April 18, 2017
A Primer on North Korean Targeted Digital Attacks

As tensions rise between North Korea and the United States, Secretary of Homeland Security John Kelly has stated that North Korea is currently a more probable cyber threat than a kinetic one. Given North Korea's inclination to use digital weapons over the past few years, this is not a controversial statement, but it should not be assumed that the matter is confined to governments. If past behavior is any indication, should North Korea opt for a digital response, the private sector, not the public sector, may be disproportionately targeted.
Abridged Summary of North Korean Digital Behavior

The Sony attack is perhaps the most well-known public attribution of a digital attack to North Korea, and more specifically to the hacking group Lazarus. In late 2014, a combination of targeted spear phishing (including scraping of social networks and the reuse of passwords, even those of accounts with low-level privileges) and technical vulnerabilities resulted in significant reputational as well as financial losses for Sony. For many, Sony served as an inflection point, manifesting the real-world and existential impact a digital attack can have on a corporation. A 2015 60 Minutes segment summarized this perceived inflection point triggered by the Sony attack, noting, "you don't have to be a superpower to inflict damage on U.S. corporations."

In addition to the Sony attack, North Korea has also been blamed for digital attacks targeting South Korean corporations, including media and financial institutions. South Korea has also blamed North Korea for an attack on the energy sector, including nuclear reactors run by the Korea Hydro and Nuclear Power Co, again often using large-scale phishing campaigns targeting thousands of employees to gain access. North Korea has also been accused of digital attacks targeting defense and high-tech companies in both South Korea and Japan.

More recently, North Korea has been linked to the 2016 digital attacks targeting the SWIFT payment system, which resulted in an $81 million heist from the Bangladesh Central Bank. Some of the code used in the Bangladesh heist appears to have been repurposed from the Sony attack. It is currently believed that the attackers gained access using stolen credentials, again demonstrating the credential-based and fileless attack vectors that are increasingly employed in place of malware exploits. Recently, several North Korean banks, which were already blacklisted under United Nations sanctions, have been banned from the SWIFT system as well.
Diversifying the Economy and Targets

Pyongyang continues to be impacted by international sanctions and the limitations of a centrally planned economy, forcing the government to diversify its tactics and revenue streams. Digital attacks are an efficient revenue stream and a means to achieve strategic objectives against larger powers. The group most frequently associated with high-profile North Korean attacks, Lazarus, is affiliated with North Korea's elite hacking unit, Bureau 121. Largely believed to be located in China, Bureau 121 is of uncertain size, but may comprise 1,800 specialists according to one defector, while others estimate the overall size of North Korea's hacking groups at closer to 6,800, with revenue of $860 million prior to the SWIFT heist.

They also have global reach. In addition to targeting the United States and South Korea, North Korea is also targeting institutions in eighteen other countries, largely in developing economies across the globe. However, while globally North Korea remains focused on the banking system, within the United States and South Korea the target set is much broader, spanning media companies, financial institutions, and critical infrastructure.
Geopolitical Spillover

State-sponsored and state-affiliated attacks are increasingly targeting the private sector and, thanks to both social and technical vulnerabilities, are likely to successfully compromise networks. While missiles and nuclear capabilities have understandably garnered the most attention in the rising tensions between the United States and North Korea, it would be myopic to overlook the potential impact of digital attacks.

Past behavior strongly indicates North Korea's propensity to employ digital weapons, given their asymmetric advantages and its growing expertise. Recent initial reports speculating that the North Korean missile test failed due to sabotage by the United States are only amplifying the situation. With the regime increasingly cornered by an existential threat, North Korea may well lean on past success and ratchet up targeted digital attacks against a range of corporations as tensions persist with the United States.