North Korea has garnered much attention, largely due to its nuclear ambitions, but also for its presumed offensive cyber capabilities. The isolated country has been suspected of some of the more noteworthy intrusions of recent years, which, if the attributions are correct, show a growing use of cyber operations ranging from distributed denial-of-service (DDoS) attacks to the destructive “wiping” of data on targeted networks and systems. More recently, there have been indications that North Korea is using its cyber capabilities in support of outright criminal activity, namely the theft of money and, lately, of cryptocurrencies. This range of activity is notable because most other suspected nation-state cyber operations have concentrated on stealing data, running influence campaigns, or launching destructive attacks.
North Korea’s cyber power
This is not to say that suspected North Korean cyber activity does not also serve those purposes. Some of the more aggressive actions believed to have been orchestrated by North Korea include, but are not limited to, the following:
- August 2017: Cyber espionage activity tied to the “Lazarus Group” targeted U.S. defense contractors with spearphishing e-mails. Lazarus Group operations are believed to be orchestrated by North Korean cyber actors.
- June 2017: The United States Computer Emergency Readiness Team (US-CERT) published a warning of potential North Korean cyber attacks against U.S. media, aerospace, and financial companies. The alert, which refers to North Korean government cyber actors as “Hidden Cobra,” identified Internet Protocol (IP) addresses associated with a malware variant used to manage North Korea’s DDoS botnet infrastructure.
- November 2014: In addition to having personal information and intellectual property stolen from its networks, Sony Pictures Entertainment had systems rendered inoperable by wiper malware. The Federal Bureau of Investigation stated with high confidence that North Korea was responsible.
Nevertheless, when looking at the breadth of North Korea’s alleged cyber malfeasance, there is less evidence that the government is testing its cyber tools against real-world targets, as has been suggested of Russia against Ukraine and China against Taiwan, and more that it is leveraging existing capabilities to support immediate regime interests. True, South Korea suspects that much of the hostile cyber activity targeting its public and private organizations is conducted by its antagonistic neighbor. However, there is little evidence that newer or never-before-seen techniques or malware are being deployed. Rather, some of this activity has followed a perceived transgression against North Korea’s interests, such as the conduct of U.S./South Korean military drills (e.g., the 2004 DDoS attack) or South Korean elections (e.g., the 2011 DDoS attack), suggesting that cyber attacks were used as a quasi-anonymous signaling or punitive measure rather than as any real test of new weaponry.
Shift towards cyber-crime activities
This is consistent with North Korea’s latest foray into the theft of money. According to one source, North Korea has historically relied on illegal activities (e.g., gun-running, jewel smuggling, illegal gambling and counterfeiting) to finance projects supporting regime objectives, in the wake of strict sanctions that have crippled the rogue nation’s economy. It should therefore come as little surprise that North Korea is exploiting the vulnerabilities inherent in cyberspace, and the degree of anonymity it affords those operating in the domain, for the same ends.
Concern that North Korea is developing more powerful and sophisticated cyber capabilities is not without merit, particularly since a strong information technology base can quickly improve the tools with which a state operates. Nevertheless, overestimating those capabilities does little to help us understand what North Korea can actually do, how it uses its tools, or when and where it would apply them.
Cyber as a means of last resort?
If tensions continue to escalate and North Korea feels its regime or sovereignty is threatened, it can be expected to use all means to preserve its central power, including cyber attacks. But what has been observed thus far in the real world is by no means highly advanced or sophisticated. If North Korea has been “testing” cyber weapons or techniques in the real world, it would most likely concentrate such efforts on its southern neighbor. Yet nothing tied to North Korea has victimized South Korea on the eye-opening and unprecedented scale of a Stuxnet, Flame, or Duqu. This is not to say that it does not possess advanced cyber weaponry; it may simply be that such weaponry is not being tested in the real world, which carries its own set of unknowns, particularly with regard to how it would perform in an open environment and its ultimate effectiveness.
If North Korea was behind the activities it is alleged to have orchestrated, then the government has used cyber attacks (that is, operations whose purpose is to destroy or disrupt targeted systems) primarily as a retaliatory measure against activities it perceives as hostile to regime interests. As for its criminal activities, the theft of money via cryptocurrency to evade sanctions monitoring is not awe-inspiring; it is simply a means to an end.
This is a guest post written by Emilio Iasiello.