North Korea and Cybersecurity
President Trump and his administration have an ongoing diplomatic relationship with officials of the Government of North Korea, particularly its Supreme Leader and Chairman of the Workers’ Party of Korea, Kim Jong-un. The United States Secretary of State and other cabinet members assisted in those relations, making it possible for President Trump to meet with the Supreme Leader on two separate occasions over the last year (at summits in Singapore and Vietnam). Although these summits are an example of effective foreign policy on the part of the United States, North Korea has not completely given up its ability to refine nuclear material or to develop its nuclear ballistic missile program. Even though the United States and supporting nations such as South Korea possess various forms of intelligence on North Korea’s nuclear ambitions, Kim Jong-un has ordered the abandonment of some facilities used to develop nuclear ballistic missiles as a demonstration that his regime remains committed to the prospect of total denuclearization. The strongest evidence of this comes from satellite imagery of the border between North Korea and South Korea. The United States and South Korea collaborate in collecting geospatial intelligence on North Korea in order to increase the effectiveness of the intelligence and counterintelligence strategies each country implements with respect to North Korea’s nuclear capabilities. Although Kim Jong-un has pledged, in principle, to halt all activity at his former nuclear facilities, the reality is that he is directing various members of the government to develop and carry out efforts to raise funding in support of the nuclear weapons program.
On May 9, 2019, North Korea launched two short-range missiles even as its government continued its diplomatic relations with the United States. While the latest launch may signal that a solution is further away than the national media previously projected, the overwhelming consensus among countries gathering intelligence on North Korea is that its government has the ability to circumvent sanctions by conducting one of the most complex and sophisticated offensive cyber strategies in the world. The missile launch, together with new intelligence indicating the possible reuse of formerly abandoned nuclear facilities in North Korea, raises key questions about the country’s commitment to denuclearization, the prospect of future diplomatic summits with the United States, and whether it is preparing to launch a cyberwar in the near future. Cybersecurity professionals, as well as national and domestic policy experts, agree that the Government of North Korea’s offensive cyber strategy aims to use malware and ransomware to compromise computer networks around the world and direct stolen currency back to Pyongyang. This strategic operation funds the nuclear ballistic missile program and ultimately prepares the regime for cyberwarfare, should Kim Jong-un make it part of the government’s national security and foreign policy.
North Korea’s Cyber Strategy More Dangerous than Nuclear Capabilities?
While the prospect of North Korea possessing weapons of mass destruction could pose a significant threat to the national security of many countries, especially those that have restricted the regime’s access to capital through sanctions, the Government of North Korea does not currently possess the capability to launch, or to successfully defend itself in, a nuclear war with the majority of Western countries. Even though the intelligence suggests that Kim Jong-un is interested in North Korea becoming a significant nuclear power, at this point the country’s cyber capabilities far exceed its ability to establish itself as a nuclear state. North Korea relies on two prominent hacking organizations, APT38 and Lazarus, either to develop original malware aimed at financial institutions or to take existing open-source scripts and develop them further, producing malware that uses encryption to hide its outbound communication and its wiring of currency.
While North Korea’s short-range missiles, at their current stage of development, would pose little to no threat to the United States, its cyber program has a far greater ability to launch effective cyberattacks against individuals, governments, private-sector networks, and organizations responsible for managing critical infrastructure. Even though the United States possesses a larger nuclear arsenal than North Korea, America is far more vulnerable than the regime to cyberattacks and to the significant damage they could do to the country. The United States has many internet service providers (ISPs), and the internet is available to all citizens for personal, public, or professional use. This dependency on the internet and technology for business and communications creates a scenario in which hackers can find many types of vulnerabilities for their threat agents, simply because there are so many networks to compromise within the United States. North Korea, by contrast, works through a single ISP in collaboration with the government to provide internet access to a select number of citizens, typically government and military personnel; the few citizens granted access can reach only a few thousand websites, with everything else unreachable under government policy. Because the country has no private-sector ISPs and tightly restricts access, if the Government of North Korea decided to shut down the internet, effectively disconnecting its networks, other countries would find it difficult to use counterintelligence to launch a cyberattack against North Korea during a cyberwar.
Even though intelligence indicates that North Korea’s hackers have gained access to critical infrastructure such as the electric grid and transportation systems within the United States, the majority of the regime’s offensive cyber activity targets financial institutions in order to collect funding for its nuclear missile program. North Korea has successfully launched malware attacks that adversely affected both the public and private sectors in the United States, but it now focuses the majority of its hacking resources on the illicit wiring of currency to Pyongyang. The Government of North Korea has continued to conduct these cyberattacks despite negotiations on denuclearization with the United States.
