June 6, 2018
Editor's Note: This post is a product of the work of the C2B team's Asan Academy Fellow, Leekyung Ko. The timeline is built on open-source research and does not represent an exhaustive chronology of events. Our hope is that it provides researchers and other interested parties with an interactive means to observe patterns in North Korean cyber activity. If you feel we are missing important events, please email the event, along with a publicly available source for the event, to firstname.lastname@example.org.
Mapping North Korea's Geopolitical and Cyber Incidents
United Nations Security Council Resolution 825 was adopted, which urged North Korea to reconsider its declaration of intent to withdraw from the Non-Proliferation Treaty (NPT).
Kim Il-sung reportedly died on July 8, 1994. Kim Jong-il declared a nationwide mourning period and that the leadership succession had taken place.
North Korea and the United States signed an Agreed Framework. North Korea promised to freeze its nuclear program in exchange for heavy fuel oil and two light-water nuclear reactors.
Inter-Korean summit in Pyongyang between South Korean President Kim Dae-jung and North Korean Chairman Kim Jong-il. The event seemed to be a sign of reconciliation. Border liaison offices reopened and family reunion events were held following the event.
U.S. President George W. Bush labelled North Korea, Iraq, and Iran the "Axis of Evil", denouncing the countries for alleged activities supporting terrorism and developing weapons of mass destruction (WMDs).
North and South Korean naval vessels engaged in a gun battle near Yeonpyeong Island in the Yellow Sea. Around 30 North Korean and 6 South Korean sailors were killed in the battle.
United Nations Security Council Resolution 1695 condemned North Korea for two Taepodong launches on July 4, 2006. The resolution called on North Korea to return to the six-party talks and prohibited UN member states from selling missile-related technology and materials to North Korea.
Resolution 1718 condemned North Korea's first nuclear test and imposed sanctions. Heavy weaponry, missile-related technology, and luxury goods were among the list of sanctioned products.
The second inter-Korean summit was held in Pyongyang between South Korean President Roh Moo-hyun and North Korean Supreme Leader Kim Jong-il. They agreed on a declaration of peace and prosperity as well as the development of inter-Korean relations.
North Korea scrapped all military and political deals with South Korea. Tension escalated after the announcement.
The United Nations Security Council imposed strengthened sanctions against North Korea after its second nuclear test on May 25, 2009. The resolution authorized the inspection of North Korean cargo, extended an arms embargo, and urged member states to cease financial assistance to North Korea, except for humanitarian causes.
A series of DDoS attacks affected about 35 governmental and commercial websites in the Republic of Korea (ROK) and the U.S. The attack is widely suspected to have been conducted by North Korea.
After former U.S. President Bill Clinton's facilitation, two American journalists were released from North Korea. North Korea also sent a delegation to the funeral of South Korea's former President Kim Dae-jung. There was a mood of reconciliation.
The Cheonan, a South Korean warship, sank. After South Korea-led international investigations, the cause of the sinking was attributed to a North Korean torpedo attack. 46 South Korean sailors lost their lives in the sinking. Tensions spiked on the Korean Peninsula.
North Korean military fired around 170 artillery shells at Yeonpyeong Island, causing widespread damage and casualties. Four South Koreans were killed, including two marines and two civilians, and 19 were injured. The island is along the disputed maritime border of North and South Korea. The incident closely followed an artillery exercise in South Korea.
A DDoS attack targeted websites related to the South Korean government and U.S. military forces in South Korea. The attack is attributed to the Lazarus Group, a hacking group known to be supported by the North Korean state.
A DDoS attack hit the Nonghyup agricultural bank. Customers were unable to access their accounts or use online services.
The North Korean state television news agency reported the death of Kim Jong-il. He reportedly died on December 17 of a heart attack during a train trip.
Kim Jong-un gradually assumed the tasks of national leader after his father's death. His official inauguration, which elevated him to supreme leader of both the military and the Worker's Party, took place.
Resolution 2087 denounced North Korea's rocket launch on December 12, 2012 and its proliferation activities.
Resolution 2094 imposed harsher sanctions in response to North Korea's third nuclear test on February 12, 2013. The resolution mandated that UN member states freeze or block financial transactions with North Korea.
The computer networks of the two largest South Korean broadcasters were compromised and three major banks became unresponsive in the Dark Seoul incident. The networks were blocked and infected with viruses. It was later revealed that Dark Seoul was part of a persistent espionage campaign dubbed Operation Troy, which dates back to 2009.
