Toward a Better Understanding of North Korea’s Cyber Operations

The cybersecurity capabilities of the North Korean government are certainly more advanced than a country with such a small economy would traditionally field and should not be underestimated. The regime’s commitment to acquiring cyber capabilities is consistent with its broader efforts to pursue disruptive technologies such as nuclear, chemical and biological weaponry. While it is assumed that much of the information on North Korea’s cyber capabilities is classified, there is a large amount of public-domain material on their attacks, making it relatively easy to unpack and discuss the capabilities of the group behind them (also known as the Lazarus Group, APT37 or Hidden Cobra). A careful reading of this information suggests that while North Korean cyber operations are broadly reported and studied, they are often treated separately from other issues on the peninsula, increasing the risk that decision makers will produce an incomplete analysis of the strategic environment.

North Korean Cyber Operations

The North Korean government regularly engages in cyber attacks against states and institutions all over the world, including places as far apart as Latin America and Eastern Europe. However, the majority of their attacks are more regionally focused. North Korean cybersecurity activities generally fall into four categories:

  1. Financially motivated cyber attacks. This would include attacks on the Bangladesh Bank and Taiwan’s Far Eastern International Bank.
  2. Defense/Intelligence activities. These encompass attacks on South Korea’s Ministry of National Defense and other known efforts against the defense industry.
  3. Ideological/influence operations. This includes, for example, operations against Sony Pictures and those targeted at defectors.
  4. Destructive attacks. This includes such operations as WannaCry.

When North Korea conducts cyber attacks it often does so from already known and well-understood technical networks. To be sure, the networks required to support large-scale cyber attacks are frequently difficult to build and maintain; they are used to mask the approach and to mitigate the risk of direct attribution that would come from launching an attack from an identifiable home base. Once established on a network, however, North Korean cyber operations have an identifiable signature from the implants that they use. For example, the regime has used the same wipers and ransomware in attacks such as WannaCry, Sony Pictures and the Taiwanese bank. Put simply, the industry knows the architecture of North Korean cyber activities quite well, and the DPRK generally doesn’t try that hard to obscure its operations. That said, the North recently made a very crude attempt to disguise some attacks as Russian.

The current state of cyber operations involving North Korea shows two major trends.

The first is that, over time, the group has shown a greater preference for softer targets such as cryptocurrency exchanges. Cryptocurrency exchanges are quite terrible at securing themselves and, as a result, the group has been able to take a large amount of money through this style of attack. In response, the international banking system has gone to great lengths to fortify its systems. This has by no means been universally successful, but it has made it more difficult for the North to undertake larger heists. For example, during the Taiwanese bank attack, the team in the bank was able to recover most of the money quickly.

The second trend is the interest the group has shown in the development of disruptive, broad-use cyber weapons. WannaCry was an interesting attack that is still not well understood. The deployment of a destructive weapon that appeared to be ransomware was not really expected by cyber experts. However, the danger posed by zero-day worms is real, and should other such cyber weapons exist, an attacker with a more weaponized tool could do significant damage to systems.[1]

Accurate Threat Assessment, not Attribution, is the Problem

Tying all of this activity together is often seen as rather difficult. But contrary to conventional wisdom, technical attribution—when done by professionals—can be done quickly and with high confidence. Public attribution is, however, a slightly different story; there is a significant barrier in convincing risk-averse decision makers, who rarely understand the technology, that public attribution is the best course of action. Often, saying nothing is the preferred decision of companies and governments. This is especially the case given the real risk of being subjected to additional attacks as a result of public attribution.

Gaining a more accurate and comprehensive idea of the scope and implications of North Korean cyber operations is far more challenging than attribution. There are several reasons for this.

First, discussions of North Korea and of cybersecurity often appear disconnected because technical specialists typically lack an awareness of the strategic environment on the peninsula. This gap is at the core of the threat assessment problem and has led to significant oversights in understanding. For intelligence analysts of information technology (IT), data is intelligence, but the strategic implications are regularly missed. Practitioners are not doing enough to grasp that cyber specialists operate within a specific region, and that this influences how they analyze and interpret intelligence and systems. At present, subject matter experts in cybersecurity come from different schools and technical disciplines. Policymakers and practitioners often vastly overstate the deficiencies in their knowledge. That said, cyber experts and the policy community speak in different languages and conduct research independently of each other.