While every country has its own policies and cybersecurity strategies, the lack of international regulations and peace treaties means there are virtually no preventive measures in place when a hacking group in one country wants to conduct a cyberattack on another. Because each country has a different level of dependency on the internet and computer networks, it may be difficult for the United Nations to establish international committees that can devise policies with a positive impact in all territories. A more realistic approach could be bilateral peace treaties in which two countries pledge never to launch cyberattacks against each other. The lack of international regulations and peace treaties allows North Korea’s hackers to conduct cyberattacks even while the regime is in denuclearization talks and sanctions discussions with other territories. This puts pressure on every country interested in developing a denuclearization strategy or sanctions with North Korea to include cybersecurity measures within treaties, in order to prevent the regime from continuing cyberattacks after it commits to stopping the production of ballistic missiles.
Types of Nuclear and Cyberattacks Conducted by North Korea
North Korea has displayed its nuclear and cyber capabilities for decades, showing the nation’s ability to develop advanced weapons and technical threat agents that many cybersecurity professionals find difficult to mitigate successfully. The current political climate and the military strategies of the Government of North Korea rarely involve deploying soldiers; the current regime seems less interested in putting boots on the ground than in funding its nuclear program through cyberattacks, emphasizing those that collect financial data or provide access to an organization’s bank accounts. Developing a nuclear program has been a strategic objective for the country since the 1950s, when government officials created the territory’s first nuclear research plant in Yongbyon. North Korea withdrew from the Nuclear Non-Proliferation Treaty in 2003 in order to invest its resources in developing nuclear power. As a result, North Korea conducted its first test of a nuclear weapon in 2006. The regime has conducted countless missile launches and cyberattacks since the early 2000s, which motivates the United States and other territories to establish diplomatic solutions that could prevent North Korea from advancing its nuclear arsenal and its cyber operations. Even though North Korea has the capability to launch a variety of cyberattacks, the regime uses its hacking organizations to target vulnerabilities in technologies used by individuals, companies, governments, militaries, and critical infrastructure through three methods: distributed denial of service (DDoS), malware, and ransomware.
North Korea has launched thousands of cyberattacks since the early 2000s; however, many analysts consider the following four to be the regime’s most prominent: the Fourth of July Incident (2009), the attack on Sony Pictures Entertainment (2014), the SWIFT network bank heist (2016), and the WannaCry ransomware attack (2017). These four are often cited as North Korea’s most effective offensive cyberattacks. The Fourth of July Incident targeted the United States during the celebration of Independence Day by launching several DDoS attacks on websites pertaining to government operations, financial data, and the national media. The attacks compromised networks at the Pentagon, the White House, and the New York Stock Exchange in the United States. North Korea also targeted South Korea’s Blue House, financial institutions, and media outlets.
Even though North Korea’s hacking organizations frequently target financial institutions, some of their cyberattacks also carry socio-political motivations. The targeting of Sony Pictures Entertainment was motivated by the company’s plan to release a comedic film depicting the assassination of North Korea’s Supreme Leader. In an attempt to prevent the release of the film, North Korea’s hackers used malware to gain access to employee data and emails and deleted many of the company’s confidential documents and spreadsheets. Through a forensic examination of the infected network, the United States assisted Sony through the mitigation process and gathered enough intelligence to conclude that the attacks were launched by hackers in Pyongyang. The Sony attack is one of the few recent examples of an offensive cyber operation by North Korea that did not have a financial motivation. However, the hackers’ ability to compromise the networks of a private company within the United States signifies the potential North Korea has to conduct cyberwar in any area it chooses. If hackers can gain access to the networks at Sony, they also have the potential to use their existing malware to attack government networks and the technical controls of critical infrastructure, such as supervisory control and data acquisition (SCADA) systems and programmable logic controllers (PLCs).
One of the most effective attacks by North Korea’s hackers occurred in early 2016, when they hacked into networks connected to the Society for Worldwide Interbank Financial Telecommunication (SWIFT). North Korea’s hackers used malware to steal SWIFT credentials and transferred $81 million from an account owned by the Bangladesh Bank to various accounts controlled by North Korea. The state actor launched the same type of attack on financial institutions in Vietnam and Ecuador.