A cyber espionage campaign by the hacking group Kimsuky targeted the South Korean Ministry of Unification, the Sejong Institute, and the Korea Institute for Defense Analyses.
Jang Song-thaek, a leading figure in the North Korean government and Kim Jong-un's uncle, was publicly accused of treachery, stripped of all his posts, and executed. He was regarded as having held de facto leadership during the period of Kim Jong-il's illness and had differed with Kim Jong-un over the nation's economic management. The incident is considered the biggest shake-up in the North Korean regime and functioned as a deterrent to potential opposition groups.
Threat actors compromised networks associated with Seoul's subway system and affected servers of major subway lines for months (from March to August in 2014). South Korea's National Intelligence Service attributed the hack to North Korea.
Threat actors compromised the networks of Sony Pictures Entertainment, destroyed data, and publicly released employee emails. The hack is believed to have been an effort to prevent the release of "The Interview"—a film about an assassination plot against North Korean leader Kim Jong-Un. It was the first cyber incident to be officially condemned by a U.S. president.
South Korea's nuclear power plant operator was hacked. Personal data of workers, electricity flow information, reactor designs, and manuals were exposed. The South Korean government blamed North Korea for the cyber attack.
Resolution 2270 condemned North Korea's fourth nuclear test on January 6, 2016 and its launch of a long-range missile on February 7, 2016. The scope of previous sanctions was extended. Significantly, China was involved in the process of crafting the sanctions. The ban on supplying aviation fuel to North Korea was included in the document.
Over 200GB of data from the Defense Ministry networks were exfiltrated, including internal documents and U.S.-South Korea military plans in case of war with North Korea. The campaign was traced back to at least August 2016, and the South Korean Defense Ministry acknowledged the attack in December 2016.
The UNSC strengthened sanctions with the adoption of Resolution 2321, condemning North Korea's fifth nuclear test. The resolution placed a limit on North Korea's main mineral exports and urged member states to close representative offices. It further added specific individuals to the travel ban and certain items to the financial freeze.
Hackers targeted the worldwide financial transfer mechanism SWIFT (Society for Worldwide Interbank Financial Telecommunication) to steal funds. It is the first known instance of a state-supported actor hacking for financial gain. The perpetrators used stolen credentials to authorize fund transfers and succeeded in stealing $81 million from Bangladesh Bank accounts.
The impeachment vote on former South Korean President Park Geun-hye took place in the National Assembly and passed with a majority in favor. The impeachment was upheld by a unanimous decision of the Constitutional Court of Korea the following year.
Kim Jong-nam was attacked with a lethal chemical at an airport in Malaysia and died. He was the eldest son of Kim Jong-il and was regarded as a potential rival to his brother for succession. Kim Jong-nam had criticized his family's dynastic rule in North Korea and was living in exile in Macau.
In April 2017, there were incessant hacking attempts targeting multiple cryptocurrency exchange firms in South Korea for the purpose of stealing money. Customer information was breached and a cryptocurrency firm shut down due to the heist.
Moon Jae-in was elected as the president of South Korea following the impeachment of the former president.
WannaCry ransomware encrypted data and demanded a ransom for the decryption key. It used the EternalBlue exploit to propagate within organizations running the Windows operating system. More than 200,000 computers in around 150 countries were affected. The United States, Australia, Canada, Japan, and the United Kingdom denounced North Korea for the attack.
Resolution 2356 extended the number and scope of sanctions against North Korea, condemning North Korea's ballistic missile and nuclear weapon-related activities.
North Korea tested intercontinental ballistic missiles (ICBMs) in July 2017, among 14 missile tests in the same year. In response, a new UNSC resolution tightened economic sanctions against North Korea for the sixth time. A comprehensive ban on its mineral and seafood exports was imposed, leading to a significant loss of revenue. The resolution further expanded financial sanctions and foreign asset freezes.
U.S. President Donald Trump said he would respond with "fire and fury" if North Korea made any more threats. Hours later, the North Korean government responded by mentioning a possible strike on the U.S. base at Guam.
In response to North Korea's sixth nuclear test on September 3, 2017, Resolution 2375 was adopted. The resolution placed sanctions on oil for the first time, setting a strict quota for oil supply. It also fully banned North Korea from purchasing natural gas and some textiles.
Trump called Kim "Rocket Man" in a tweet. (September 17, 2017)
Kim accused Trump of "mentally deranged behavior" (September 22, 2017), and Trump responded by describing Kim as "obviously a mad man." Trump also used the phrases "short and fat", "sick puppy", and "little rocket man" in his tweets (November 2017).
