Over the past 10 years, the escapades of various nation-state actors in the cyber realm have exploded onto the pages of top-tier media, and into prime time network news. Russian espionage against political targets during the 2016 US presidential election, wide reaching Chinese espionage against Western commercial targets, disruptive attacks against the US financial sector associated with Iran, and the destructive attacks against Sony Pictures Entertainment (SPE) are some of the premier examples of mainstream coverage of ‘cyber.’ Behind every single offensive cyber action conducted in the interest of the capable nation-states is a doctrine, and North Korea, like many other nation-states, has incorporated cyber operations within their own broader military doctrine and has conducted numerous offensive operations in the furtherance of their national agenda. What is particularly alarming about DPRK operations is their willingness to initiate escalatory actions, such as their likely connections to the now infamous WannaCry ransomware, and their targeting of the global financial system. North Korea’s disregard for the consequences of its actions sets them apart from other nation-states, and is particularly dangerous.
North Korean offensive cyber operations have been conducted to collect sensitive political and military intelligence information, to lash out at enemies who threaten their beliefs and interests, and most interestingly, to generate revenue. This revenue generation aspect of North Korean operations was thrust into the international spotlight when, in early 2016, unauthorized transfers of funds from the Bangladesh Central Bank were issued using the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network for global banking. The attempted transfers amounting to over $950 million USD sought to move funds to entities in locations such as Sri Lanka and the Philippines; ultimately $81 million USD in funds disappeared into the ether. The subsequent investigation revealed that the perpetrators of the attack used tools to securely delete records from the SWIFT terminals that would alert Bangladesh Central Bank employees of the transfers. Commonly referred to as a “wiper,” this secure deletion tool contained code that was linked by many in the computer security industry to one used in attacks associated with North Korea, notably the attack on SPE through a US Computer Emergency Response Team (USCERT) alert. The revelation that a state would engage in such a flagrant violation of international norms came as a surprise to many in the information security arena. North Korea watchers were, of course, not surprised as the currency generation activities benefiting the Kim family and their isolated nation have been well understood for some time.
The 2016 SWIFT attacks associated with North Korea are part of the broader currency generation operations of DPRK cyber actors and intelligence organizations. Botnets associated with espionage activity targeting South Korea have been used to generate revenue through a variety of schemes for almost 10 years. Recent DPRK activity suggests an interest in obtaining cryptocurrency, such as bitcoin, through extortion and targeting of cryptocurrency exchanges. In the third quarter of 2017, for instance, malicious emails containing weaponized documents were used to target international financial organizations, as well as bitcoin exchanges. The ultimate goal of these attacks, which were tracked by the information security community under names such as Stardust Chollima and BlueNoroff, is yet unknown, however theft and sabotage are likely.
Bitcoin provides attractive benefits to the isolated nation due to a lack of regulation and the ability to subvert international sanctions. In May 2017, ‘WannaCry’ exploded across the internet, encrypting sensitive material and holding the keys to decrypt the files for a ransom to be paid in bitcoin. This attack, too, had North Korean fingerprints embedded in the code used to execute the attack, as did the tools that were used to develop that code.
Attribution is a particularly sensitive subject in the cyber domain. Technical artifacts from the executable code that was used to conduct the WannaCry attack overlaps with code used in attacks against South Korean nuclear power plants and the SPE attack of 2014. While the technical artifacts can provide some measurable connections between the attacks, they require deep technical understanding to interpret. Other linkages, such as targeting and operational procedures, are the product of intelligence assessments and have been disputed by various parties muddying the water surrounding the assigning of attribution.
North Korea is an exception to the classical understanding of how most nations implement offensive cyber operations in that they incorporate espionage, disruptive/destructive attacks and financially motivated operations using the same computer code and infrastructure. The value of cyber operations is likely recognized by North Korea’s most senior leadership through the State Affairs Commission (SAC), the General Staff of the Korean People’s Army, and Kim Jong Un himself. Subordinate units, notably the Reconnaissance General Bureau (RGB), Bureau 121, and the Command Automation Bureau (CAB), are likely responsible for executing the specific operations. The individual units may have a charter to self- finance their operations, or to contribute financial gains back to the regime, but it seems clear that various offensive operations are conducted by differing groups with their own approach and missions. For example, one group may have a primary focus on revenue generation, targeting South Korean banks and SWIFT and conducting extortive attacks, while another group might focus on intelligence collection, while a third conducts sabotage and destructive attacks.
Finally, the maturity of North Korean offensive cyber operations has been demonstrated through the integration of destructive attacks by cyber units during military exercises executed in the midst of escalating tension with South Korea. For instance, following the December 2012 launch of the Kwangmyongsong-3 satellite via the Unha-3 satellite launch vehicle, tensions on the Korean peninsula were high. That March, following the passing of UN Security Council Resolution (UNSCR 2087) and B-52 strategic bomber overflights in South Korea, North Korea responded with a particularly aggressive disruptive attack against South Korea. This massive wiper attack targeted South Korea’s financial and media sectors and coincided with provocations by North Korean military and escalating political rhetoric. This pairing allowed for maximum psychological impact, while demonstrating North Korea’s ability to integrate offensive cyber activities into well-developed military doctrine. During these attacks, the Korea Broadcasting System (KBS), Munhwa Broadcasting Corporation (MBC), Yonhap Television News (YTN) and several Korean financial institutions reported disruptions. With the threat of military escalation on the table, many in South Korea would have depended on the media outlets for breaking news. Disruption of ATM networks and financial institutions would further add to the chaos as word of media disruptions began to spread.
As tensions are once again escalating between North Korea and the international community, more attacks perpetrated by DPRK cyber actors are likely. The recent increase in financial sector targeting associated with these actors may illustrate the potential for disruptive attacks to demonstrate both the capability of the North Korean actors, as well to achieve objectives in line with their broader military doctrine. While North Korea’s isolation may be detrimental to its economy and international relations, it is an effective shield from which to launch offensive cyber operations against a connected and delicate global system.
In order to establish some common definitions, we can look to the United States Department of Defense, who established Computer Network Operations (CNO) as a component of the broader Information Operations (Information Warfare) arena. CNO is further categorized into Computer Network Exploitation (CNE), Computer Network Attack (CNA), and Computer Network Defense (CND). Offensive cyber operations conducted by nation-states using this model would be considered CNE and CNA. The use of CNE can be roughly characterized as espionage, whereas CNA would be used to degrade, deny, disrupt, or destroy the network based systems of an adversary. This model can help provide a clear delineation of how various military, intelligence community, and law enforcement agencies with their authorities are able to conduct operations. China, Russia, Iran and virtually every nation-state in the world conduct CNE/CNA operations in accordance with their legal authorities and national interests.