North Korea’s most successful attack occurred in 2017, when the regime directed all of its hacking resources into a widespread attack on devices running the Windows operating system. North Korea’s hackers were responsible for spreading the WannaCry ransomware to more than 300,000 devices around the world. When the ransomware infected a device, it encrypted all of the existing files, blocking the user’s access to any of them, and instructed the user to make cryptocurrency payments or submit personal banking information to direct money to North Korea in exchange for the hackers potentially leaving the targeted network. The ransomware demanded payments of between $300 and $600 for each infected device. It exploited a vulnerability in the Windows operating system that allowed it to spread rapidly to hundreds of thousands of machines in over 150 countries. Microsoft, the developer and maintainer of the Windows operating system, prioritized the mitigation of the ransomware, effectively removing all of its capabilities in four days. However, North Korea was able to collect millions of dollars in the process, making WannaCry one of the most frequently examined case studies of offensive cyber operations and financially motivated cyberattacks. At this point in the history of hacking conducted by North Korea, the regime has proven its capability to carry out cyberattacks based on both political and economic motivations. After Microsoft mitigated WannaCry by sending out system updates that effectively erased the ransomware and prevented its resurgence, North Korea tried to relaunch the same ransomware in 2018 in connection with an e-mail phishing campaign; however, the threat agent was mitigated much sooner, and North Korea collected far less currency.
By the fall of 2018, WannaCry had become obsolete, as cybersecurity professionals around the world had gained enough intelligence about the ransomware that it would be extremely difficult to recreate the success of 2017. North Korea, which continuously devotes around 50% of its hacking resources to developing new versions of malware and ransomware at any given time, remains in the development process, attempting to discover new malicious code that can replicate or exceed the success of WannaCry.
North Korea’s Cyberattacks Affecting Cybersecurity Policies
Even though North Korea’s offensive cyber strategies impact hundreds of countries around the world, the cyberattacks have led to few policy changes in territories whose networks have been compromised by malware and ransomware. Because North Korea is able to affect networks within the United States with a variety of different attacks, Congress proposes solutions that could impact US cybersecurity, and the Executive Branch has implemented new policies. After the Sony attacks in 2014 and several nuclear tests conducted by North Korea between 2014 and 2016, President Barack Obama issued Executive Order 13722; the order restricts transactions with North Korea, labels the regime as not being in compliance with the applicable United Nations Security Council Resolution (UNSCR) due to its frequent testing of nuclear ballistic missiles, and declares North Korea’s cyber activity a national emergency, urging Congress and leaders in the private sector to develop new policies that can help the United States defend its networks from current and future attacks by the regime. Executive Order 13722 outlines specific strategies for offensive and defensive cybersecurity measures, placing the United States in compliance with its national laws and its foreign policy obligations to the United Nations. The order establishes provisions ensuring that North Korea cannot gain access to property within the United States, because of the probability that the regime would use such property to support hacking organizations and terrorist groups. The policy enforces additional sanctions on North Korea for its nuclear program’s violations of United Nations resolutions. The document discourages entrepreneurs in the United States from conducting any communication or business-related activity with organizations in North Korea or its government, and it discourages United States citizens and corporations from using North Korea as a destination for investment.
The document includes a variety of sanctions that declare a national emergency in circumstances where North Korea’s hackers gain access to critical infrastructure in the United States. Other sanctions aim to cut off North Korea’s access to vital resources such as metal, coal, and graphite. The Executive Order bans all direct or indirect trading with North Korean organizations. The only country with a trade agreement with North Korea is China, which frequently becomes part of the discussions on denuclearization and economic sanctions, with other countries encouraging China to put more pressure on North Korea by implementing new sanctions.
North Korea Attacks Critical Infrastructure
While the majority of current cyberattacks conducted by North Korea are financially motivated, the regime continues to launch attacks on critical infrastructure, most notably within the United States, which highlights its ability to spread malicious code during a cyberwar. Over the last few years, independent cybersecurity firms have released reports describing the types of attacks occurring on American critical infrastructure and the significant role cybersecurity plays in preventing or stopping the regime from gaining access to critical systems within the United States. A report released by McAfee, a firm that develops anti-virus software and collects data on cyberattacks, concludes that hackers in North Korea have targeted more than 80 businesses managing critical infrastructure in the United States, including the financial sector, energy, telecommunications, transportation, and defense systems used by the Federal Government. Even though the United States has been targeted most often by North Korea, the regime also frequently launches attacks on other territories, including the United Kingdom, Turkey, and Germany.
