Understanding the Strengths and Vulnerabilities of North Korean Hackers


Pyongyang continues to defy miscalculated expectations regarding its cyber capabilities by successfully employing a series of sophisticated cyberattacks that target new and developing financial technology.


The international community often incorrectly correlates North Korea’s lack of access to modern computer hardware within its borders with inferior offensive cyber capabilities. As demonstrated in a new report released by the Center for a New American Security (CNAS), North Korea has rapidly expanded its illicit activity in the cyber domain under sustained economic pressure from decades of sanctions. Pyongyang will therefore likely continue to adapt its cybercrime operations to evade the full brunt of economic sanctions, as innovation in financial technology, such as cryptocurrency, continues to outpace its regulation. The report also outlined major flaws in North Korean cyber operations, as well as areas where the United States and its allies can expand coordination to counter North Korea-led, cyber-enabled financial crime.

Using data provided by the leading blockchain analysis firm TRM Labs, CNAS provides an in-depth analysis of Pyongyang’s demonstrated ability to exploit cryptocurrencies, investigating three separate case studies of North Korean hacks targeting cryptocurrency exchanges. Through analyzing these hacks, the report outlined key strengths and vulnerabilities in North Korea’s ability to steal, launder, and liquidate funds. A major takeaway from the study was that North Korean hackers demonstrated only moderate concern over eventual attribution of their crimes, meaning that the laundering of stolen funds was not executed as seamlessly as the initial hack. This signals that Pyongyang is aware of the lack of legal retribution for its illicit cyber activities and thus prefers speed over total obfuscation. For example, only one North Korean national has ever been extradited to the United States to face money laundering charges, and this was an extraordinarily rare case. Additionally, North Korean hackers have demonstrated steady improvements in the complexity of their hacks and laundering operations, including the use of cryptocurrency mixers and over-the-counter brokers to hide the origin of the stolen crypto and its connection to the initial hack.

The core reason North Korean hackers continue to outpace the cybersecurity strategies of the United States, South Korea, and other democratic nations is surprisingly simple. While Washington and other governments task their intelligence and defense agencies with a wide range of domestic and foreign security issues, Pyongyang gives its own agencies a much narrower mandate: support the Kim regime at all costs through information and economic espionage. As such, the report suggests that U.S. policymakers should invest more resources and research into analyzing the strengths and weaknesses of Pyongyang’s cyber capabilities. Since the potential gains from cyber intrusions targeting financial institutions and new financial technology significantly outweigh the potential punitive risks for North Korean hackers, Pyongyang will likely increase its illicit cyber operations.

In response, the CNAS report provided eight policy recommendations to strengthen cyber resilience against North Korean hackers, highlighting the respective roles of domestic and foreign policymakers and the private sector. One recommendation is for the executive branch to designate specific research on state-sponsored cybercrime groups within the new National Cryptocurrency Enforcement Team (NCET). The Department of Justice recently appointed a seasoned prosecutor, Eun Young Choi, to lead the new crypto unit, signaling government efforts to jumpstart research on cryptocurrency-related crime after four months of inactivity following the establishment of the NCET in October 2021.

Another recommendation calls for the Treasury Department to expand sanctions designations to any individual or entity supporting or facilitating North Korean cybercrime, including telecommunication companies that provide technical services, know-how, and equipment to North Korea that its hackers use to conduct malicious cyber operations. Major Russian and Chinese telecommunication companies have indirectly supported North Korean cybercrime by providing increased internet bandwidth and connectivity to North Korean operatives, and some reports indicate North Korean hackers have even operated inside China-based hotels. Notably, sanctioning telecommunication companies that help provide internet connectivity to Pyongyang will likely not affect the civilian population in North Korea. Unless given specific permission by the North Korean regime, accessing the internet is illegal, and ordinary North Koreans instead access the country’s intranet, known as the Kwangmyong. Lastly, the report also calls for both Washington and Seoul to include cryptocurrency-related illicit activity within the ongoing U.S.-ROK cyber working group discussed during the 2021 summit between President Joe Biden and President Moon Jae-in.

Pyongyang continues to defy miscalculated expectations regarding its cyber capabilities by successfully employing a series of sophisticated cyberattacks that target new and developing financial technology. As North Korea will likely continue to adapt its cybercrime tactics targeting cryptocurrency to circumvent obstacles presented by economic sanctions, the United States and its allies must increase joint efforts to counter this grave threat.