In Short

North Korea as a Geopolitical and Cyber Actor

A timeline of events


Editor’s Note: This post is a product of the work of the C2B team’s Asan Academy Fellow, Leekyung Ko. The timeline is built on open-source research and does not represent an exhaustive chronology of events. Our hope is that it provides researchers and other interested parties with an interactive means to observe patterns in North Korean cyber activity. If you feel we are missing important events, please email the event, along with a publicly available source for the event to morgus@newamerica.org.

Background and Motivation

North Korea (DPRK) has a long history of triggering international responses through displays of national power. These provocations most often fall short of actual armed conflict, and North Korea has sought to instead develop asymmetric tools, as evidenced by its nuclear program and, more recently, the development of offensive cyber capabilities. 

North Korea’s pursuit of asymmetric capability dates back to the early 1960s, when it established its first nuclear research center in Yongbyon and began building the capacity for an indigenous nuclear program. In 2003, North Korea declared its withdrawal from the Nuclear Non-Proliferation Treaty (NPT), announcing “its total freedom from the binding force of the safeguards accord with the International Atomic Energy Agency (IAEA)”, while stating that it had “no intention to produce nuclear weapons and our nuclear activities […are] confined only to peaceful purposes.” However, evidence of reprocessing activity was detected a few months later, and its first nuclear weapons test in 2006 confirmed that North Korea was pursuing a nuclear weapons program. Today, North Korea appears to have achieved its goal, at least in part, and is using the threat of nuclear weapons to generate instability in Northeast Asia and beyond, explicitly targeting the U.S.

In addition to its unpredictable nuclear and missile provocations, North Korea’s offensive cyber operations of recent years are increasingly viewed as a source of regional, if not global, instability. Since the early 2000s, offensive cyber capabilities have been added to North Korea’s toolkit. The Pyongyang regime has frequently conducted distributed denial of service (DDoS) attacks against South Korea, rendering the websites of governmental and financial institutions unreachable. The Fourth of July Incident, a DDoS campaign against U.S. and South Korean websites in 2009, was one of the most significant attacks of that type attributed to North Korea. Similarly, the hack on Sony Pictures Entertainment in 2014, the SWIFT bank heists of 2015 and 2016, and the WannaCry ransomware attack in 2017 were high-profile cases that demonstrated the malicious intent and increasing sophistication of North Korea’s offensive cyber capacity.

In order to understand today’s broader security environment, understanding cyber operations is vital. This is especially true of North Korea, which has accumulated offensive cyber capacity and established a willingness to use that capacity in pursuit of national aims. In an attempt to build greater understanding of how North Korea has utilized offensive cyber capability in connection with broader geopolitical events, the timeline above shows a series of events falling into four categories: (1) North Korea’s nuclear and missile-related events, (2) United Nations resolutions that directly or indirectly relate to the North Korean nuclear program, (3) high-profile political events, both domestic and in North Korea’s relationships with the U.S. and South Korea, and (4) cyber incidents. The compilation of events in the timeline relies entirely on open-source documentation and may be incomplete.

Cyber activity is a critical part of North Korea’s national strategy, and some cyber events appear to relate to geopolitical events shown in the timeline. However, it is important to note that the timeline does not show a clearly defined correlation between geopolitical events and cyber offenses. Instead, we can observe two trends. First, North Korea has consistently utilized its cyber capability as a way of demonstrating power while incurring less risk of direct retaliation. Second, the recent spike in financially motivated operations suggests that North Korea is increasingly using cyber means for dual purposes: to exercise political power and to raise money to support the regime. A more complete and vivid understanding of the North Korean threat requires an inspection of its cyber capability and its integration as an instrument of national power alongside nuclear and ballistic threats. Currently, North Korea is effectively exploiting a combination of cyber and non-cyber means, maximizing its provocative effect.

Timeline Implications

As one of the tools in its international strategy, North Korea has developed its nuclear weapons to assure the survival of the regime. North Korean international relations are characterized by nuclear-related events, which are, for the most part, attempts to project power and provoke instability.

Four cyber events are particularly noteworthy and are the ones most widely covered in media. The following is a possible understanding of each event’s background:

  1. Fourth of July Incident (July 2009): Reported to have been timed to the U.S. Independence Day holiday. A series of DDoS attacks on governmental, financial, and media websites appeared intended to bolster propaganda and demonstrate North Korea’s offensive cyber capabilities. The White House, the Pentagon, and the New York Stock Exchange were among those affected in the U.S. In South Korea, the Blue House, several banks, and news agencies experienced similar disruption.