Second, stovepipes exist even within the technical disciplines—for example, between hackers who have a good grasp of the development and use of exploits and blue team operators (who use big data, machine learning and log forensics[2] to hunt for the enemy and defend networks). There are also too many communication barriers between advisory staff, who understand how to get boards and CEOs to take things seriously, and auditors and risk managers. As a discipline, not enough is being done to create common ground for discussion. The different groups in the cyber community rarely attend the same conferences, and when they do, they struggle to speak the same language. Think tanks and universities should look to incorporate elements of each community and create an environment and platforms for common discussion.

Third, there are cognitive difficulties that hinder sound threat assessment. The largest problem is the tendency to think of cybersecurity as being purely related to information technology. However, industrial control systems, fiber optic cables and the manufacturing processes for hardware are all part of the cybersecurity domain. Military planners, in particular, operate securely built military equipment (such as ships and fighter aircraft) but will think nothing of keeping the plans for this equipment on a laptop that lacks proper security protections. As discussed above, this has led to military planning on the peninsula being exfiltrated from networks by North Korean cyber operators.

Together, these limitations have had a detrimental impact on the assessment and categorization of behaviors related to the escalation of conflict. In war games and workshops the author has attended with senior policy practitioners, North Korean cyber activities were often not correctly interpreted. For example, decision makers understand the escalation chain of nuclear weapons, artillery and special operations; however, when cyber attacks are thrown into the mix, wargaming shows that these events are not sufficiently comprehended and contextualized.[3]

Minding the Gaps

As previously discussed, our current understanding of the potential scope for cyber breaches is limited by thinking purely in terms of the IT dimension. This layer is the easiest to access remotely, but that is only true for now. For a motivated state actor, the manufacturing chain is potentially a lucrative target for more serious breaches. The example of WannaCry and its implications for the British National Health Service indicate the potential strategic implications of these activities as the physical realm and the control systems we use become a component of cybersecurity. At the moment, sophisticated cyber threats operate within these gaps in domain knowledge. There are real gains to be made by bringing specialists together from multiple disciplines and incorporating them into intelligence assessment and threat actor study. North Korean cyber methods are often widely known and analyzed. So far, however, no one has been able, with real confidence, to tie the group to a specific entity within the North Korean government, even if the attribution to the regime is well understood. More analysis of the group by political scientists and intelligence analysts could help narrow this gap.

For all their publicity, North Korean cyber operations do not use a large number of ultra-sophisticated exploits. Rather, their code base slowly evolves. They rapidly incorporate new knowledge but generally have not shown a flair for unique development. Much of North Korea’s current cyber exploitation kit is composed of modified versions of previous tools that have been slowly refined and set into identifiable patterns of attack and behavior. Analysts have done a great deal of good spadework on the group, and now know the names of a number of the attackers from studying their different patterns of behavior based on the geography they attack from, whether it is China, North Korea itself or elsewhere. However, studies already show that there is a gap between those attacks and their categorization within contemporary decision making. Going forward, the discussion of the North Korean cyber threat needs to become broader and more informed by the strategic context. If it does not, there is a real risk that the cyber element of the strategic environment on the Korean Peninsula will not be integrated into our general understanding of the region’s nuclear, economic and conventional military capabilities.

[1] A zero-day vulnerability is a security flaw for which no patch is yet available. When combined with a malicious payload such as ransomware, the effect can be quite dangerous. A theoretical example would be the WannaCry attack had no patch been available; such an attack would be difficult to stop and remediate quickly.

[2] The evaluation of data produced by machines to investigate what has occurred on systems.

[3] There has been some great research on this by Dr. Jacquelyn Schneider, who has shown that people perceive cyber risk differently from the risks associated with nuclear weapons and terrorism.

38 North: News and Analysis on North Korea