North Korea stole $60 million from Taiwan's Far Eastern International Bank, making use of the SWIFT network.
A FireEye report revealed that North Korea attempted phishing attacks against electric companies. Although power delivery was not impacted, the incident heightened the concern with regard to North Korea's interest in attacking critical infrastructure.
Resolution 2397 was adopted condemning North Korea's ballistic missile launch on November 28, 2017. It set further limits on refined petroleum imports and on metal, agricultural, and labor exports.
North Korea participated in the 2018 Pyeongchang Olympics held in South Korea and suggested summits. North Korea agreed to stop missile tests and provocations during the period of summits.
FireEye researchers named the North Korean cyber espionage group APT37 (also called ScarCruft, Group123 and Reaper). It is known for utilizing zero-day vulnerabilities and social engineering techniques in pursuit of North Korean government interests. Targets include firms in the chemical, military, electronics, aerospace, and healthcare sectors in Japan, Vietnam, and the Middle East. The South Korean government was also among the main targets. Activities of APT37 date back to at least May 2017.
The 2018 Inter-Korean Summit was held at the Inter-Korean Peace House in the Joint Security Area (April 27, 2018). South Korean President Moon Jae-in and North Korean Chairman and Supreme Leader Kim Jong-un attended the meeting. The Panmunjom Declaration was announced after the summit. A follow-on summit between the United States and North Korea was set to be held in June but was cancelled by President Trump (May 24, 2018). A surprise fourth summit between the North and South Korean leaders took place on May 26, 2018. The outcome of these developments remains uncertain.
Background and Motivation
North Korea (DPRK) has a long history of triggering international responses through displays of national power. These provocations most often fall short of actual armed conflict, and North Korea has sought to instead develop asymmetric tools, as evidenced by its nuclear program and, more recently, the development of offensive cyber capabilities.
North Korea's asymmetric capability dates back to the early 1960s, when North Korea established its first nuclear research center in Yongbyon and started building the capacity to develop its own nuclear program. In 2003, North Korea declared its withdrawal from the Nuclear Non-Proliferation Treaty (NPT), announcing “its total freedom from the binding force of the safeguards accord with the International Atomic Energy Agency (IAEA)”, and stating that it had “no intention to produce nuclear weapons and our nuclear activities [...are] confined only to peaceful purposes.” However, evidence of nuclear processing activities was detected a few months later, and its first nuclear weapons test in 2006 proved that North Korea was pursuing a nuclear weapons program. Today, North Korea seems to have achieved its goal—at least partly—and is using the threat of nuclear weapons to generate instability in Southeast Asia and beyond, explicitly targeting the U.S.
In addition to its unpredictable nuclear and missile provocations, North Korea’s offensive cyber operations of recent years are increasingly viewed as a source of regional, if not global, instability. Since the early 2000s, offensive cyber capabilities have been added to North Korea's toolkit. The Pyongyang regime has frequently conducted distributed denial of service (DDoS) attacks against South Korea, blocking the websites of governmental and financial institutions. The Fourth of July Incident, a DDoS attack against U.S. and South Korean websites in 2009, was one of the most significant attacks of that type attributed to North Korea. Similarly, the hack on Sony Pictures Entertainment in 2014, the SWIFT heists in 2015, and the WannaCry ransomware attack in 2017 were high-profile cases that demonstrated the malicious intent and increasing sophistication of North Korea’s offensive cyber capacity.
In order to understand today’s broader security environment, understanding cyber operations is vital. This is especially true of North Korea, which has accumulated offensive cyber capacity and established a willingness to use that capability in pursuit of national aims. In an attempt to build greater understanding of how North Korea has utilized offensive cyber capability in connection with broader geopolitical events, the timeline above shows a series of events falling into four categories: (1) North Korea’s nuclear and missile-related events, (2) United Nations resolutions that directly or indirectly relate to the North Korean nuclear program, (3) high-profile political events, both domestic and in North Korea's relationships with the U.S. and South Korea, and (4) cyber incidents. The compilation of events in the timeline relies entirely on open-source documentation and may be incomplete.
Cyber activity is a critical part of North Korea’s national strategy, and some cyber events appear to relate to geopolitical events shown in the timeline. However, it is important to note that the timeline does not show a clearly defined correlation between geopolitical events and cyber offenses. Instead, we can observe two trends. First, North Korea has consistently utilized its cyber capability as a way of demonstrating power while incurring less risk of direct retaliation. Second, the recent spike in financially motivated operations suggests that North Korea is increasingly using cyber means for dual purposes: to both exercise political power and raise money to support the regime. A more complete and vivid understanding of the North Korean threat requires an inspection of its cyber capability and its integration as an instrument of national power alongside nuclear and ballistic threats. Currently, North Korea is effectively exploiting a combination of cyber and non-cyber means, maximizing its provocative effect.