  2. Compromise of Sony Pictures Entertainment (December 2014): A targeted cyber attack against a private company that was planning to release a comedy film about an assassination plot against the North Korean leader. The hacking group leaked employee information and confidential emails and wiped data from the company’s systems. The attack featured both warning and retaliatory characteristics, and it was the first cyber incident to be officially denounced by a U.S. president.

  3. SWIFT Network Bank Heist (February 2016): A hacker group used stolen credentials on a bank’s own connection to SWIFT, the worldwide messaging network for transactions between financial institutions, to issue fraudulent transfer orders moving funds to accounts under its control; SWIFT’s core network itself was not breached. $81 million was stolen from Bangladesh Bank, and similar heists or attempted heists on banks in Vietnam and Ecuador were attributed to the same group, which is linked to North Korea. It is widely described as the first known instance in which a state-sponsored actor compromised networks for the purpose of financial gain.

  4. WannaCry Ransomware Attack (May 2017): The ransomware encrypted data and demanded cryptocurrency payments. Exploiting a vulnerability in the Windows SMB file-sharing service that allowed it to self-propagate without user interaction, and for which a patch had already been available for about two months, the cryptoworm infected over 200,000 computers in over 150 countries. The hacker group raised around $140,000 in bitcoin as ransom. Although the offender seems to have made some revenue through the attack, it is generally assumed that the attack was more political than financially driven, given the relatively small amount earned. The incident shows an emerging feature of North Korean cyber operations that integrates both political and financial objectives. Money-seeking behavior has emerged as a trend in North Korean cyber operations, especially when seen beside recent North Korean attacks on the South Korean cryptocurrency markets.

Questions

1. Why does North Korea integrate cyber into its broader geopolitical strategy?

  • Cyber operations are relatively low cost with high effectiveness when compared to the procurement and maintenance of conventional military capabilities. 
  • North Korea’s limited reliance on the Internet diminishes its vulnerability to, and the potential consequences of, external cyber attacks, whereas the relatively high network dependency of the U.S. and South Korea creates weak points that can be targeted by cyber offenders. 
  • The military deadlock on the Korean Peninsula also encourages North Korean development of offensive cyber capabilities as a means to exercise national power with relatively low risk of escalation. Cyber operations are characterized by the evasion of attribution and bring a relatively low risk of retaliation. North Korean cyber operations can be assessed as “a cost-effective, asymmetric, deniable tool… with little risk of reprisal attacks.”

2. To what extent does the timeline suggest North Korea uses cyber means to respond to broader geopolitical events?

  • No clear causal link can be drawn from our data. 
  • However, it is worth noting that North Korea regards its cyber operations as one tool in a suite of effective instruments of national power and has every intention of utilizing them further. In the Sony Pictures Entertainment hack (2014), North Korea used cyber means against a commercial entity to preempt the firm’s provocative film release. 
  • North Korea deems cyber capability a useful means of protecting the legitimacy of its regime, along with nuclear weapons and missile technology. Its previous cyber operations include Distributed Denial of Service (DDoS) attacks, data breaches, currency theft and espionage.  

3. Does the timeline suggest a relationship between sanctions and North Korean offensive cyber activity? Do more stringent sanctions lead to an increase in North Korean offensive cyber activity?

  • An increase in fund-seeking cyber operations is observed in recent cyber offensive activities attributed to North Korea, such as the 2016 SWIFT case and cyber attacks against South Korean cryptocurrency exchanges. 
  • There was no clear decrease in other cyber operations, suggesting that North Korea is investing more in developing its cyber capabilities overall while making money through ransomware and online bank theft. 
  • The temporal proximity of proposals for stricter economic sanctions and an increase in North Korea’s fund-seeking cyber operations suggests a possible connection between the two. That is to say, financial pressure may cause North Korea to make increased use of cyber operations to raise funds, although the timeline alone cannot establish this.

4. What does the timeline say about the impact the change of leadership from Kim Jong-Il to Kim Jong-Un had on North Korean cyber activity?

