
Cyber actors: North Korea


by Lukas Joselewitsch

First Published in: Mar.04,2024

Mar.15, 2024

How cyber operations support the state system.

Key points:

- North Korean units are primarily concentrating on political and economic espionage and the procurement of foreign currency. Disruptive attacks are currently rather unlikely.
- The funds generated are primarily used for the political and economic stabilization of the state and the expansion of nuclear and conventional military capabilities.
- To date, around three to six billion US dollars (excluding unreported cases) have been gained through the use of cyber resources.
- The activities can be countered by detecting and publicizing North Korean procedures and by sensitizing potential target institutions.
- North Korean units act opportunistically and flexibly. The attacks are expected to continue despite countermeasures. At present, there is no significant threat to Germany.

In recent years, the Democratic People's Republic of Korea (DPRK) has increasingly instrumentalized cyber and information space to implement its state policy agenda, exploiting the entire spectrum of possible operational targets: sabotage and disruption, signaling, political espionage, economic espionage, foreign currency procurement and propaganda. According to Kim Jong-un, cyberattacks function alongside nuclear weapons as an "all-purpose sword" to achieve the regime's goals.

Goals and Impact

DPRK units have repeatedly launched disruptive attacks to sabotage and disrupt enemy systems in order to force political concessions from South Korea and the US, or as an instrument of political signaling, so far without success. Notable examples in this context were various operations against IT systems in South Korea, such as Operation Dark Seoul [1] and Ten Days of Rain, which led to widespread disruption in the country. No comparable activities have been observed since 2014; it can be assumed that offensive cyber activities had little effect as a means of coercive diplomacy. It can therefore be assumed that the DPRK will refrain from disruptive operations outside of a military scenario for the time being.

So far, political espionage has primarily been directed against South Korean civilian and public institutions as well as international organizations and foreign individuals. The aim of the operations is to obtain strategically and security policy-relevant information. In recent years, for example, officials of eleven UN Security Council member states were attacked in order to obtain information on sanctions resolutions. [3] International think tanks and journalists have also been compromised in order to obtain information on foreign assessments of the DPRK's situation. [2] These activities continue and are flexibly adapted to the regime's political interests. There is no reason to assume that North Korea will refrain from political espionage.

With regard to economically motivated espionage, the DPRK carries out operations to obtain information on economically relevant sectors. In the past, the main targets were international defense companies, with the aim of gaining technical information for the development of modern weapons systems, including nuclear weapons. [4] During the Covid-19 pandemic from 2020 to 2022, however, the state also attacked vaccine manufacturers abroad in order to enable self-sufficient vaccine production in the DPRK. Economic espionage follows the same calculus as political espionage and is geared towards the strategic goals of the state leadership. It is to be expected that the DPRK will carry out more attacks against satellite technology companies in the future in order to support its recent efforts to build space-based weapons and reconnaissance systems.

Financially motivated attacks to obtain foreign currency have been observed since around 2011. Initially, the actors primarily went after low-threshold targets such as gaming platforms. From 2015, however, both the quality and the quantity of the activities increased. The DPRK attracted international attention with complex attack campaigns against financial institutions: compromising banks' access to the international SWIFT payment system, ATM cash-out attacks, and the global WannaCry ransomware campaign. [5] The attacks against the financial sector generated approximately two billion US dollars, and the ransomware campaign led to the encryption of around 230,000 systems in 150 countries. In response, the DPRK's methods were exposed by internationally cooperating cyber security institutions and appropriate protective measures were made available. As a result, the attacks became significantly less lucrative and the DPRK had to realign its strategy. Since then, the attackers have increasingly focused on non-governmental cryptocurrency platforms, which continue to prove a profitable and preferred target. These platforms often have lower security standards than banks and attract less public attention when compromised. In these operations, the DPRK hackers gain access to the platforms' digital accounts and transfer the cryptocurrency to wallets under North Korean control. The funds are then laundered through various mechanisms and converted into fiat currency. Since 2015, the DPRK is estimated to have generated three to six billion US dollars in this way; the number of unreported cases is likely to be considerably higher. In 2020 alone, 1.7 billion US dollars are said to have been obtained through such attacks. Apart from the WannaCry infections, [6] no financially motivated attacks against German targets are known.