As one of the tools in its international strategy, North Korea has developed its nuclear weapons to assure the survival of the regime. North Korean international relations are characterized by nuclear-related events, which are, for the most part, attempts to project power and provoke instability.
Four cyber events are particularly noteworthy and are the ones most widely covered in media. The following is a possible understanding of each event’s background:
Fourth of July Incident (July 2009): Reported to target the U.S. Independence Day celebration. A series of DDoS attacks on governmental, financial, and media websites seemed to bolster propaganda and demonstrate North Korea’s offensive cyber capabilities. The White House, the Pentagon, and the New York Stock Exchange were among those affected in the U.S. In South Korea, the Blue House, several banks, and news agencies experienced similar problems.
Compromise of Sony Pictures Entertainment (December 2014): Targeted cyber attacks against a private company that was planning to release a comedy film about an assassination plot against the North Korean leader. The hacking group released employee information, confidential emails, and wiped the company’s data. The attack featured warning and retaliatory characteristics, and it was the first cyber incident to be officially denounced by a US president.
SWIFT Network Bank Heist (February 2016): A hacker group exploited stolen credentials for access to SWIFT—a worldwide network for transactions between financial institutions—to transfer funds to controlled bank accounts. $81 million was stolen from Bangladesh Bank, and similar heists on banks in Vietnam and Ecuador were attributed to the same group related to North Korea. It was the first known instance in which a state-sponsored actor compromised networks for the purposes of financial gain.
WannaCry Ransomware Attack (May 2017): The ransomware encrypted data and demanded cryptocurrency payments. Exploiting a Windows vulnerability that allowed it to self-propagate, the cryptoworm hit over 200,000 individuals in over 150 countries. The hacker group raised around $140,000 in bitcoin as ransom. Although the offender seems to have made some revenue through the attack, it is generally assumed that the attack was more political than financially driven, given the relatively small amount earned. The incident shows an emerging feature of North Korean cyber operations that integrates both political and financial objectives. Money-seeking behavior has emerged as a trend in North Korean cyber operations, especially when seen beside recent North Korean attacks on the South Korean cryptocurrency markets.
1. Why does North Korea integrate cyber into their broader geopolitical strategy?
- Cyber operations are relatively low cost with high effectiveness when compared to the procurement and maintenance of conventional military capabilities.
- The limited reliance on the Internet in North Korea serves to diminish vulnerability to and potential consequences of external cyber attacks, whereas the relatively high network dependency of the U.S. and South Korea creates weak points that can be targeted by cyber offenders.
- The military deadlock on the Korean Peninsula also encourages North Korean development of cyber offensive capabilities as a means to exercise national power with relatively low risk of escalation. Cyber operations are marked by characteristic evasion of attribution and bring a relatively low risk of retaliation. North Korean cyber operations can be assessed as “a cost-effective, asymmetric, deniable tool... with little risk of reprisal attacks.”
2. To what extent does the timeline suggest North Korea uses cyber means to respond to broader geopolitical events?
- No clear causal link can be drawn from our data.
- However, it is worth noting that North Korea regards its cyber operations as one tool in a suite of effective instruments of national power and has every intention to utilize them further. In the Sony Pictures Entertainment hack (2014), North Korea used cyber means against a commercial entity to preempt the firm’s provocative film release.
- North Korea deems cyber capability a useful means of protecting the legitimacy of its regime, along with nuclear weapons and missile technology. Its previous cyber operations include Distributed Denial of Service (DDoS) attacks, data breaches, currency theft and espionage.
3. Does the timeline suggest a relationship between sanctions and North Korean offensive cyber activity? Do more stringent sanctions lead to an increase in North Korean offensive cyber activity?
- An increase in fund-seeking cyber operations is observed in recent cyber offensive activities attributed to North Korea, such as the 2016 SWIFT case and cyber attacks against South Korean cryptocurrency exchanges.
- There was no clear decrease in other cyber operations, suggesting that North Korea is investing more in developing its cyber capabilities overall while making money through ransomware and online bank theft.
- The temporal proximity of the proposal for stricter economic sanctions and an increase in North Korea’s fund-seeking cyber operations suggests a connection between the two. That is to say, financial desperation may cause North Korea to make increased use of cyber activities to raise funds.
