As North Korea’s nuclear and ballistic missile programs ruffle feathers in the United States and among regional players in East Asia, there is another, less visible, confrontation occurring in the depths of computer systems around the world.
In the last decade, despite a notable deficiency in global internet access, North Korea has leaped into the spotlight on the geopolitical and criminal cyber stage. Resorting to cyberspace allows Pyongyang, and its leader Kim Jong-un, global reach to coerce adversaries – particularly South Korea and the United States – without the escalatory consequences of conventional military efforts.
“North Korea likely views cyber as a cost-effective, asymmetric, deniable tool that it can employ with little risk of reprisal attacks, in part because its networks are largely separate from the internet, and disruption of internet access would have minimal impact on its economy,” says a U.S. Department of Defense report submitted to Congress in 2015.
“Any use of force in response to a nonfatal attack – and no cyber attack has ever hurt anyone directly – would seem disproportionate,” says Martin Libicki, the Keyser Chair for Cybersecurity Studies at the U.S. Naval Academy. “North Korea’s low level of digitization and ultra-low level of connectivity means that cyberspace-only responses would not be something their leaders would fear.”
According to South Korean government estimates, North Korea has doubled its offensive cyber personnel from 3,000 to 6,000 since 2013. The country has trained cadres of hackers, both within North Korea and across the border in Chinese cities like Shenyang. After they complete their training, hackers are deployed to China, Malaysia, throughout Eastern Europe, and elsewhere to launch attacks using more reliable and connected internet infrastructure.
Many of these military hackers work within mission-specific units under the country’s clandestine military intelligence branch, the General Reconnaissance Bureau. Formed in 2009, the bureau consolidates North Korean political warfare, foreign intelligence collection, propaganda, subversion, covert action, and cyber warfare missions.
Unit 121 of the bureau, the country’s premier cyber warfare group, is allegedly responsible for many of the disruptive attacks against South Korean, Japanese, and U.S. targets between 2009 and 2013. Going by the moniker “DarkSeoul,” the unit has targeted South Korean government, financial, media, energy, and military assets, including the country’s military cyber command and a civilian nuclear power plant, with coordinated distributed denial of service attacks, disc-wipers, and other malware intended for data extraction.
In 2014, Unit 121 reached across the globe into the United States, targeting the networks of Sony Pictures in anticipation of the release of a film depicting the assassination of Kim Jong-un. The attack wiped Sony files and immediately released damaging internal communications and intellectual property. A group calling itself the “Guardians of Peace” claimed responsibility for the attack, which also came with the warning to movie theaters around the world that running the film would result in retribution.
The U.S. National Security Agency reportedly saw the attack coming through its beacons buried deep in North Korean networks, allowing the Obama Administration to quickly attribute the attack to Pyongyang and follow up with a new set of sanctions. However, as Libicki notes, “North Korea’s isolation and autarky give additional sanctions little scope for potential value.”
The intention of these destructive attacks is to coerce or compel their targets to bend to North Korea’s will – in the Sony case, compelling theaters to not run the film under threat of a follow-on attack. Jenny Jun, a co-author of a Center for Strategic and International Studies report on North Korean cyber strategy, says that “an offensive cyber operation that simply infiltrates and executes a destructive payload on a nuclear power plant on Christmas, for example, is different from an operation that threatens but does not actually inflict damage and instead, makes a demand and sets a deadline while increasing pressure up until the deadline.”
One problem with this strategy is that Pyongyang has found it difficult to carry through on its threat of follow-on attacks. As Libicki points out, this approach rests on the false rationale that the discovery of implants in a network means there are more that have yet to be discovered. Often, intruders’ access is cut off shortly after breaches are discovered. So, by belligerently displaying that it has breached the networks of its targets with disruptive malware, North Korea paradoxically hinders its own ability to deter or compel its victims. “Using cyber attacks for deterrence or compulsion may require a degree of subtlety so far missing from anything else North Korea has done,” argues Libicki.
Jun agrees. “Because a cyber operation using destructive malware relies on stealth and surprise, it is difficult to communicate a credible threat before an attack, because doing so alerts the target and triggers preventative measures.” Rather than using destructive malware, Jun suggests North Korea may turn to doxing – hacking and then slowly leaking information – and ransomware to apply growing pressure and coerce their victims. These tools are designed to impose increasing costs over time to get something in return. “They are analogous to throwing the victim in the water and offering to save him if he pays, rather than threatening to drown him unless he pays,” says Jun.
As opposed to attacks that destroy data, ransomware instead encrypts it and demands a ransom payment in exchange for the decryption key. This profit motive is commonly the objective of criminal actors, but North Korea has already demonstrated its willingness – possibly as a result of the burden of sanctions – to engage in illicit activity, both in cyberspace and through traditional methods, to fund its nuclear and ballistic missile programs and the lavish lifestyles of its leaders.
Part of its illicit economy includes sophisticated cybercrime on a global scale. In 2016, North Korean state-sponsored hackers, known as the Lazarus group by industry, sought to glean nearly $1 billion through the Society for Worldwide International Financial Telecommunications (SWIFT) network, the global financial backbone that underpins transactions among more than 9,000 banks in 209 countries. However, due to a typo, the hackers only made off with $81 million through Bangladesh Bank’s holdings at the Federal Reserve in New York. Most of the money quickly disappeared into North Korea’s expansive laundering apparatus, using foreign national intermediaries in Southeast Asia. The Lazarus group has since targeted banks around the world.
In May, the WannaCry ransomware worm – leveraging a stolen NSA exploit – hit some 300,000 computers in over 150 countries. Technical analysis of the WannaCry malware indicated links with the Lazarus group, yet the design of the attack’s payment structure appears not to have prioritized profit. The single avenue of payment – an email account with a third-party company – was quickly disabled, leaving victims without the option of actually paying the ransom. Furthermore, the worm possessed a “kill switch” that allowed a British security researcher to halt the attack before it could spread further.
The apparent mistakes suggest either that the authors of WannaCry were less sophisticated than previous North Korean hackers – a single military officer moonlighting for personal gain, for example – or that WannaCry was still in its testing phase and the North Korean hackers lost control of it prematurely, leading to its discovery.
The lack of emphasis on profit behind the WannaCry attack, which only garnered some $150,000 in bitcoin after two weeks, suggests that perhaps Pyongyang is developing highly infectious ransomware for coercive purposes rather than to create a profit.
“Granted,” says Libicki, “understanding North Korean motives remains particularly iffy, and North Korea likes it this way.”
Levi Maxey is a cyber and technology analyst at The Cipher Brief. Follow him on Twitter @lemax13.