The McAfee report describes the communication taking place between the Government of North Korea and its two most prominent hacking organizations, APT38 and Lazarus. To conduct most of its cyberattacks, the Government of North Korea sends specific objectives to each hacking organization: typically one focuses on developing new malware and ransomware, while the other researches open-source code from viruses that worked previously and can be developed further into part of the regime’s offensive cyber strategy. In rare circumstances, the Government of North Korea gives both hacking organizations the same objectives in order to carry out a widespread attack on many networks in multiple locations. The sum total of these activities takes place in three areas within Pyongyang, giving the capital city a reputation as one of the most active cities in the world in terms of conducting cyberattacks. McAfee’s cyber intelligence suggests that many of the cyberattacks on networks at financial institutions are conducted by Lazarus.
The reporting firm asserts that the digital forensic evidence it has collected on North Korea’s cyber operations should be made available to law enforcement and government agencies on a regular basis, and it suggests that private companies should be willing to share this critical information in order to help authorities develop policies that support both public and private organizations with offensive and defensive cybersecurity measures. The firm currently makes details about common viruses available to its subscribing customers. The report indicates that most of North Korea’s current cyberattacks are financially motivated; however, it recommends that governments and corporations take all North Korean threat agents seriously, as some may be launched for other reasons and could be used to take down networks and systems. The report concludes with the territories most frequently targeted by North Korea’s hackers: cities in New York and Texas, oil and gas companies, financial institutions, Madrid, London, Rome, Tel Aviv, Bangkok, Taipei, South Korea, and Hong Kong. Russia and China, two countries with an open line of communication with North Korea, were not affected by the regime’s cyber operations.
Conclusion
Offensive cyber operations are considered the “third leg” of the Government of North Korea’s ability to defend itself from, or attack, other territories. The regime’s ability to conduct a variety of cyberattacks anywhere in the world makes its hacking organizations an essential component of the country’s military strategy. Since most members of the general public within North Korea possess little to no access to the internet, it is safe to assert that the overwhelming majority of computer networks in the country are used for the development and deployment of malicious threat agents that travel from the capital city to areas across all continents.
Numerous reports on North Korea’s cyber intelligence capabilities pinpoint the following three motivations as being connected to nearly all of its cyberattacks: financial resources, politics, and military strategy. Many of the versions of malware and ransomware deployed by North Korea have dual functionality: the ability to destroy networks and systems, or to wire currency to bank accounts in other territories and eventually send the stolen resources to Pyongyang. Even though some cyberattacks could have more than one motivation, over the last few years it has become far more common for North Korea’s cyberattacks to carry a financial motivation, as a means of collecting currency even though many industrialized countries have sanctions against the regime. Due to the lack of peace treaties and international regulations, North Korea can continue its attacks on financial institutions, redirect currency, and gain access to networks holding critical information without needing to be concerned about targets taking legal action against the regime. The development of new international policies and the adoption of peace treaties between nations are the most effective tools territories can use to prevent or dismantle the components of cyberattacks by North Korea and other state and non-state actors. To prepare for these types of attacks, it is important for cybersecurity professionals in both the public and private sectors to gather intelligence on North Korea, and on other actors able to conduct complex cyberattacks in a variety of ways, in order to develop offensive and defensive cybersecurity measures. Intelligence gathering has a direct impact on governments’ ability to carry out measures that promote the security of computer networks and systems, as well as critical infrastructure such as the financial sector and national defense operations.
Even in the absence of international laws and peace treaties, developing an open line of communication between territories can significantly reduce North Korea’s ability to launch the same types of cyberattacks in different countries simultaneously or within a short period of one another. The United Nations could develop a strategy in which participating countries share information regarding vulnerabilities within their networks and digital forensic information on threat agents, and discuss strategies for mitigating the types of malware and ransomware their cyber professionals examine to collect intelligence. The current environment will allow North Korea to continue its financially motivated attacks as a method of collecting currency despite the numerous sanctions restricting the regime’s access to capital. As North Korea continues to develop more effective versions of its malicious code and to gain unauthorized access to bank accounts at financial institutions, it appears that the regime will place less emphasis on the possibility of launching a cyberwar and will instead continue its financially motivated offensive cyber strategy, with little resistance from the international community due to the lack of regulations.