4. What does the timeline say about the impact the change of leadership from Kim Jong-Il to Kim Jong-Un had on North Korean cyber activity?
- In 2009, Kim Jong-Il pursued a relatively drastic reorganization of North Korea’s ruling body to adapt to a changing environment and secure power for his son. North Korea’s Reconnaissance General Bureau (RGB) was established and undertook the management of clandestine intelligence and provocative missions. Subordinate to the RGB, Bureau 121 has functioned as an operational center for cyber activities. The succession from Kim Jong-Il to Kim Jong-Un is estimated to have taken place gradually over the course of two years starting in September 2010, when Kim Jong-Un was appointed Vice Chairman of the Central Military Commission (CMC) and a member of the Central Committee (CC) of the Workers' Party of Korea (WPK). Kim Jong-Il died in December 2011, and the formal succession of power to Kim Jong-Un was finalized in April 2012, when Kim Jong-Un was appointed First Secretary of the CC and Chairman of the CMC, gaining hold of both administrative and military power. (Chronology of the North Korean events)
- Following the power transition, North Korean cyber capabilities appear to have progressed significantly. Until 2014, the majority of experts were dubious about North Korean offensive cyber capacity. Many experts acknowledged the growing threat of its cyber operations, but were unsure whether the nation possessed capabilities strong enough to pose a significant threat to adversaries and broader global stability. The 2014 Sony Pictures hack has led some experts to reassess this claim.
- Judging from prominent cyber attacks attributed to North Korean actors, which are global in scale, the Kim Jong-Un regime has committed considerable investment to developing cyber operations. North Korea strategically makes use of cyber capabilities in combination with sporadic demonstrations of nuclear threats in pursuit of regime survival and power projection. However, the North Korean government has supported boosting cyber capabilities as an effective asymmetric measure since the Kim Jong-Il period. General technological development and greater geopolitical constraints on other instruments of national power now make the nation more heavily dependent on offensive cyber operations.
- Moreover, Kim Jong-un is alleged to support strengthening cyber war capabilities, saying: "Cyberwarfare, along with nuclear weapons and missiles, is an 'all-purpose sword' that guarantees our military's capability to strike relentlessly."
5. What can the timeline tell us about the effectiveness of responses to North Korean offensive cyber activity?
- The attribution of cyber attacks is fraught with uncertainty, making it difficult to draw connections between cyber attacks and state actors. However, parts of the international community have officially denounced North Korean cyber attacks since 2014. While sanctions and denouncements have been a common response to malicious state-sponsored cyber activities, we have yet to observe kinetic military action in retaliation to stand-alone cyber attacks. Responses to cyber attacks so far have been disproportionate (on the low end) and ineffective, appearing to fall short of hindering or preventing further cyber operations.
- A comprehensive evaluation of the effectiveness of the U.S. and South Korean responses to North Korean cyber attacks has not been conducted (at least not publicly). Such an evaluation would be of supreme utility, but must carefully consider the potential escalatory dynamics on the Korean peninsula.
- Short of this comprehensive evaluation, no course of action appears to have been effective enough to halt North Korean cyber operations. The relative weakness of responses may embolden North Korea to develop and deploy more sophisticated cyber means in pursuit of political and financial objectives. It is worth noting that these trends are not unique to North Korea and raise broader questions of why and how malicious state actors favor the use of cyber means as instruments of national power.
North Korea has used—and will continue to use—cyber capabilities for offensive operations and in response to external events. As is reflected in the organizational structure of North Korea’s RGB, cyber capability is considered a critical part of its broader military strategy.
Because the North Korean public is not generally connected to the global network, the domain is open for government dominance, which it utilizes for malicious purposes. North Korean cyber operations can be regarded as provocative, with malign intentions and should not be viewed separately from military and political provocations. They function both as effective tools for disruption and power projection, as well as sources of income.
The fundraising function of North Korean cyber operations should be considered when designing future responses. North Korea will continue exercising power through cyberspace because of its asymmetric nature, and provocative operations in cyberspace cannot be prevented completely because of North Korea's closed nature and low reliance on the Internet and connectivity. Instead, external actors should consider additional means for tightening North Korea’s sources of revenue, including that earned through cyber attacks. For example, a focus on securing global financial and military networks could be a critical part of defense against North Korean offensive cyber activity. More focus must be placed on addressing the vulnerability of networks in order to prevent exploitation by unlawful aggressors. In addition, interested parties must develop a playbook to assign attribution and increase the cost to North Korea of conducting cyber attacks. This playbook should incorporate all facets of national power and not be constrained to just cyber countermeasures.