At a recent threat intelligence conference, a briefer asked the audience to briefly describe the Democratic People’s Republic of Korea (DPRK)’s cyber program. I heard the words “dangerously erratic”, “developing”, “destructive”, “aggressive”, and my personal favorite, “hilariously terrifying.” As a cyber threat intelligence (CTI) analyst, the DPRK has always been on my radar as an adversary, but I must admit that there was a time that I would dismiss it as a lower-tier threat. Sure, they are part of the 4+1 model, but I always considered them the least dangerous and pervasive threat of the group. Well, time to eat those words.
The DPRK is occasionally covered in the media as a backwards country run by an unstable leader, rich material to be mined for jokes, Internet memes, and major motion pictures. The more accurate picture is a much darker, more desperate portrayal of life under the authoritarian regime of Kim Jong-un. This blog will not go into the political environment within the DPRK, but it is important to know that the will of Pyongyang (i.e. Kim Jong-un) absolutely drives cyber operations.
So how good is the DPRK at conducting cyber operations? In the last few years, CTI analysts like me have seen more and more reason to worry: “Crap, these guys are getting better every day” is a common refrain. Though active since 2009, DPRK cyber operators, commonly identified as the Lazarus Group, once primarily targeted regional adversaries in South Korea and Japan.[i] Open source reporting indicates that since its inception in 2009 and up to 2014, the Lazarus Group successfully compromised upwards of 30,000 assets within the banking and broadcasting sectors in South Korea.[ii]
The Lazarus Group began making their mark in the U.S. in 2014 when they successfully compromised Sony Pictures Entertainment and deployed destructive malware that resulted in nearly $35 million in damages.[iii] As a CTI analyst, I was aware of the DPRK’s cyber capabilities and motivations, and I was still caught flat-footed when DPRK actors launched such a publicly destructive attack against the U.S. (Personal note: Don’t get me started on the response from the U.S. on this. It’s one of my triggers.)
After the DPRK was hit with additional international sanctions that severely impacted the North Korean economy and threatened the image of Kim Jong-un, the Lazarus Group was linked to a series of cyber attacks targeting the SWIFT banking network in 2015 and 2016.[iv] The DPRK cyber actors successfully exploited vulnerabilities in the systems of member banks that allowed the operators to gain control of the banks’ SWIFT credentials, which were then used to make fraudulent requests for funds to accounts owned by the attackers. This cyber operation resulted in more than $100 million in stolen funds.[v]
In my opinion, these operations represented a turning point in DPRK cyber operations. Previously, the DPRK cyber mission was dedicated to regime stability and politically motivated attacks.[vi] In the case of Sony, it was retaliation for a comedic film regarding the assassination of Kim Jong-un.[vii] Based on available evidence, during this time the DPRK began to launch cyber operations with the sole mission of generating or stealing currency in order to provide revenue for the government and circumvent international sanctions.[viii]
As a result, DPRK cyber actors began heavily targeting financial institutions and banking organizations all over the world. In 2016, Kaspersky Labs announced that the Lazarus Group successfully compromised the Bangladesh Central Bank and stole approximately $81 million via a cyber operation.[ix] This heist was one of a string of financially motivated attacks at the time, in which DPRK cyber operators targeted banks, financial and trading companies, casinos and digital currency businesses in at least 18 countries.
Moving forward, in 2017 the ransomware WannaCry successfully compromised nearly 300,000 targets worldwide and resulted in nearly $140,000 in bitcoin paid before the accounts associated with the attack were emptied in August of that same year.[x] From a CTI perspective, there is quite a bit of speculation as to the means, motivation, and execution of this operation and, even now, there are significant intelligence gaps. Some researchers argue that the reason WannaCry spread so broadly was an error in its execution and that the operators never intended the operation to reach such scope.[xi] Others postulate that the use of ransomware was just a bonus and that the true intent of the operation was to cause global havoc.[xii] Personally, I believe what I see in this case: a country relying on cyber operations as a source of revenue launched a global campaign in the hopes of generating anonymous currency in order to circumvent international sanctions.
In the same year, the DPRK turned its sights on cryptocurrency exchanges, especially those situated in South Asia. According to a report from the United Nations, the DPRK launched at least five successful cyber operations against these exchanges between early 2017 and late 2018 that resulted in a loss of more than $570 million in cryptocurrency.[xiii] These types of operations are a direct result of the international sanctions imposed on the country, and these illicit funds are likely being used to continue funding the country’s nuclear and missile programs.[xiv]
In early 2019, a highly publicized summit between U.S. President Donald Trump and Kim Jong-un collapsed due to disagreements regarding international sanctions.[xv] As sanctions have historically driven DPRK cyber operations, the DPRK will likely conduct further “fundraising” cyber attacks. There has been an increase in cyber attacks targeting the cryptocurrency sector, likely in an attempt to exploit vulnerable systems, hijack them, and steal anonymous currency. The U.N. released a report that outlined likely DPRK cyber actors successfully compromising an Indian bank in order to dispense $13.5 million in 14,000 simultaneous ATM transactions in 28 countries.[xvi] South Korean media reported an increase in ransomware attempts targeting South Korean government and financial organizations that appear to originate from the DPRK.[xvii] Security researchers have published assessments that indicate growing targeting of U.S. defense contractors and South Asian organizations with a new strain of malware known as HOPLIGHT, a powerful backdoor trojan.[xviii] To illustrate the pervasiveness of the DPRK’s ongoing campaigns, the Department of Homeland Security has already released 16 malicious software reports this year.[xix]
In summation, I think it is safe to say that the DPRK has recognized the value in deploying cyber operators to execute missions that generate revenue for the nation. As these operations are likely a response to the international sanctions, it is highly unlikely that DPRK cyber actors will cease these types of missions while the sanctions still stand. As U.S. and DPRK political relations remain in flux, I imagine that the DPRK’s favorite fundraisers will be busier than ever.