Parsing the North Korean Cyber Threat


To combat North Korea’s cyber activity, we must first understand it.


North Korea has dominated the headlines in recent weeks, as international tension climbs over the country’s nuclear aspirations and capabilities. In the cyber realm alone, it has been reported that the country’s hackers stole U.S.-South Korean military contingency plans, when South Korean officials mistakenly exposed their own internal military network by connecting it to the internet.

Other reports suggested that hackers affiliated with North Korea recently targeted a group of U.S. electric power companies, seemingly for the purpose of conducting “reconnaissance” on U.S. companies’ industrial control systems. No corner of the world appears immune. Irish reporting, for instance, asserts that “North Korean state-sponsored cyber gangs are launching almost daily attacks on Irish companies, banks and utilities.” The North Korean cyber threat clearly comes in a range of flavors, shapes, and sizes — and thwarting that threat requires parsing it.

Understanding the North Korean cyber threat also requires appreciating the primacy of regime survival and the “military-first” policy in that country. In the estimation of a senior CIA official: (1) Kim Jong-un “defines winning as staying in the game”; (2) at the same time, North Korea “exists to oppose the United States”; and (3) North Korea is between “bookends” — the fear of Chinese abandonment on the one hand and the fear of a U.S. strike on the other. (Full disclosure: the official made these comments at a conference that our University Center co-hosted in early October this year). In short, from the U.S. perspective, North Korea poses an increasingly urgent and complicated threat to the U.S. homeland, from the nuclear standpoint, to missiles, to proliferation, and cyber; and the list goes on.

North Korea’s cyber strategy and tactics must therefore be taken in broader context, as part and parcel of other geopolitical tools and goals (military, diplomatic, economic). Cybercrime, for example, is undoubtedly helping to fund North Korea’s nuclear and missile programs. Likewise, if North Korea does not have the requisite launch capacity for its missiles (be they nuclear-tipped or conventional), the country may turn to some combination of cyber plus other modalities of attack. Significantly, just last month North Korea publicly stated, for the first time, that they have developed a hydrogen bomb that can be detonated at high altitudes, thereby signaling “interest and ability” in an electromagnetic pulse (EMP) attack. The probability of first use at this time may be low, but the potential consequences for “lifeline” sectors (such as electricity, communications, transportation, fuel, and water) could be catastrophic.

Determining how to counter North Korea effectively is no easy feat. The country possesses hostile intent as well as substantial cyber capability. A 2015 report by South Korea’s Defense Ministry estimated that North Korea’s “cyber army” had an elite squad of 6,000 hackers at its disposal, many operating abroad, in northeast China and throughout Southeast Asia. At the same time, North Korea is not “wired” like most other nation-states, which limits its cyber-related vulnerabilities. And, to the extent that the country is connected to the internet (for military and intelligence purposes), efforts seem to have been made to protect and preserve that capability by opening a second connection, via Russia, to supplement the preexisting lone one, supplied by China. Interestingly, Russia does not appear to be averse to drawing ever closer to North Korea, even as pressure increases on China to pull back. Perhaps this is because Russia, on balance, has calculated that it has more to gain from a disruptive stance within the international system: one that goes against the grain of the vast majority of global opinion, which presently seeks to isolate and contain North Korea in response to its recent nuclear and other activity.

Turning back to the cyber component of the larger North Korean threat, it is itself multidimensional and may manifest in at least three ways: as a standalone cyber threat, as a component of a broader campaign that makes use of other means (for example military), or as an indicator of an attack that is yet to come. This last variation could come in the form of cyber-type intelligence preparation of the battlefield (IPB) or mapping of critical infrastructure. North Korea has already undertaken both disruptive and destructive activity in the cyber domain — that is, computer network attack (CNA). The country’s computer network exploitation (CNE, meaning espionage) efforts, moreover, are persistent, ongoing, and global, across a range of sectors and targets. The objective of CNE is to steal secrets: military, economic, and diplomatic. The flip side is that these efforts may provide an opening for U.S. intelligence, allowing American officials to identify indicators and provide warning of potential broader attack plans (orders of battle).

Computer network attack, in turn, may be executed on its own, as an exclusively cyber-specific mission, or it may be invoked and implemented together with kinetic operations. The hack of Sony Pictures Entertainment Inc. is a well-known example of North Korean CNA. But the country operates as aggressively within its region as it does farther abroad. 2017 has seen a significant increase in North Korean CNA (attempted and successful) directed against South Korea’s companies and government. In recent meetings, senior Japanese cybersecurity officials, too, have flagged a worrying rise in the volume and audacity of North Korean cyber activity. The country’s aggression level is also more likely to rise than fall, in light of recent news reports that the United States allegedly pursued cyber activities aimed at frustrating North Korea’s ballistic missile program.

External pressure — most recently in the form of sanctions imposed by the international community (including key trading partner China) following North Korean nuclear and missile testing — has spurred North Korea to double down on a third thread of cyber strategy: state-sponsored cybercrime, in order to raise revenue. North Korea is the prime suspect in the SWIFT hack, a string of bank heists throughout Asia that leveraged the global interbank financial telecommunications system. The country is also reported to have targeted “bitcoin and other virtual currencies” for theft, and is believed by many to have been behind the WannaCry ransomware that hit 150 countries.

The North Korean state is no stranger to turning to criminal activity. For instance, it has long practiced counterfeiting of a range of items — currency (“super-notes”), pharmaceuticals, and cigarettes, to name a few — to fill its coffers. In the latest variation on this theme, the regime uses criminal proxies with cyber skills. The former head of the United Kingdom’s Government Communications Headquarters (GCHQ) threw a red flag when he warned just days ago, “They’re after our money.” The message is clear: expect a further spike in North Korean state-sponsored and/or state-supported cybercrime. Turning from intentions to capabilities, there has also been chatter about Russian criminal support of North Korean cyber activities.

In the face of this multidimensional cyber threat, the Department of Homeland Security has worked hand in glove with the Federal Bureau of Investigation and the larger U.S. intelligence community to provide situational awareness — including the identity of attackers, and their tactics, techniques, and procedures (TTPs) — to private-sector critical infrastructure owners and operators. “Hidden Cobra” is a case in point. There, North Korea targeted critical U.S. infrastructure; DHS, together with partners like the Cyber Threat Intelligence Integration Center (CTIIC), provided stakeholders with granular and timely information and analysis.

Still, we need to do more, and we need to do better, since our adversaries are persistent and capable. Planning and exercising in earnest for a range of scenarios should top the agenda — including those whose impact would entail cascading effects due to interdependencies. Others, beyond the United States, could and should do more to contain and crack down on North Korea. But that does not absolve us of the responsibility to inoculate ourselves, insofar as possible, against a threat that continues to evolve and intensify seemingly daily.

Frank J. Cilluffo is Director of the George Washington University Center for Cyber and Homeland Security. He served as Special Assistant to the President for Homeland Security immediately after 9/11.

Sharon L. Cardash is Associate Director of the George Washington University Center for Cyber and Homeland Security. She previously served as Security Policy Advisor to Canada’s Minister of Foreign Affairs.