initial access footholds, and construction of tailored payloads have been previously built up over time within the headquarters components of the Korean People’s Army (KPA) Reconnaissance General Bureau. 

North Korean-attributed intrusion operations targeting the critical infrastructure of the United States and its allies have been observed during earlier periods of heightened conflict risk. Beyond well-known financial sector intrusions, DPRK has targeted electrical and other energy sectors in actions which have encompassed attempted compromise of US utilities in September 2017, as well as successful intrusions against global nuclear energy generation targets on multiple occasions, including incidents ongoing through early 2019. 8 Such networks almost certainly remain ongoing targets of interest and would be priorities for destructive effects in a Dead Hand tasking model.

The dangers of a Dead Hand scenario resulting in prompt destructive cyber actions are greatest in the initial hours or days of a transition crisis. This is especially true where even outer circles of North Korean elites may not be fully aware of developments pertaining to Kim Jong Un’s health, given the regime’s tendency to limit information deemed threatening to the image of the Kim family. The tight restrictions on news of Kim Jong Il’s death in 2011 offer a likely precedent. A lack of formal transition planning, due to the unexpected nature of Kim Jong Un’s rumored health concerns, only exacerbates this uncertain and reactionary atmosphere. The fears and speculation of elites outside of the family circle may therefore supplant verifiable information. As a result, a small number of intermediate leadership elements may in fact execute retaliation scenarios for which authorities had been pre-delegated by the younger Kim. Execution of offensive cyber operations may be driven by orders arising from miscalculation, or worse yet, by middle management failure to countermand standing orders triggered by some misunderstood version of events.

Since the most recent rumors regarding Kim Jong Un’s health have stretched over multiple days (and perhaps even weeks), the immediacy of this retaliation scenario is somewhat diminished. However, the prospect of such action may take on a new dimension depending on the timing and manner in which the party is directed to acknowledge Kim Jong Un’s death or serious health complications, should they need to do so. This consideration is compounded by risks arising from the potential irregularities inherent in any scenario other than a smooth transition. North Korea’s offensive cyber cells deployed around the world may be expected to be isolated from key internal information flows, particularly through informal channels, and therefore the officers responsible for key tactical decisions are likely poorly informed. As a result, it is possible that they may react to conflicting narratives or even deliberate disinformation emanating from Pyongyang. The risks of such misinformed aggressive actions become magnified should DPRK attempt to place blame for Kim Jong Un’s passing on the usual external enemies highlighted in their propaganda.

Kingmaker scenario

Cyber operations previously played a linchpin role in Kim Jong Un’s ascension to power. The line of succession to follow Kim Jong Il remained profoundly unclear throughout the ‘00s. While a familial dynasty was considered the most likely outcome, Kim Jong Un’s then youth and lack of leadership experience did not suggest he would emerge as the favored son. 9 However, he was reported to have been deeply involved in early cyberattacks in July 2009 against the US and Republic of Korea (ROK) governments, as well as global military and financial sector targets. 10 These attacks were followed in March 2010 by the attack on the ROK corvette Cheonan, in which Kim Jong Un was allegedly personally involved. 11 Kim Jong Un was rewarded in October 2010 with a four star general rank, having ably demonstrated his ability to engage and manage the Korean People’s Army and Reconnaissance General Bureau. 12

Offensive cyber operations continued to underpin the consolidation of Kim Jong Un’s control of the regime after Kim Jong Il’s death. This required cementing the support of key military and intelligence factions, and eliminating potential rivals. 13 Ongoing attacks against South Korean targets, including media companies, demonstrated his ideological commitment. Successful breaches of banking networks, continued cryptocurrency mining, and other online theft campaigns created a steady flow of illicit revenue to support the young leader’s efforts to buy personal loyalties and direct funding elsewhere in the North Korean regime. 14

Control of these capabilities, reportedly managed in part through the consolidated Korean Workers’ Party (KWP) function known informally as Office 39, may thus serve as kingmaker for Kim Jong Un’s successor, whether through direct institutional authority or backroom political support. This sprawling enterprise, allegedly run much like an ongoing racketeering conspiracy, manages global front companies, smuggling networks, and money laundering exchanges. Office 39’s prior director, Jang Song-thaek, was one of Kim Jong Un’s most important early mentors. In return for that support, Kim Jong Un offered him political redemption. Jang finally fell from favor following his failure to respond effectively to tightening sanctions, leading to his execution in late 2013 and the exile of his wife Kim Kyong-hui, who would not reappear until January 2020. 15 Jang would be one of the highest profile victims of what became a major government purge, resulting in the reported murder of hundreds. This in turn led to the defection of other key Office 39 staff and disruption to Kim Jong Un’s illicit fundraising. 16

