Assessing North Korea’s Cyber Evolution
Ali Crawford has an M.A. from the Patterson School of Diplomacy and International Commerce where she focused on diplomacy, intelligence, cyber policy, and cyber warfare. She tweets at @ali_craw. Divergent Options’ content does not contain information of an official nature nor does the content represent the official position of any government, any organization, or any group.
Title: Assessing North Korea’s Cyber Evolution
Date Originally Written: September 17, 2019.
Date Originally Published: November 25, 2019.
Author and / or Article Point of View: The author believes that the international community’s focus on addressing North Korea’s nuclear capability sets the conditions whereby their cyber capabilities can evolve unchecked.
Summary: Despite displaying a growing and capable cadre of cyber warriors, North Korean cyber prowess has been overshadowed by threats of nuclear proliferation. While North Korea remains extremely isolated from the global community, it has conducted increasingly sophisticated cyber attacks over a short span of time. In a relatively short period of time, North Korea has cultivated a cyber acumen worth recognizing as threatening as its nuclear program.
Text: As the internet quickly expanded across the globe and changed the nature of business and communication, Western nations capitalized on its capabilities. Authoritarian regimes felt threatened by the internet’s potential for damaging the regime’s power structure. In the 1990s, Kim Jong-il, father of current North Korean leader Kim Jong-un, restricted internet access, usage, and technology in his country. Eventually, Kim Jong-il’s attitude shifted after recognizing the potential benefits of the internet. The North likely received assistance from China and the Soviet Union to begin training a rudimentary cyber corps during the 80s and 90s. Cyber was and still is reserved explicitly for military or state leadership use.
The expansion of North Korea’s cyber program continued under Kim Jong-un, who today seeks to project military might by displays of a capable nuclear program. But Kim Jong-un, who possesses a degree in computer science, also understood the potential for cultivating cyber power. For North Korea, cyber is not just an asymmetrical medium of warfare, but also a method of surveillance, intelligence-gathering, and circumventing sanctions. Within the last decade, North Korea has demonstrated an impressive understanding and application of offensive cyber competence. Several experts and reports estimate North Korean cyber forces range from 1,800 to upwards of 6,000 professionals. Internet access is reportedly routed through China, which lends added difficulty to attribution but provides a measure of defense. North Korea is largely disconnected from the rest of the world and maintains a rudimentary internet infrastructure. The disconnect between the state and the internet leaves a significantly small and less vulnerable attack surface for other nations to exploit.
Little information is available regarding the internal structure of North Korea’s cyber forces. What is thought to be known suggests an organizational hierarchy that operates with some autonomy to achieve designated mission priorities. Bureau 121, No. 91 Office, and Lab 110 report to North Korea’s Reconnaissance General Bureau (RGB). Each reportedly operate internally and externally from Pyongyang. Bureau 121’s main activities include intelligence gathering and coordinating offensive cyber operations. Lab 110 engages in technical reconnaissance, such as network infiltration and malware implantation. No. 91 Office is believed to orchestrate hacking operations. Other offices situated under Bureau 121 or the RGB likely exist and are devoted entirely to information warfare and propaganda campaigns.
In the spring of 2013, a wave of cyber attacks struck South Korea. A new group called Dark Seoul emerged from North Korea armed with sophisticated code and procedures. South Korean banks and broadcasting companies were among the first institutions to endure the attacks beginning in March. In May, the South Korean financial sector was paralyzed by sophisticated malware. Later in June, marking the 63rd anniversary of the beginning of the Korean War, various South Korean government websites were taken offline by Distributed Denial of Service (DDoS) attacks. Although Dark Seoul had been working discreetly since 2009, its successful attacks against major South Korean institutions prompted security researchers to more seriously consider the North Koreans as perpetrators. The various attacks against financial institutions would be a prequel to the massive cyber financial heists the North would eventually manage, possibly making South Korea a testing ground for North Korea’s code and malware vehicles.
North Korea’s breach of Sony Pictures in 2014 catapulted the reclusive regime to international cyber infamy. Members of an organization calling themselves the Guardians of Peace stole nearly 40 gigabytes of sensitive data from Sony Pictures, uploaded damaging information online, and left behind a bizarre image of a red skeleton on employees’ desktop computers. This was the first major occurrence of a nation-state attacking a United States corporation in retribution for something seemingly innocuous. While the Sony hack was an example of how vague rules for conducting cyber war and crime differ between nations, the attack was more importantly North Korea’s first true display of cyber power. Sony executives felt compelled to respond and sought counsel from the U.S. government. The government was hesitant to let a private company respond to an attack led by the military apparatus of a foreign adversary. Instead, President Barack Obama publicly named North Korea as the perpetrator and vaguely hinted at a potential U.S. response, becoming the first U.S. president to do so.
Cyber crime also provides alternative financing for the regime’s agenda. In February 2016, employees at the Bank of Bangladesh were struggling to recover a large sum of money that had been transferred to accounts in the Philippines and Sri Lanka. The fraudulent transactions totaled $81 million USD. Using Bangladesh Bank employee credentials, the attackers targeted the bank’s SWIFT account. SWIFT is an international money transfer system used by financial institutions to transfer large sums of money. After-action analysis revealed the malware had been implanted a month prior and shared similarities with the malware used to infiltrate and exploit Sony in 2014. The Bangladesh Bank heist was intensively planned and researched, which lent credence to the North’s growing cyber acumen. As of 2019, North Korea has accumulated an estimated $2 billion USD exclusively from cyber crime. Security assessments indicate the Sony attack, the Bangladesh Bank hack, and the WannaCry attacks are related which lends some understanding to how North Korean cyber groups operate. In 2018, the United States filed criminal charges against a North Korean man for all three cyber crimes as part of a grander strategy for deterrence.
