Threat profile - North Korea

Offensive cyber capabilities are of primary importance to North Korea in modern conflict, as cyber operations enable North Korea to counter conventional military strength.^[1] Moreover, cyber operations are relatively low-cost and low-risk in comparison to conventional military operations, because attribution is extremely difficult in cyberspace. Specifically, cyber operations enable North Korea to inflict damage and cause disruption without crossing the threshold for war.^[2] Furthermore and unique for nation states, North Korea uses its cyber capabilities to steal money, specifically to fund its nuclear and missile programs, whilst at the same time evading longstanding sanctions (see case 1).^[1] Next to that, North Korea is known to conduct economic espionage operations against specific sectors such as defense-related, manufacturing and high-tech targets.^[1]

The Reconnaissance General Bureau (RGB), one of North Korea’s intelligence services, houses multiple units that are tasked with conducting offensive cyber operations, although it is not entirely clear how the organization and its units are exactly structured.^[1] It appears that each unit has its own specific tasks, ranging from espionage, disruption and financial gain to surveillance. However, the units do seem to share resources, such as tools and human capital. To overcome their specific limitations, such as power cutdowns and having only two international internet gateways, the RGB houses some of its operators abroad (e.g. in China, so that even if attacks are attributed to North Korea, its operators will not be extradited).^[3]

On the defensive part, North Korea’s cyber capabilities appear to be quite fragile. The limited number of international internet gateways makes it relatively easy for adversaries to shut them down and in doing so, denying North Korea internet access^[1] Next to that, North Korea reportedly has outdated electronic systems for its infrastructure, increasing its own attack surface.^[1]

CASE 1: Bangladesh Central Bank Heist (2016)

In February 2016, the Central Bank of Bangladesh fell victim to a sophisticated cyber-attack.^[6] Hackers stole the bank’s SWIFT credentials and used these to make multiple fraudulent transactions, all in just a few hours. The hackers managed to steal 81 million dollars. It could have been much more, but the Federal Reserve Bank of New York managed to detect anomalies in the requests, blocking the remainder of the requests and preventing the attackers from stealing another 850 million dollars. The hackers cleverly used the differences in weekends, due to different time-zones, to prevent the banks from communicating with each other. The attack has been linked to APT38, which is assessed to be a subgroup of the state-sponsored North Korean Lazarus group responsible for providing funds to the regime.

Opportunities

Using cyber to counter conventional military strength, (mis)using the factor of ‘plausible deniability’
Use of cyber capabilities to attack financial targets (e.g. crypto exchanges) to fund the regime
Conducting operations from other countries where there is no risk of extradition (e.g. China)
Conducting cyber espionage operations to obtain IP and high-tech knowledge to modernize own key industries (e.g. defense, manufacturing, high-tech)

Since the Korean peninsula has been divided into North and South Korea, there have been persistent tensions between the two countries.^[8] There have been talks on unifying the two countries (which relates back to North Korea’s ambition to unify the countries under the North Korean government), but it is highly unlikely that this will happen in the near future. This divide has also resulted in tensions with countries that historically have been more supportive towards South Korea, such as the US and Japan.^[8] Relations between North Korea and the US further deteriorated when North Korea started to expand its nuclear weapon program, resulting in the imposition of severe economic sanctions. In general, North Korea is cut off from the rest of the world, resulting in North Korea having very limited diplomatic ties.

Activity of North Korea in cyberspace is characterized by obtaining strategic intelligence relevant to the regime on the one hand and by stealing money to fund its nuclear and ballistic missile programs on the other hand. Next to that, North Korea conducts targeted cyberespionage operations on sectors that contain IP and advanced knowledge on technologies useful to modernizing its key industries and to further develop its nuclear and ballistic missile programs.