It is no coincidence that one of the key inner circle figures in the prospective line of succession is Kim Jong Un’s younger sister Kim Yo-Jong, who reportedly took Kim Kyong-hui’s position in the Politburo. She had studied at Kim Il-sung University, an institution reportedly involved in cryptocurrency mining operations for the regime. More importantly, by some accounts Yo-Jong is also married to Choe Song, the current director of Office 39 and son of KWP Secretary Choe Ryong-hae. 17

While Kim Yo-Jong’s role in advancing her brother’s interests abroad has had mixed results, and has led to uncertainty about her status and relative prominence, her ties to critical revenue streams offer a powerful advantage in any transition scenario. Yo-Jong’s place in the current uncertain period is also unique in that she has continued to speak for her brother, assuming an important role of responsibility during Kim Jong Un’s reported incapacitation, though detailed timing remains unclear. 18 Evidence of her ideological stance and policy preferences, to the extent that these may be discerned while her brother has been in power, suggests she would sustain the country’s current strategic direction. 19 Such continuity would presumably incentivize the support of key regime power centers including both Office 39 and the Reconnaissance General Bureau. 20 Even if she does not assume the highest seat in government, her support—or her elimination—will be critical to the ultimate victor. 21

Rogue Faction scenario

As with any strategically significant capability, a scenario exists where a dissident faction takes advantage of the disorder inherent to transition periods to pursue external attacks for its own objectives. The risks of rogue command of offensive cyber capabilities are likely more pronounced than in comparable nuclear command and control scenarios, due to the degree of decentralized control over cyber actors as opposed to the centralization of launch authorities for nuclear release. The degree of personal control exercised by the North Korean Supreme Leader over ballistic missile systems and associated nuclear warheads is more likely to preclude origination of falsified orders, or misguided action on such orders in case of irregularities. 22 However, this is an unproven hypothesis that may be tested in a transition crisis. While nuclear assurance is a relatively more mature problem for multiple military organizations, the newer issues associated with offensive cyber approval and direction are as yet understudied. 23 These process matters are further complicated by the unconventional, and frequently non-military, nature of key cyber threat activity groups. How such already murky concerns then play out in the opaque HIDDEN COBRA organizational structure remains a mystery. Likewise, the reaction of these entities under the stress of a transition crisis remains nearly impossible to predict.

However, offensive cyber action against ROK, US, or other global targets driven by factional competition within the North Korean government is unlikely to become a reality without internal pressures in which success of an operation would advantage a given faction. The most plausible circumstances leading to such a scenario would involve a contested transition where no heir has yet clearly emerged. The uncertainties of a fight for leadership, especially over an extended crisis duration, may be seen among KWP and KPA elites as inviting external intervention by other parties. Such interventions may include unwanted Chinese influence, or even prospective US-ROK mobilization or Japanese response. Such eventualities may occur in any circumstance as a contingency measure for enhanced crisis readiness. An aspiring successor and their supporters may therefore believe that destructive cyberattacks could offer a low-risk option to push back against possible intervention from foreign governments, with less potential to trigger international response than kinetic campaigns or use of strategic capabilities.

Attacks against the key resources supporting political rivals competing for the most senior leadership roles in the event of a sudden political vacuum may also appear as a variation on this scenario. In North Korea’s narrowly constrained technology ecosystem, the potential efficacy of these options is somewhat reduced. However, the available cyber capabilities function best when aimed at key groups and assets rather than at broad disruption. The regime is critically dependent on a number of external financing mechanisms, driven by illicit relationships and continuing criminal enterprise, that serve to reduce the impact of international sanctions. These units are likely targets in the event one faction seeks to deny their value to a competitor. The threat activity groups would be a tempting target in their own right for either kinetic or virtual action by any faction that would seek to undermine competitors’ support.

In the event that transition devolves and the overbearing scrutiny of central KWP elites wavers, there is also a likelihood that individual leaders or even mid-level operators may seek to realize their own ambitions. A succession crisis could present an opportunity that comes but once in several generations, allowing political players the chance to acquire personal wealth and a potential exit from the nightmare that is service to the North Korean regime. A number of prior defections have occurred with less favourable prospects than those provided by a sudden transition, including by key individuals involved in handling of illicit funds. 24 In this climate, offensive capabilities may thus be bent to personal ends. 

Cyber capabilities remain a new and largely untested element in significant succession disputes. Despite the fact that rogue action by factional elements in control of other strategic assets has remained a longstanding concern in other crisis events, custodial security safeguards for offensive cyber arsenals have received little consideration to date. 25 Some prior evidence exists to suggest that cyber capabilities may feature prominently in future contested leadership transitions within authoritarian regimes. Indications of action by factional elements observed during the prior unexplained absence of Russian President Vladimir Putin provide one such example. 26 During the Syrian civil war, the contested control and ultimate loss of key Syrian signals intelligence facilities, including critical bilateral liaison operations capabilities, provides a second analogy. 27 However, the North Korean case is substantially unique due to the centrality of cyber espionage and theft to the regime’s ongoing survival.

