Why the North Korean cyber threat shouldn't be ignored

At the luxurious Capella Hotel on Sentosa, off the southern coast of Singapore, two of the world’s most divisive leaders will meet tomorrow in a historic summit. You might have heard about it. But while most of the discussion has centred on Trump’s insistence that North Korea “de-nuke”, what about the DPRK’s cyber program?


How has North Korea become such a cyber threat?

The Korean peninsula (including South Korea) has risen to be “one of the top three geographies hosting DDoS botnet command and control services and being the originator of DDoS attacks worldwide,” according to Carl Herberger, Radware’s vice president of security solutions. The country’s cyber program goes back to the 1980s and 1990s, and cyber actors are reportedly trained from a young age. Threat intelligence and research firm Flashpoint has analyzed publicly released North Korean educational textbooks. They revealed that programming is introduced in secondary school, with more advanced topics and information security principles taught in tertiary programs. Javier Velazquez, threat intelligence analyst at EclecticIQ, explains that the education system is specifically designed to prepare top students for entry into specialized universities in the North Korean capital, Pyongyang.

For a long time, their priorities were very local, which allowed North Korean cyber actors to experiment and improve their skills without attracting too much attention from major cybersecurity companies. “It wasn't until Sony that the majority of the industry really started tracking the threat. By then, they had overcome most of the amateur mistakes,” says Ross Rustici, senior director of intelligence services at security specialist Cybereason.

The state-sponsored hacking program is highly advanced and covers three main areas: intelligence operations, destructive campaigns, and currency generation. “Their intelligence units are the best both in terms of operational security and the techniques they use,” says Rustici. The destructive group is the most well-known of the three, Rustici explains, being responsible for the attack against Sony and, the year before that, the media and banking attacks in South Korea. “This group is good enough to get the job done but not overly advanced.” The final group is the most prolific and is responsible for generating money for the regime. Dabbling in “just about anything that can make money online”, the vast majority of these groups work outside of North Korea and are “well-resourced and thought out to have it achieve multiple aims”.

The more well-known threat actor groups -- ‘Lazarus Group’, ‘Group 123’ and ‘DarkHotel’ -- are well-documented when it comes to their tactics, techniques and procedures (TTPs). However, the smaller, lesser-known groups, believed to operate from a multitude of international locations, “are not only difficult to locate, but it is almost impossible to understand how they perform attacks -- a critical component in counter intelligence and security operations,” says Velazquez.

What trends are being seen?

Each country’s cyber-criminal underground has its own individual characteristics. “North Korea does not have a traditional cybercriminal underground in that there is not a centralized space such as forums where actors can congregate to buy and sell illicit services,” explains Flashpoint’s North Korea/Korea expert, Mitch Haszard. Further, the strict regulation, monitoring, and access control of the internet make it very hard for people to get online, meaning “those North Korean actors that are conducting cybercrime are likely given permission to do so by the regime.”

For the most part, the motivation seems to be money, information, and retribution, according to Rustici: “So far, their destructive attack policy appears to be a tool of retribution for perceived attacks. In the North Korean version of events they have always responded to provocation with a measured response.” Flashpoint’s Haszard agrees, noting that open source information on the region shows that the regime uses cyber operations “as a means of financing itself while under harsh international sanctions”.

Radware’s Herberger identifies five key “fearful trends”:

  • Attacks which kill – “only a matter of when and not if”
  • Apathy in security decision-making – “many find the pursuit, in the end, fruitless”
  • More critical infrastructure outages – “widespread cyber-attack disruptions to critical infrastructure”
  • Comeuppance of cyber-hostage taking – “In at least one case this has led to business failure.”
  • Cyber-attack laws begin to be adopted en masse – “including nationalistic-rules”

Velazquez has noticed a growing interest in targeting cryptocurrency wallets, exchanges and users. The nature of cryptocurrencies means that transactions in digital currency cannot be censored, stopped or sanctioned; further, they provide anonymity, playing right into the hands of attackers. “Since it is widely believed threat actors from DPRK are self-funded,” says Velazquez, “it’s interesting to observe that many of their latest campaigns have had a strong focus on targeting cryptocurrency infrastructure or PoS.”

For Rustici, the biggest change is not the program itself but the rest of the world’s perception of it. The Sony hack, he explains, was a turning point for international security professionals, as they realized that “the North Koreans were actually really good at what they do… There is no other country out there that mixes capability and intent in such a dangerous way on a global scale.”


The risk to the US and how to mitigate it

The US and North Korea have a complicated shared history, and conflict between North and South Korea has been ongoing since Korea was divided in 1945. “South Korea has been enemy No. 1 for a long time, the U.S. has been enemy 1b,” says Rustici. “The US has always been an active player in the ‘cyber cold’,” says Velazquez, and it “continues to monitor activities from both well-known and suspected North Korean threat actors who are looking to target their infrastructure.” The three experts all agree that more attacks will come, with the most likely targets being financial institutions and cryptocurrency exchanges.

Rustici argues that the US is not structurally set up to mitigate cyber risk in the private sector: “Ultimately, the US government is set up to absorb a blow and then respond to it. That is not a risk mitigation strategy but rather an incident response and retaliation strategy.”

So, what can be done? Haszard describes a number of information sharing initiatives, including the United States Computer Emergency Readiness Team (US-CERT), which releases advisories that include indicators of compromise (IOCs) associated with North Korean cyber activity. Radware’s Herberger advocates for a “Digital Secret Service”, which he explains would work in a similar way to the existing US Secret Service but focused on cyber warfare: “As cyberattacks against political leaders, institutions, and others grow, this Digital Secret Service would stand guard against the hacktivists and others increasingly attacking the fidelity and trustworthiness of our democratic governments.”


The Trump-Kim summit

The US is currently juggling two major Asian conflicts -- a potential trade war with China and a possible real war with North Korea. Tipped to win President Trump the Nobel Peace Prize, the planned US-North Korea summit is now on again for tomorrow, 12th June, after a week of back-and-forth, will-they-won’t-they between Trump and Chairman Kim. Given the history between the two countries, even getting to this point is impressive, but while the focus now seems to be on North Korea’s nuclear weapons program, the country’s cyber program shouldn’t be ignored.

The full extent of North Korea’s cyber warfare program is unknown. However, a Recorded Future cyber threat analysis report reveals that “North Korea’s destabilizing, disruptive, and destructive cyber operations as well as its internet-enabled circumvention of international sanctions” have been aided by a failure to prevent American technology from reaching the country.

Looking back at previous attacks reveals a pattern, Velazquez explains -- the DPRK’s cyberattacks have always been linked to its nuclear tests. “After every nuclear test since 2009, there has been a very targeted cyberattack, many of which have been against South Korea’s infrastructure. These attacks, which have also been against US infrastructure, appear not only to be probing for weaknesses but also to establish a beachhead for future intrusions.” And security researchers have indicated that North Korean cyber operations have continued over recent months, despite the recent negotiations between the US and North Korea.

Experts agree that total denuclearization of North Korea is unlikely. But while the nuclear issue is generally better known, “the international community should not overlook North Korea's cyber forces when negotiating any possible concessions in future negotiations,” says Haszard.

After all, as Rustici notes, “Outside of the nuclear program, cyber is the crown jewel of the North Korean intelligence/military apparatus.”

Kate Hoy

Kate Hoy is Editor of IDG Connect