North Korea has three main goals: (1) to ensure the continuity of the regime, (2) to become a completely self-sufficient nation free of outside interference and (3) to unify Korea under the control of the North Korean government.^[4] Although the last goal is unlikely to happen in the near future, North Korea does have a nuclear program in place to avert outside interference. Furthermore, it actively uses cyber operations to advance its strategic interests. North Korean cyber units conduct political espionage operations to obtain intelligence relevant to the regime (e.g. on nuclear and other strategic weapons and a possible unification of Korea). Next to that, North Korea is actively surveilling its citizens and monitoring North Korean defectors.

What separates North Korea from other nation states, is that it also conducts financially-motivated state-sponsored cyber-attacks to ensure the continuity of the regime and to be self-sufficient, as it is facing longstanding economic sanctions. A well-known example is the Bangladesh Central Bank Heist, as described in case 1. Money obtained from such attacks are for example used to fund its nuclear weapons and missile development programs. Furthermore, North Korea is the only nation state that targets crypto exchanges to obtain funding for its regime (see case 2). In 2021, North Korea reportedly stole 400 million dollars from crypto exchanges.^[10] Arguably one of the largest cyber-attacks that has been attributed to North Korea’s Lazarus Group is the WannaCry ransomware attack In 2017.^[11] The ransomware hit over 200,000 computers across 150 countries and resulted in an estimated loss of 4 billion dollars. An exploit called 'EternalBlue' was used. EternalBlue was reportedly developed by the NSA and later leaked by a group that called itself the Shadow Brokers. Next to that, North Korea is also known for conducting economic espionage to obtain IP and high-tech knowledge to boost its own industries. North Korea reportedly expresses interest in, amongst other sectors, the aerospace, agriculture, automotive, defense, automotive, education, energy, healthcare, manufacturing, maritime and high-tech industries, primarily in Asia, but increasingly a wider range of targets.^[5] Examples of last year are the attacks on multiple pharmaceutical companies, during which North Korean hackers tried to steal sensitive information on coronavirus vaccines and treatments.^[12] Such espionage operations enable North Korea to evade longstanding sanctions whilst at the same time having a way to combat the coronavirus.

On the military front, North Korea uses cyber operations as an expansion of its warfare capabilities in order to avoid outside interference. It can execute disruptive attacks without risking to exceed the threshold of war, partly due to plausible deniability. In the event of war, North Korea would use a ‘quick war, quick end’ strategy, trying to rapidly and aggressively attack adversary networks.^[2] Lastly, North Korea has used disruptive cyber-attacks in the past as a form of retaliation against adversaries, an example is the hack on Sony Pictures Entertainment (see case 3).

CASE 2: Ronin Bridge crypto theft (2022)

In March 2022, North Korea’s APT38 stole more than 600 million dollars in crypto from a blockchain network connected to the online game Axie Infinity.^[16] The attackers managed to exploit a vulnerability in the ‘Ronin Bridge’, the place where tokens are converted into ones that can be used on other networks. Specifically, the group managed to hack five of the nine ‘validator nodes’ of Ronin Bridge, which was exactly enough to approve transactions. This attack is an example of a broader strategy of North Korea in that it uses cyber operations as a way of collecting money to fund its nuclear weapon and ballistic missile programs whilst at the same time evading sanctions. In general, crypto targets are attractive targets to attack as it requires no negotiation (e.g. in comparison with ransomware) and because the funds are relatively difficult to retrieve after the transaction has been completed.^[17]

CASE 3: The Sony Pictures hack (2014)

On 24 November 2014, hackers broke into the systems of Sony Pictures Entertainment, stealing huge amounts of confidential data.^[7] Furthermore, Sony faced downtime of its networks for multiple days. Co-chairman and executive of Sony Pictures Amy Pascal stepped down as a direct result of the hack. The hackers also posted the data online, exposing sensitive documentation to the outside world. A hacktivist group called Guardians of Peace, which has been linked to APT38, claimed responsibility for the attack. It is believed that the group is sponsored by / affiliated to the North Korean regime, as it had expressed outrage earlier on a Sony film called ‘The Interview’, a satirical movie surrounding an assassination attempt against North Korea’s supreme leader Kim Jong Un.

