While North Korean Missiles Sit in Storage, Their Hackers Go Rampant
Pyongyang’s hacker armies have shown a proficiency at finding vulnerabilities and exploiting them—and the world needs to be prepared.
They’ve stolen billions of dollars, according to the U.S. Department of Justice. They’ve paralyzed the United Kingdom’s National Health Service, according to the U.K. Foreign, Commonwealth, and Development Office. And they’ve apparently hacked India’s newest nuclear power plant to steal its designs.
North Korean hackers have gone from spying on and disrupting their South Korean adversaries to stealing large sums of money, robbing cutting-edge technology, and causing havoc. While senior U.S. and Japanese officials are meeting this week to discuss regional security—especially with a focus on North Korea’s missiles—many experts say Pyongyang’s hackers are potentially a bigger threat than the massive rockets North Korean leader Kim Jong Un parades around every year.
“When comparing hackers to missiles, I definitely think that these guys are a bigger threat,” Simon Choi told Foreign Policy. He founded and runs IssueMakersLab, a nonprofit that specializes in infiltrating and tracking North Korean hacker groups. “They’re ready to use [missiles], but they haven’t done it yet. But hacking, we see it happen every day, all around us,” he added.
His organization has logged the activities of several different hacker groups linked to different parts of North Korea’s government, including its army and intelligence services. The trend line is clear, Choi said: They’re becoming more active and more proficient.
“They have been growing immensely recently. In the past, they used the same techniques that China and the United States have, based on open-source information. But recently, they’ve been showing progress in finding the weakness of the targets,” Choi said.
For example, North Korean hackers have recently used zero-day exploits against Google’s Chrome browser, meaning they found a vulnerability and exploited it before it had been discovered and fixed.
The Lazarus Group, perhaps the most notorious North Korean state-backed group, posed as security researchers to infect users’ Chrome browsers.
“When it comes to that, finding vulnerabilities, [North Korea] can be one of the top three in the world,” Choi said.
Mike Pompeo, former U.S. secretary of state, said last year that North Korea is a bigger threat than Russia when it comes to cyberattacks, and its growth is reminiscent of previous developments coming out of Pyongyang.
“Experts were initially dismissive of North Korea’s cyber capabilities, as they had been of the regime’s nuclear and missile programs,” said Bruce Klingner, a former CIA Korea deputy division chief who is now at the Heritage Foundation. “Pyongyang developed advanced cyberwarfare prowess surpassed by only a few nations. The regime improved its cyber programs to create a robust and global array of disruptive military, financial, and espionage capabilities,” he added.
North Korean hackers can’t do more damage than a nuclear weapon, of course. But the big difference is that Pyongyang can unleash its hackers, even in peacetime, while keeping its nuclear-tipped arsenal in wait.
“The difference is in usability,” said Benjamin Read, director of analysis and threat intelligence at the cybersecurity company Mandiant. Cyber capabilities, whether North Korean or Chinese, can help tip the balance of power even below the threshold of war.
In the meantime, Pyongyang has used cybercrime to secure hard currency for the heavily sanctioned country, and, according to CNN, a lot of that money is being siphoned into its weapons program. It’s not warfare—but it funds potential warfare.
“There’s an argument to be made that this sort of cybertheft enables [nuclear weapons], and if you judge North Korea to be risk tolerant enough to be the most likely country to use those to hit the U.S., that calculus gets you to them being the biggest threat,” Read said.
North Korea’s propensity to use its hackers for crime—robbing banks and emptying cryptocurrency wallets, according to the U.S. Department of Justice—stands in contrast to other U.S. adversaries like Iran, Russia, and China. Iran used cyber capabilities to take aim at Saudi Arabia’s oil production, for instance. Russia has used cyber capabilities to unsettle states in its orbit, especially Georgia and the Baltic states.
“Russia and Iran will do some destructive stuff but less crime,” Read said. “China has some overlaps with criminal groups but has not done as much cyber disruptive stuff. They certainly could, but they just haven’t.”
North Korea, in contrast, doesn’t seem to respect those boundaries. It launched several disruptive attacks against South Korea—including a huge theft of South Korean military secrets—and is believed to be responsible for the WannaCry ransomware attack that locked hundreds of thousands of people out of their computers and sent several U.K. hospitals offline in 2017. Pyongyang’s willingness to mix crime with state-directed cyberthreats makes it almost uniquely problematic.
“North Korea does not seem to respect many boundaries. They’ve been heavily into crime, but they historically have had no problem crossing that kind of dotted line,” Read said.