Motives

The DPRK does not have an official cyber doctrine that would provide insight into the strategic calculations of the state leadership. However, the regime's motives can be deduced from the political situation of the state, the specifics of cyberspace and the officially stated goals of the state. Pyongyang sees itself as existentially threatened by the US military presence in the region and the US alliance with South Korea. This is a key driver for disruptive attacks. In the event of a military conflict, cyber means can be used as an instrument of asymmetric warfare. In peacetime, the regime uses cyberspace to carry out attacks against other states without risking escalation with conventional weapons. This strategy of "a thousand pinpricks" serves to demonstrate power, generate urgently needed financial resources and legitimize the state leadership both domestically and abroad.

Due to economic insufficiency, international sanctions and a high demand for imported goods, the North Korean state depends on foreign currency to sustain its internal economy, finance luxury goods for the elite and further expand its nuclear and conventional armaments capabilities. The regime has been using clandestine and illegal methods to obtain foreign currency since 1970. Cyberattacks now appear to be the most lucrative instrument for counteracting the economic deficit. On the one hand, this can be attributed to the decline of conventional methods: counterfeiting, smuggling and the modern slavery of North Korean citizens abroad have been intensively combated by the international community. [7] On the other hand, a correlation can be seen between increased investment in the nuclear weapons program and the rising quantity and quality of cyber operations. Procurement in cyberspace is difficult to prevent because of the opacity and immateriality of the domain. Actors can operate undetected and largely unpunished and can plausibly deny accusations. Furthermore, the cost-benefit ratio is in the attackers' favor. Active countermeasures (such as hack-backs) against the DPRK are largely ineffective, as North Korea offers hardly any attack surface due to its low level of digitalization. The USA is suspected of having occasionally disrupted North Korea's attack infrastructure, but without any discernible lasting success.

For a theoretical understanding of the state's motivation, the Songun doctrine ("military first"), which has determined the regime's political actions since 2009, is essential. The doctrine prioritizes the nation's readiness to defend itself against perceived threats. State resources are primarily invested in the DPRK's defense apparatus, with the nuclear weapons program at its core. The basic idea behind the Songun doctrine is the interaction between a strong military and economic prosperity: a strong arms industry is supposed to generate sufficient financial resources through exports of military equipment while at the same time guaranteeing the territorial integrity of the state. The country's elites, which include the cyber units, are officially active primarily in the defense sector. It is therefore consistent with the doctrine that the majority of investments and industrial espionage operations serve to strengthen the military.

Organization

The organization of the North Korean cyber groups cannot be clearly determined because of various contradictory statements. It is known, however, that the cyber units are subordinate to the Korean People's Army, whose commander-in-chief is the "Supreme Leader" Kim Jong-un. The majority of the known actors are said to be based in Bureau 121 of the Reconnaissance General Bureau (RGB), the military intelligence service. The units assigned here include the Lazarus Group, BlueNoroff and Kimsuky. [8] It is also possible that parts of the cyber apparatus are subordinate to the Ministry of State Security. Of central importance alongside the RGB is Bureau 39, which is said to be responsible for the conventional generation of financial resources. Given the common objectives of these organizations, operational cooperation between them can be assumed.

Recently, a change in the organization and responsibilities of the actors has been observed. Whereas in the past the groups operated independently of one another, a merging of the units has been evident since 2022. Responsibilities and tools have been exchanged between the groups, which suggests a changed, division-of-labor based cooperation that is more efficient and saves resources. The training and further education of the units takes place both at universities in the DPRK and in China. [9] A key feature of the North Korean cyber organization is the strategic deployment abroad of operatives disguised as IT specialists. These actors operate from their respective locations, which makes attribution more difficult and reduces costs for the state.

