Background: Since the North Korean government's 2009 reorganization, Pyongyang has primarily deployed its hackers out of the Reconnaissance General Bureau (RGB), the country's primary intelligence organization, which is responsible for political warfare, foreign intelligence collection, propaganda, subversion, covert action and cyber warfare missions.
- Of the six official branches of the RGB, Bureau 121 is assessed to be the principal cyber operator overseas, with other units also varyingly engaging in cyber activity. As of 2015, North Korea was estimated to maintain some 3.000 to 6,000 government cyber operators.
- The U.S. Department of Homeland Security has dubbed North Korea state-sponsored hackers of the RGB "Hidden Cobra", while private cybersecurity firms have labeled them as the "Lazarus Group". Offshoot groups include "Reaper", which has increasingly become a component of Pyongyang's global espionage operations, and "Bluenoroff", which is responsible for Pyongyang's financially-motivated cyber operations.
- North Korean state-sponsored hackers are assessed to be responsible for using the moniker "DarkSeoul" beginning in 2013 when they launched cyber operations targeting South Korean government, financial, media, energy and military assets, including Seoul's military cyber command and a civilian nuclear power plant. The primary purpose if the attacks were harassing and coercing their southern neighbor with coordinated distributed denial of service attacks, disk-wipers and other malware intended for data extraction.
- In December 2014, North Korean hackers hit Sony Pictures Entertainment in anticipation of the release of "The Interview", a film depicting the assassination of Kim Jong Un. The attack wiped Sony files and immediately released damaging internal communications and intellectual property. A group calling itself the "Guardians of Peace" claimed responsibility for the attack, which also came with the warning to move theaters around the world that running the film would result in retribution. The U.S. quickly pinned the blame on North Korea, and in January 2015, imposed a series of targeted sanctions in response.
Robert Hannigan, Former Director, GCHQ and Executive Chairman BlueVoyant, Europe
Former Director, GCHQ
"DPRK cyber activity reflects a rational foreign policy. Pyongyang has the same objectives in cyberspace as in the real world: defending the leader's image, attacking its southern neighbor, building the nuclear program and acquiring foreign currency. They are remarkably consistent."
Issue: North Korea's malign cyber activity includes targeting international financial institutions, engaging in broad ransomware campaigns and illegally accruing and laundering cryptocurrencies. North Korea views cyber as a cost-effective, asymmetric and deniable tool that it can employ with little risk of escalation or reprisal cyber attacks.
- Pyongyang has employed cyber capabilities to siphon foreign currency directly from the backbone of the global financial system and help fund its state apparatus. In February 2016, Lazarus Group obtained legitimate Bangladesh Central Bank credentials, likely through an insider, for the SWIFT global inter-bank messaging system, and attempted to transfer $951 million of the bank's funds to accounts around the world.
- Pyongyang has recently set its sites on cryptocurrencies. In addition to the WannaCry ransomeware attack - which demanded payments in Bitcoin - the Lazarus Group has been linked to malware used to mine cryptocurrency, as well as to a sophisticated Bitcoin-stealing phishing campaign.
- There is minimal risk of retaliation for North Korea's cyber operations due to the fact that Pyongyang's digital networks remain largely separate from the global internet, and the disruption of internet access in North Korea would have a minimal impact on the country's economy. North Korea's low level of digitization and ultra-low level of connectivity means that cyber-only responses are not necessarily something Pyongyang would fear, while any kinetic response to a nonfatal cyber attack would seem disproportionate.
Joseph DeTrani, Former Director of the National Counterproliferation Center
"North Korea is transitioning more to cybercrime for financial gain. In fact, this is and will be the most lucrative illicit activity available to North Korea. And it's a twofer - money and disruption/espionage."
Robert Hannigan, Former Director, GCHQ and Executive Chairman, BlueVoyant, Europe
Former Director, GCHQ
"DPRK needs foreign currency and, as sanctions bite deeper, they will try anything that might help create income. Cryptocurrencies are a logical extension of DPRK's interest in cyber attacks against conventional banks, from Bangladesh to Poland. Attacking bitcoin exchanges in South Korea will be doubly attractive."
Response: While Pyongyang's limited connection to the outside internet - which is primarily through Russian and Chinese telecoms - makes it resilient against many cyber attacks, it also indicates that RGB's cyber operations are largely staged from outside North Korea's borders. This provides an opportunity for the U.S. to pressure third party countries to help stem the flow of North Korea's malicious cyber activity.
Looking Ahead: Given the anonymity that cryptocurrencies can lend and the relatively small underdeveloped regulatory environment surrounding them, North Korea's attraction to cryptocurrencies is likely to continue and could generate a significant revenue stream for the Kim regime's build up, despite international sanctions. Furthermore, North Korea may increasingly turn to doxing - hacking and slowly releasing sensitive information - and ransomware to impose continuous, accumulating costs against targets by extorting or intimidating them into falling in line with Pyongyang's criminal or political demands.
This Analysis was first published in The Cipher Brief's Threat Report in association with The Cipher Brief's Annual Threat Conference. The Cipher Brief's 2019 Threat Conference will occur March 24-26 in Sea Island, GA.
