North Korea’s army of 6,000 hackers have been implicated in a multimillion dollar bank heist, the theft of intelligence from finance and defense firms, and the infiltration of infrastructure networks—all in the first six months of 2016. This only adds to the numerous attacks against South Korea – one of the most vulnerable countries in the world to cyber attacks – and U.S. companies in previous years.
Throughout its history, North Korea has viewed itself as a vulnerable nation pitted against stronger adversaries. In order to confront its enemies, with the U.S. being first and foremost among them, North Korea has always pursued asymmetric strategies. Cyber warfare is the latest example of this trend, and recent evidence suggests North Korea is redoubling its commitment to its cyber capabilities. South Korean military estimates suggest that North Korea has doubled its cyber personnel from 3,000 to 6,000 since 2013. While Pyongyang may face an insurmountable disparity in conventional forces, its recent cyber advances prove it has found an area of asymmetric advantage to complement its nuclear deterrent.
North Korea has organized its cyberwarfare apparatus within its special operations command. Most of North Korea’s 6,000 cyberwarfare personnel are organized in several mission-specific groups located within the General Bureau of Reconnaissance (GBR). The newly formed GBR consolidates all of North Korea’s intelligence and special operations capabilities for targeting foreign nations in one bureau that is overseen by the General Staff Department, and above that, Supreme Leader Kim Jong-un. The GBR is believed to employ hackers in several offices within Pyongyang and immediately across the Chinese border in Shenyang.
In addition to personnel expansion, Pyongyang has developed training and partnership programs. Within state and military universities, North Korea has developed a robust program for training professional hackers for both defensive and offensive cyber capabilities. In addition, North Korea is able to draw on independent foreign hacker groups for personnel, hardware, and software.
North Korea’s confirmed offensive cyber capabilities consist of distributed denial of service (DDOS) attacks, which can take large networks offline, and the ability to extract information and implant malware into a targeted network – as was done in the December 2014 Sony attack linked to North Korea. North Korea’s DDOS attacks have become increasingly complex in recent years, however, one has not been successfully used against the U.S. government since 2009. While North Korea has exhibited success in employing malware that can erase a hard drive after stealing information, there is currently no evidence to suggest that North Korea is capable of something as complex or as devastating as the Stuxnet attack, a computer virus that disrupted Iran’s nuclear program.
The same digital fingerprints from the Sony hack were found on the February cyberheist of $81 million from a Bengali bank, as well as the theft of F-15 blue prints from South Korea– and they all point back to Pyongyang. The former case is alarming because it shows the hackers are sophisticated enough to infiltrate the Society for Worldwide International Financial Telecommunications (SWIFT) system, which underpins transactions among 9,000 banks in 209 countries. While $81 million went unrecovered, additional false transactions, had they not been blocked by the Federal Reserve, would have increased the heist’s total to $850 million.
In the latter case, F-15 fighter jet blueprints, along with 42,000 other defense related documents, were stolen from South Korean firms over the course of two years. The fact that the breach was only discovered earlier this year suggests the possibility that other cyber operations are currently in progress.
The breadth and depth of North Korea’s capabilities mean it is a constant concern for both government and private networks. With the exception of the SWIFT hack, most other attacks were on networks later shown to have vulnerabilities that were easy to exploit. Good cyber hygiene is therefore crucial for any firm conducting its operations in South Korea. However, the sophistication of the SWIFT attack, and the expansion in capabilities and target set that it implies, suggests a need for greater vigilance.
Among other state cyber threats, North Korea is in fourth place, behind Russia, China, and Iran. However, North Korea has committed itself to increasing the breadth and depth of its cyber capabilities and, given its successes against Sony, numerous South Korean targets, and the SWIFT bank heist in Bangladesh, it is very likely to continue development. Among the cyber threats arrayed against the US, North Korea exists as a pernicious but relatively moderate threat to U.S. government security, however, it is more of a threat to private U.S. firms. Both should stay aware of North Korea’s evolving capabilities.
Will Edwards is an international producer at The Cipher Brief.