In December 2014, while many were still preoccupied with the aftermath of the North Korean cyber attack on Sony Pictures Entertainment, South Korea was in a crisis of its own. An entity identifying itself as an “Anti-Nuclear Power Group” demanded that the country shut down three of its civilian nuclear reactors by Christmas Day, threatening to release 100,000 pages of sensitive documents and inflict “secondary destruction” if its demands were not met. It also demanded, rather vaguely, a payment of $10 billion. For a week after Dec. 15, the group gradually raised tension by releasing documents including the reactors’ blueprints, safety evaluations, and information regarding the power plant’s employees.
On Christmas Eve, South Korea’s government and the nuclear operator, Korea Hydro & Nuclear Power Co. (KHNP), conducted an emergency security check and went into lockdown. Media reported on the crisis around the clock. However, when the day came, no attack was attempted on the reactors, no additional documents were released, and no additional communication came from the group afterward. Months later, researchers attributed the attack to North Korea’s primary intelligence and covert operations agency, the Reconnaissance General Bureau. More interestingly, investigations revealed that the documents released were from compromised subcontractors, while the main malware deployed did not contain code for extracting data. The malware also only targeted KHNP headquarters, not the reactors. It was a well-staged bluff.
The KHNP incident is a good illustration of how North Korea continues to advance ways to use cyber operations for strategic ends. While North Korea has certainly been diversifying the application of its cyber capabilities to many areas, one particular area of interest is its attempts to use cyber means for coercion. North Korea, even before the advent of networks and digital technologies, had a long tradition of launching limited attacks in an attempt to undermine and destabilize South Korean society, while remaining below the threshold of war. Since as early as 2009, Pyongyang has been increasingly incorporating disruptive cyber operations into its toolkit of limited provocations.
However, the chief dilemma when planning these operations is that while such a limited attack lowers the risk of retaliation or escalation, it also fails to sow enough chaos. North Korea’s goal has therefore been to find a happy medium between the two tradeoffs. Until the KHNP incident, disruptive cyber operations had proven to be useful for avoiding escalation, but not necessarily able to inspire fear. Even the DarkSeoul campaign that launched a series of coordinated wiper and denial of service attacks on banks and newspapers arguably failed to cause fear once systems were recovered for routine operations.
The case of KHNP was different because it played on the fear caused by uncertainty, rather than through the damage or destruction of a vital element of society. It aimed to cause fear by making the South Korean government and the public entertain the possibility of an attack on a nuclear power plant, not by actually disrupting the supply of electricity by damaging the civilian nuclear power plants. It is more analogous to the usual North Korean threats to engulf Seoul in a “sea of fire” using its long-range artillery than to the actual shelling of Yeonpyeong Island. Here, the focus of the operation is in the process of unraveling the crisis rather than the destruction of the target. The latter becomes secondary, to the extent that the attacker cares about guarding its reputation for future attacks of the same kind. If staged well, this kind of operation could be that happy medium – avoiding war by not carrying out the attack threatened but causing fear by picking a relatively high value target.
However, a plan that relies on the manipulation of risk solves one problem but creates another. For the threat to have any impact on the threatened, North Korea needs to credibly convey that it has both the intent and capability to inflict harm. In the KHNP case it relied on “doxing,” or the hack and release of sensitive stolen information, to try to convince its target that it has the relevant capability and knowledge to carry out the threat. But it is not impossible to imagine that they would demonstrate this in more disruptive ways, for example, by taking administrative control of, or actually damaging, a portion of the target. If North Korea is indeed going down this path of relying on the manipulation of risk to sow fear, there may be greater room for misperception and miscommunication between the threatener and the threatened, especially when mutual expectations regarding red lines and related consequences for engagements in cyberspace have not been sufficiently established.
Another related, but important departure from previous patterns of North Korean cyber operations is an apparent desire to use cyber means to issue compellent threats – that is, to utilize the conditional restraint of power in order to get the threatened to do something it otherwise does not want to do. An offensive cyber operation that simply infiltrates and executes a destructive payload on a nuclear power plant on Christmas is categorically different from an operation that holds the power to hurt in reserve, communicates a threat and a demand with a deadline, and substantiates the threat up until the deadline with increasing pressure.
Although compellence is hard to achieve in general, and even more difficult using destructive malware as the main tool of threat, it is notable that North Korea has nonetheless tried to use cyber means to coerce its target in both the Sony and KHNP cases. For other dyads, trying to force a target to take specific actions through compellent threats may not work well because vulnerabilities are mutual in many cases. But it is more understandable that North Korea would attempt these threats through cyberspace because even if the probability of success is low, the negative consequences of each failed attempt are also low, since there are few options for conventional retaliation or punishment without risking escalation and North Korea is less dependent on cyberspace for its daily activities than other countries.
An open question is whether North Korea can find an even better cyber means for compellent threats. One thing to look out for is the possibility that North Korea may use ransomware and/or doxing, rather than destructive malware. Others have rightly argued that because a cyber operation using destructive malware relies on stealth and surprise to be successful, it is difficult to credibly communicate a threat before an attack, because doing so alerts the target and triggers preventative measures.
Cyber operations using ransomware and doxing, however, are designed to impose continuous, accumulating cost for the duration of the time that the threatened is not complying with the threat. They are therefore more suitable for use in conjunction with compellent threats, as long as credible assurance can be given that once the target complies, the cost also stops. Both are analogous to throwing the victim in the water, and offering to save him if he pays, rather than threatening to drown him unless he pays. North Korea has already allegedly tried using doxing and ransomware for criminal purposes, and it may not be long before it can find other applications for these tools.
This article has been updated by the contributor.