  • In 2009, Kim Jong-Il pursued a relatively drastic reorganization of North Korea’s ruling bodies to adapt to a changing environment and secure power for his son. North Korea’s Reconnaissance General Bureau (RGB) was established and took over the management of clandestine intelligence and provocative missions. Subordinate to the RGB, Bureau 121 has functioned as an operational center for cyber activities. The succession from Kim Jong-Il to Kim Jong-Un is estimated to have taken place gradually over the course of two years starting in September 2010, when Kim Jong-Un was appointed Vice Chairman of the Central Military Commission (CMC) and a member of the Central Committee (CC) of the Workers’ Party of Korea (WPK). Kim Jong-Il died in December 2011, and the formal succession to Kim Jong-Un was finalized in April 2012, when Kim Jong-Un was appointed First Secretary of the WPK and Chairman of the CMC, gaining hold of both administrative and military power. (Chronology of the North Korean events)
  • Following the power transition, North Korean cyber capabilities appear to have progressed significantly. Until 2014, the majority of experts were dubious about North Korean offensive cyber capacity. Many experts acknowledged the growing threat of its cyber operations but were unsure whether the nation possessed capabilities strong enough to pose a significant threat to adversaries and broader global stability. The 2014 Sony Pictures hack led some experts to reassess that view.
  • Judging from the prominent cyber attacks attributed to North Korean actors, which are global in scale, the Kim Jong-Un regime has committed considerable investment to developing cyber operations. North Korea strategically makes use of cyber capabilities in combination with sporadic demonstrations of nuclear threats in pursuit of regime survival and power projection. This is not entirely new: the North Korean government has supported boosting cyber capabilities as an effective asymmetric measure since the Kim Jong-Il period. General technological development and greater geopolitical constraints on other instruments of national power now make the nation more heavily dependent on offensive cyber operations.
  • Kim Jong-Un is reported to have personally endorsed strengthening cyber warfare capabilities, saying: “Cyberwarfare, along with nuclear weapons and missiles, is an ‘all-purpose sword’ that guarantees our military’s capability to strike relentlessly.”

5. What can the timeline tell us about the effectiveness of responses to North Korean offensive cyber activity? 

  • The attribution of cyber attacks is fraught with uncertainty, making it difficult to draw connections between cyber attacks and state actors. However, parts of the international community have officially denounced North Korean cyber attacks since 2014. While sanctions and denouncements have been a common response to malicious state-sponsored cyber activities, we have yet to observe kinetic military action in retaliation for stand-alone cyber attacks. Responses to cyber attacks so far have been disproportionately weak and ineffective, appearing to fall short of hindering or preventing further cyber operations.  
  • A comprehensive evaluation of the effectiveness of the U.S. and South Korean responses to North Korean cyber attacks has not been conducted (at least not publicly). Such an evaluation would be of supreme utility, but must carefully consider the potential escalatory dynamics on the Korean peninsula.
  • Short of this comprehensive evaluation, no course of action appears to have been effective enough to halt North Korean cyber operations. The relative weakness of responses may embolden North Korea to develop and deploy more sophisticated cyber means in pursuit of political and financial objectives. It is worth noting that these trends are not unique to North Korea and raise broader questions of why and how malicious state actors favor the use of cyber means as instruments of national power.

Conclusion

North Korea has used—and will continue to use—cyber capabilities for offensive operations and in response to external events. As is reflected in the organizational structure of North Korea’s RGB, cyber capability is considered a critical part of its broader military strategy.

Because the North Korean public is not generally connected to the global Internet, the domain is left open for government dominance, which the regime uses for malicious purposes. North Korean cyber operations can be regarded as provocative and malign in intent, and should not be viewed separately from military and political provocations. They function both as effective tools for disruption and power projection and as sources of income.

The fundraising function of North Korean cyber operations should be considered when designing future responses. North Korea will continue exercising power through cyberspace because of its asymmetric nature, and provocative operations in cyberspace cannot be prevented completely because of North Korea’s closedness and low reliance on the Internet and connectivity. Instead, external actors should consider additional means of tightening North Korea’s sources of revenue, including revenue earned through cyber attacks. For example, a focus on securing global financial and military networks could be a critical part of defense against North Korean offensive cyber activity. More focus must be placed on addressing the vulnerability of networks in order to prevent their exploitation by unlawful aggressors. In addition, interested parties must develop a playbook to assign attribution and increase the cost to North Korea of conducting cyber attacks. This playbook should incorporate all facets of national power and not be constrained to cyber countermeasures alone.

More About the Authors

Leekyung Ko