Implications and outlook

DPRK offensive cyber operations activity remains a prestige program for the regime, though its importance may have been somewhat overlooked to date by external observers. This program is made up of a number of key functions that enable Hidden Cobra threat activities, including vulnerability discovery, malware implant development, targeting and access operations, effects actions on objective, financial theft operations, and influence operations. The generation of these capabilities and employment roles appear to be split, and in some cases duplicated, across competing organizations, including KWP offices, DPRK Ministry of State Security directorates, and KPA components. The offensive cyber operations capability lacks much of the physical footprint, associated pattern of life, and other geospatial signatures of strategic and undersea warfare programs. Its intangible nature has limited more widespread analysis using commercial overhead imagery and the associated open source collection, tracking, and modeling methodologies increasingly familiar to the international affairs community.

Yet these cyber capabilities offer the regime clandestine means for accumulating illicit wealth, projecting power to hold regional and great power adversaries at risk, and sustaining North Korea’s Juche ideology of self-reliance, which appears increasingly built upon economic and military espionage. Any challenger wishing to assume the legacy forged on Mount Paektu (at least as the regime’s mythmaking would style it) must prove themselves equal to the task of mastering this portfolio of cyber capabilities and of commanding the compliance, if not the respect, of the leaders that shape the organizations involved in the conduct of these operations. The prospect of infighting, cooperation, or opportunism among these key figures will determine in no small part the shape of North Korea’s post-Kim Jong Un future, now or in years to come. 28

The apparent centrality of Kim Yo-Jong in the succession question may well also drive additional actions by DPRK’s cyber groups, intended to demonstrate loyalty, capability, and effectiveness. Potential near-term courses of action favor leveraging existing Hidden Cobra infrastructure and access for rapid action, including further theft from cryptocurrency exchanges, international banking institutions, and other financial sector targets. Observers should also anticipate accelerated intrusion attempts to drive new revenue opportunities, as any successor will require the funds directed through Office 39 to cover the ever-rising costs of ensuring loyalty. 

Despite the cyber domain’s importance to the regime for purposes of clandestine espionage, attack, and finance, it remains an open question what proportion of these capabilities will remain under control of the Politburo and Kim Jong Un’s successor in the event of contested transition. Uncoordinated use of offensive cyber capabilities at levels below the national command echelon may be contemplated under multiple scenarios with potential disruptive or destructive effects across a variety of targets. While some scenarios may suggest confusion and disruption of routine processes leading to operational pauses and degraded effectiveness, these outcomes appear more likely in cases where a strong unitary leadership continues and the operators and planners merely await guidance, preparing to prove themselves to the new successor. Without expectations of a clean succession, there are strong incentives to execute new operations aggressively in pursuit of different beliefs regarding personal and positional benefit. Additionally, red-on-red engagements between competing factions controlling differing cyberattack arsenals and infrastructure may surface, where various Hidden Cobra subset operators leverage insider knowledge and access to hunt and degrade sources of power contributing to rivals’ base of support. These fights over staging and delivery mechanisms, foothold, implant command and control, exfiltration infrastructure, and effects triggers may very well play out across the compromised systems and networks of uninvolved third-party victims previously targeted by North Korean military and intelligence services, and threaten unanticipated collateral damage.

Limited information from within the North Korean regime may be further restricted during a transition. Warning across these scenarios is highly likely to be attenuated by instability, distrust, and internal crackdowns that may collectively deny what limited channels of information remain available to the international community. This will limit opportunities to observe specific threats and deny options to validate the credibility and veracity of what few indications may surface. Coupled with the disruption of routine interactions, movement restrictions, and economic contraction due to the ongoing coronavirus pandemic, any prolonged leadership transition could well pose the most severe intelligence and policy challenges of a decade which has already defied even the most fevered imagination in just its opening months.

JD Work serves as the Bren Chair for Cyber Conflict and Security at Marine Corps University, and as a non-resident senior fellow with the Atlantic Council’s Cyber Statecraft Initiative in the Scowcroft Center for Security and Strategy. He holds additional affiliations with the School of International and Public Affairs at Columbia University, the Elliot School of International Affairs at George Washington University, and as a senior adviser to the Cyberspace Solarium Commission. He can be found on Twitter @HostileSpectrum. The views and opinions expressed here are those of the author(s) and do not necessarily reflect the official policy or position of any agency of the US government or other organization.