Hunt and Hackett currently observes ten North Korean APTs. The data from the Threat Diagnostic System shows that these hacker groups mainly focus on South Korea, followed by India, Japan, the US and Vietnam (see figure 1). The focus on South Korea is of course the result of longstanding hostilities between the two countries since the North-South divide of the peninsula.

The US is also a longstanding adversary of North Korea. The US helped with dividing up the Korean peninsula and waged war against North Korea in the 1950s. Furthermore, North Korea is facing longstanding economic sanctions from the US. The expansion of North Korea’s nuclear program further deteriorated relations between the two countries. The relationship between North Korea and Japan is also marked by tensions. North Korea and Japan have longstanding disputes, with the kidnapping of multiple Japanese citizens during the Cold War as the main source of tensions. Furthermore, since North Korea has demonstrated that it can reach Japan with it ballistic missiles, Japan is critically following the developments around North Korea’s nuclear program. Although India is the second largest trading partner of North Korea, it is at the same time also abiding UN sanctions against North Korea.^[13] Vietnam has had historically close ties with (North) Vietnam, but relations deteriorated after Vietnam sought closer cooperation with the West. Furthermore, the assassination of the half-brother of Kim Jong Un by a Vietnamese citizen has led to tensions between the two countries.^[14]

Anomalies are based on differences between North Korea and the rest of the actors in the dataset. In other words, anomalies indicate to what extent North Korea has a larger focus on certain countries or sectors when compared to all the actors that Hunt & Hackett tracks. North Korea’s focus on financial gain explains the spikes in for example Bangladesh, Ecuador and Nepal, as it has attacked banks from all three countries (see figure 2).^[9][15] The explanation of why North Korea precisely targeted banks in these countries, can be found in the size and amount of money that these banks contain.^[18] The largest and most sophisticated banks have more advanced cyber defenses whilst the somewhat smaller banks, amongst which the ones in Bangladesh, Ecuador and Nepal, all had relatively weak cyber defenses, which made it easier for the hackers to enter and steal the money.^[9][15][19]

North Korean actors are mainly focused on government targets, followed by technology and energy (see figure 3). The focus on the government sectors supports the notion that North Korea conducts political espionage operations to obtain intelligence relevant to the regime. The focus on technology can be explained by North Korea’s economic espionage activities to obtain IP and high-tech knowledge to boost its own industries. Regarding the large focus on energy, North Korea has a longstanding history of struggling with meeting its energy demands. Therefore, it is possible that it conducts cyber operations to obtain knowledge that can be used to achieve energy security. However, also looking at sightings, North Korea is mainly attacking the energy industry for advancing its information position on nuclear power, so that it can further develop its nuclear program.

Looking at figure 4, the relatively large focus on the chemical and aerospace industries fits in the broader strategy of North Korea conducting cyberespionage operations to gather information that it can use to further develop its nuclear and ballistic missile programs. Regarding the automotive industry, North Korea has its own car manufacturing plant for producing domestic and military vehicles.^[20] However, North Korea has a longstanding history of copycatting versions of cars from famous car brands in its own factories. Therefore, targeting automotive fits in North Korea activity of conducting cyberespionage for collecting intellectual property and other advanced knowledge.

Threat profileNorth Korea

Cyber capabilities

CASE 1: Bangladesh Central Bank Heist (2016)

SWOT analysis

Strengths

Weaknesses

Opportunities

Threats

Geopolitical relations

Strategic motives

CASE 2: Ronin Bridge crypto theft (2022)

CASE 3: The Sony Pictures hack (2014)

North Korean APTs

Advanced Persistent Threats (APTs)

Tactics, Techniques & Procedures (TTPs)

Attack tools

Sources

Our articles covering North Korean threats

Questions or feedback?