Finally, it is important to consider how North Korea’s cyber warfare tactics and strategies will evolve. North Korea has already proven to be a capable financial cyber crime actor, but how would its agencies perform in full-scale warfare? In terms of numbers, the North Korean military is one of the largest conventional forces in the world despite operating with rudimentary technology. Studies suggest that while the North may confidently rely on its nuclear program to win a conventional war, it is unlikely that North Korea would be able to sustain its forces in long-term war. North Korea would need to promptly engage in asymmetric warfare to disorient enemy forces to gain a technological advantage while continuously attempting to attack enemy systems to disrupt crucial communications. The regime could conduct several cyber operations against its adversaries, deny responsibility, then use the wrongful attribution as grounds for a kinetic response. North Korea has threatened military action in the past after being hit with additional sanctions.
Despite North Korea’s display of a growing and expansive cyber warfare infrastructure coupled with a sophisticated history of cyber attacks, the international community remains largely concerned with the regime’s often unpredictable approach to nuclear and missile testing. With the international community focused elsewhere, North Korea’s cyber program continues to grow unchecked. It remains to be seen if someday the international community will diplomatically engage North Korea regarding their cyber program with the same intensity as their nuclear program.
This article appeared originally at Divergent Options.
 David E. Sanger, The Perfect Weapon, Crown Publishing, 2018, p. 127
 The Perfect Weapon, p.127-128; and Eleanor Albert, Council on Foreign Relations: North Korea’s Military Capabilities, 25 July 2019, retrieved from https://www.cfr.org/backgrounder/north-koreas-military-capabilities
 David Sanger, David Kirkpatrick, Nicole Perloth, New York Times: The World Once Laughed at North Korean Cyberpower. No more, 15 October 2017, retrieved from https://www.nytimes.com/2017/10/15/world/asia/north-korea-hacking-cyber-sony.html
 Ibid; and 1st Lt. Scott J. Tosi, Military Review: North Korean Cyber Support to Combat Operations, July/August 2017, retrieved from https://www.armyupress.army.mil/Portals/7/military-review/Archives/English/MilitaryReview_20170831_TOSI_North_Korean_Cyber.pdf
 1st Lt. Scott J. Tosi
 David Sanger, David Kirkpatrick, Nicole Perloth
 1st Lt. Scott J. Tosi; and Kong Ji Young, Lim Jong In, and Kim Kyoung Gon, NATO CCDCOE:The All-Purpose Sword: North Korea’s Cyber Operations and Strategies, 2019, retrieved from https://ccdcoe.org/uploads/2019/06/Art_08_The-All-Purpose-Sword.pdf
 Symantec Security Response, Four Years of DarkSeoul Cyberattacks Against South Korea Continue on Anniversary of Korean War, 26 June 2013, retrieved from https://www.symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war; and Kong Ji Young, Lim Jong In, and Kim Kyoung Gon, NATO CCDCOE Publications, The All-Purpose Sword: North Korea’s Cyber Operations and Strategy, 2019, retrieved from https://ccdcoe.org/uploads/2019/06/Art_08_The-All-Purpose-Sword.pdf
 Kim Zetter, Wired: Sony Got Hacked Hard: What We Know and Don’t Know So Far, 3 December 2014, retrieved from https://www.wired.com/2014/12/sony-hack-what-we-know/
 Kim Zetter, Wired: That Insane, $81M Bangladesh Bank Heist? Here’s What We Know, 17 May 2016, retrieved from https://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-know/
 Michelle Nichols, Reuters: North Korea took $2 billion in cyberattacks to fund weapons program: U.N. report, 5 August 2019, retrieved from https://www.reuters.com/article/us-northkorea-cyber-un/north-korea-took-2-billion-in-cyberattacks-to-fund-weapons-program-u-n-report-idUSKCN1UV1ZX
 Christopher Bing and Sarah Lynch, Reuters: U.S. charges North Korean hacker in Sony, WannaCry cyberattacks, 6 September 2018, retrieved from https://www.reuters.com/article/us-cyber-northkorea-sony/u-s-charges-north-korean-hacker-in-sony-wannacry-cyberattacks-idUSKCN1LM20W
 Eleanor Albert, Council on Foreign Relations, What Are North Korea’s Military Capabilities?, 25 July 2019, retrieved from https://www.cfr.org/backgrounder/north-koreas-military-capabilities
 1st Lt. Scott J. Tosi, Military Review: North Korean Cyber Support to Combat Operations, July/August 2017, retrieved from https://www.armyupress.army.mil/Portals/7/military-review/Archives/English/MilitaryReview_20170831_TOSI_North_Korean_Cyber.pdf
 Jack Kim and Ju-min Park, Reuters:Cyber-attack on South Korea may not have come from China after all, 22 March 2013, retrieved from https://www.reuters.com/article/us-cyber-korea/cyber-attack-on-south-korea-may-not-have-come-from-china-after-all-regulator-idUSBRE92L07120130322