Outlook

The North Korean regime will continue to pursue operations in cyberspace in order to achieve its state objectives, and will probably do so even more in the future. Financially motivated operations and espionage in particular have become an essential instrument of state policy. The underlying motives are also anchored in the DPRK's doctrinal system. The country's missile and nuclear program requires high levels of investment and technical information. At the same time, the state is increasingly under pressure because of its economic problems. It is therefore difficult to predict how the regime's volatile and impulsive policies will develop. As long as attacks on digital accounts, crypto marketplaces or digital financial flows continue to prove lucrative, there is no reason to assume that Pyongyang will abandon the procurement of foreign currency through targeted cyber operations.

Cooperation between DPRK units and political allies such as Russia, China or Iran has not been observed so far. Inter-state cooperation in cyberspace requires a high degree of coordination and operational integration, which is rather unlikely given the regime's current political interests. The DPRK's activities in cyberspace have not yet posed any particular threat to the Federal Republic of Germany. However, even a slight deterioration of the currently tense diplomatic relations between the DPRK, South Korea and the USA could have serious consequences for the global security situation.

In 2019, the United Nations already initiated corresponding steps, such as intensified sanctions, public naming and shaming and increased transnational cooperation, in order to curb the impact of the attacks and their political effects. [10] It is also plausible that fluctuating cryptocurrency prices or improved security measures on the platforms could reduce the attacks. The security authorities have so far concentrated on detecting and publishing North Korean TTPs (tactics, techniques and procedures). This approach, together with the wide dissemination of attacker-related information, has at times proven to be the most effective means of mitigating the attacks. However, given the great importance of these operations for state doctrine and finances, it can be assumed that the DPRK will adapt its methods and look for new ways. It is therefore currently important to monitor the actors' methods, strengthen the resilience of likely targets and, together with international partners, obstruct the procurement methods in the digital and physical space as far as possible. At present, DPRK actors are only of limited relevance to Germany. Few significant attacks against regional targets have been observed to date, and there is currently no indication of a future operational prioritization of Germany.

Notes:

[1] https://cyber-peace.org/cyberpeace-cyberwar/relevante-cybervorfalle/operation-troy-darkseoul/
[2] Cf. https://media.defense.gov/2023/Jun/01/2003234055/-1/-1/0/JOINT_CSA_DPRK_SOCIAL_ENGINEERING.PDF
[3] Cf. https://www.zdnet.com/article/north-korea-has-tried-to-hack-11-officials-of-the-un-security-council/
[4] One example is the attack against a Russian manufacturer of ballistic missiles.
[5] In 2017, a massive ransomware campaign known as WannaCry took place, in which systems were encrypted and decryption was offered only in return for a ransom of 300 US dollars.
[6] In 2017, the self-replicating ransomware infected parts of German IT infrastructure and caused noticeable damage. It can be assumed that the DPRK had lost control over the rapid spread of the malware and that the infections in Germany were spill-over effects.
[7] UN documents: S/2019/691; S/2022/668; S/RES/2397.
[8] Lazarus and BlueNoroff are said to be responsible for complex financially motivated operations, and Kimsuky for political and economic espionage. Lazarus has also been held responsible for various disruptive attacks.
[9] Universities in China include the Harbin Institute of Technology.
[10] UN documents: S/2019/691; S/2022/668; S/RES/2397.

ISBN 978-3-98574-215-8

© 2024 The Author(s). This is an Open Access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by-sa/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. The terms on which this article has been published allow the posting of the Accepted Manuscript in a repository by the author(s) or with their consent.

First published in :

KAF - Konrad Adenauer Foundation


Lukas Joselewitsch

Lukas Joselewitsch works in the OC 33 - National IT Situation Center, Analyses and Forecasts department at the Federal Office for Information Security (BSI) in Bonn. He studied International War Studies at the University of Potsdam and University College. His thematic focus is on security policy, diplomacy, geopolitics, military conflicts and information technology.
