North Korea Proves You Barely Need Computers to Win a Cyberwar
Pyongyang's attacks are proving that cybercrime can pay when you have nothing to lose.
Evidence is mounting that the perpetrator of last month’s WannaCry cyberattack that paralyzed 300,000 computers in 150 countries was North Korea’s hacker army, a highly sophisticated network of hackers trained to compromise foreign militaries, corrupt network systems, and conduct cyberheists of financial institutions. It may seem strange that a country as underdeveloped as North Korea has decided to invest its meager resources in such high-tech capabilities. It shouldn’t. Cyberspace has long been North Korea’s preferred battlefield precisely because of its own developmental weaknesses.
For decades, North Korea’s overarching military strategy has focused on asymmetric attacks and limited provocations. Cyberwarfare is only the newest frontier for this doctrine. North Korea first began developing its cybercapabilities as early as 1986, when it hired 25 Russian instructors to train students at the Mirim Command Automation College. It then opened a research facility in 1990 called the Korea Computer Center, using a recruitment process borrowed from China called the “thousand grains of sand” technique. Under this system, promising students are identified as early as elementary school and then trained through university in coding and hacking. As a result of continued investment and focus from the regime, experts believe that the size of the country’s hacking units has ballooned, with a 2014 report from the Center for Strategic and International Studies estimating them to be about 5,900 strong. North Korean hacking units are spread across a number of agencies, such as the Reconnaissance General Bureau (RGB) and the Korean People’s Army (KPA).
North Korean strategists came to realize that cyberwarfare was especially favorable terrain for military and criminal activity. Unlike conventional provocations, cyberattacks such as WannaCry allow North Korea to maximize its profits while maintaining some level of deniability, thus avoiding the likelihood of retaliation.
For instance, North Korea knows it can target the information architecture that developed economies rely on without fearing any direct, symmetrical response. Attacks such as the 2003 software glitch that left 55 million Americans without power, the February 2015 attack on American insurance company Anthem that gained access to 80 million customer records, and the series of attacks on the SWIFT global messaging network that underpins trillions of dollars in funds transfers daily are serious worries for Americans but not issues for the isolated and disconnected North. South Korea, the most common target of North Korean cyberattacks, is extremely connected and exceptionally vulnerable, as outlined in a 2016 Deloitte report.
“North Korea has nothing to lose in a cyberbattle,” Korea University professor Kim Seung-joo told the Associated Press. The isolated nation already suffers regular blackouts, nearly nonexistent internet access, and a disconnected, cash-based financial system. It thus stands to lose much less in cyberwarfare, increasing the regime’s appetite for online conflicts.
North Korea also benefits from the ambiguity of online attacks. When the South Korean warship Cheonan was struck by a torpedo and sunk in March 2010, killing 46 seamen, the physical evidence led an international investigation team to finger North Korea for the attack. But cyberattacks can be shrouded in secrecy — or at least plausible deniability. While the Sony hack in 2014, the cyberheist of Bangladesh’s central bank in 2016, and May’s global WannaCry ransomware attack are widely believed to be linked back to North Korea’s hackers via digital forensics, the evidence remains inconclusive due to the possibility that hackers may have instead deliberately posed as North Koreans. By upping the pace of such attacks, Pyongyang creates a powerful incentive for others to imitate them as camouflage, fostering the ambiguity both criminals and Pyongyang depend upon.
And unlike military operations that happen in real time, malicious code can burrow deep into the enemy’s territory, allowing the attacker to extract important military or financial data in the process. A watering hole campaign in February that targeted organizations in 31 countries — most notably a bank in Poland — had planted malware inside the targets since at least October 2016.
Money is another powerful motivation for a regime increasingly strapped for cash. The Bangladesh case and the WannaCry attack highlight the financial lure as traditional methods of procuring foreign currency feel the bite of international sanctions. The regime’s use of overseas laborers is being cut down by behind-the-scenes diplomacy by Washington and Seoul. Illicit streams such as drugs, weapons, and counterfeiting have also been hit by improved sanctions implementation and enforcement. Once reliable trade with China is being squeezed as Beijing grows increasingly wary of Pyongyang’s recklessness.
North Korea’s low-intensity conventional offensives like the Cheonan sinking and the shelling of Yeonpyeong Island can be useful reminders of its military capabilities. But they cannot fill the regime’s coffers. The cyberheist of Bangladesh’s central bank account at the Federal Reserve Bank of New York, however, netted the attackers $81 million, nearly the amount of total trade between China and North Korea this past April. If the attack on the SWIFT network had been fully successful, it would have collected nearly $1 billion, or approximately 8 percent of North Korea’s GDP in 2015.
The sophistication of Pyongyang’s cyberarsenal presents a challenge for the United States and its allies. Kaspersky Lab, a world leader in cybersecurity that has extensively researched North Korea’s cyberarmy, has stated that the scale of operations is “shocking.” But a separate Kaspersky report stated that the North Koreans routinely commit operational mistakes, such as exposing a North Korean IP address in the WannaCry attack. This is because the country’s cyber contingent is “so large that one part doesn’t always know what the other is doing.” Such slip-ups create opportunities for swift and effective response.
The U.S. Treasury should move to implement secondary sanctions on any individuals and entities related to North Korea’s cyberoperations based on a March 2016 executive order that targets any entities known “to have engaged in significant activities undermining cybersecurity through the use of computer networks or systems against targets outside of North Korea.”
One vulnerability that the United States could exploit is North Korea’s reliance on its connections with shady enterprises in China as a launching pad for its cyberattacks due to the country’s limited internet capacity. A report by the C4ADS nonprofit and the Asan Institute for Policy Studies has linked Chinese-North Korean joint ventures to North Korea’s primary email relay service and IT firms that produce software with “possible military and regime applicability.” The Chilbosan Hotel in Shenyang, China, a venture of the now sanctioned Chinese company Liaoning Hongxiang, was “alleged to be the staging area” for the North’s elite cyberwarriors. No Chinese individuals or entities have been sanctioned in relation to North Korea’s cyberoperations so far.
Juan Zarate, the former assistant secretary of the treasury for terrorist financing and financial crimes, has suggested that “Congress should consider providing victims of North Korean cyber attacks the right to sue and seek damages from entities and actors that have facilitated or knowingly benefited from North Korean cyber activity.” While bringing North Koreans to a court of law is unlikely, this would raise the risk calculus of the Chinese involved, and the threat of legal action could serve as an inducement for Beijing to cooperate with the United States.
Such cooperation would also be in the Chinese government’s direct interest. WannaCry infected nearly 30,000 IP addresses in mainland China and froze 10,000 schools, hospitals, and government agencies. Gas stations, credit card and online payment systems, and tax bureaus were similarly affected. Using the 2015 agreement on cybercrime between China and the United States as a springboard, the Donald Trump administration could take advantage of the growing unease in China with Pyongyang’s actions.
The North Koreans are rapidly finding their footing in cyberspace. As their abilities improve, they could become able to steal on a grand scale without leaving a trace and might be able to hold hostage or damage systems architecture that millions of people depend on worldwide. Before that point is reached, we need to find a way both to defend against such attacks and to deter Pyongyang from continuing down that path.
Brian R. Moore is a Resident Fellow at Pacific Forum CSIS and a graduate student at Georgetown’s School of Foreign Service in the Asian Studies Program.