Recent missile launches from the DPRK have received a lot of attention, however their cyber offensives have also been active and are growing in sophistication.
North Korean cyber attack efforts involve around 6,000 military operatives, within the structure of the Reconnaissance General Bureau (RGB) – part of the military of which Kim Jong-un is supreme commander. Within the RGB, most cyber offensives are conducted by Unit 180, however other military sections also involved include Units 31, 32, 56, 110, 121, 204, and 1232.
Global internet access from North Korea is only available to government employees and the few foreigners in the country. Ordinary citizens have free access to a local online network called Kwangmyong, but require special permission to access the world wide web.
In order to provide plausible deniability for cyber attacks thus making attribution more difficult, and to utilise better foreign internet connections, North Korea send many of their trained cyber operatives outside the country. A group was sent to China and another to India to carry out covert cyber attacks. Recorded Future have identified internet traffic indicating North Korean links, from countries such as New Zealand, Malaysia, Nepal, Kenya, Mozambique, the Philippines, and Indonesia. This may be because traffic has been routed through these countries or it may indicate the existence of local Korean cyber offensive teams.
The Lazarus Group comprising North Korean operatives has been attributed in many recent cyber attacks. Some of the more notable recent North Korean cyber attacks include:
- Operation Flame in 2007, the “Ten Days of Rain” in 2011, and DarkSeoul in 2013. Malware used in these attacks indicates possible North Korean collusion with Iran.
- The 2014 Sony Pictures cyber attack utilising a version of Shamoon wiper malware, in response to the launch of the movie, The Interview. The malware destroyed data on 70% of Sony Pictures’ computers. Shamoon is the malware used by Iran in their attack against Saudi Aramco, indicating possible collusion between Iran and North Korea.
- A reported 2016 cyber attack on South Korean institutions in which North Korea stole the current US/South Korea operational war plan, including detailed plans to neutralise North Korean leadership in the event of conflict.
- A 2016 attempted theft of funds from Bangladesh Central Bank, through the US Federal Reserve Bank, in which $1b was nearly stolen using the Dridex malware. The attack was narrowly thwarted when bank authorities noticed a misspelling on the withdrawal request, however the attackers still managed to get away with $81m.
- The 2017 Wannacry ransomware attack which affected 300,000 computers, including crippling the UK’s NHS. This attack utilised the Eternal Blue tool initially developed by the NSA.
- The 2017 cyber attacks on YouBit, a South Korean bitcoin exchange. YouBit filed for bankruptcy after 17% of it’s crypto coins were stolen in the attack.
- Cryptojacking attacks carried out in 2017 and 2018.
While North Korean cyber attacks were initially aimed at creating disruption (such as those directed against South Korea and Sony), recently, as international sanctions against North Korea take their toll, cyber attacks are used to steal valuable foreign cash (through bank attacks, ransomware attacks and cryptojacking).
In summary, it is clear that North Korea has invested significant resources and view cyber as a key area where they can achieve their objectives of disruption and fund raising. As North Korea is very much a closed society with restricted internet access, they are only likely to be successful against poorly-defended systems. Their closed society is unlikely to produce the skills and creativity required to discover and develop many zero-day exploits. However, their technical sophistication of cyber attacks is growing, as they co-operate with and learn from countries such as Iran, and as many operatives now reside in countries such as China and India. Restricted internet access provides the DPRK with cyber asymmetry – they are able to carry out attacks against rival nations, yet there is very little local online infrastructure for rivals to counterattack. North Korea probably also recognise that the West is reluctant to escalate a cyber attack with physical military reprisal, although there is currently a draft US review which includes significant cyber attack as an “extreme circumstance” for which a nuclear response may be appropriate.
The North Korean nuclear missile programme has been targeted and will surely continue to be targeted by US and South Korean cyber offensives, perhaps also involving input from other nations such as the UK. We know details of the success of the US/Israel cyber offensive which setback Iran’s nuclear programme with Stuxnet. Who knows whether sleeper malware is already in position in the DPRK, ready to activate. If at some point in the future North Korea launch a nuclear-armed missile and it either detonates on the launchpad or turns around in mid-flight and returns to the launch site, then we will know why.