Report

‘You Live With a Degree of Paranoia’

Inside North Korea’s campaign to penetrate the U.N. sanctions experts’ wall of secrecy.

North-Korea-un-sanctions-foreign-policy-illustration
Foreign Policy illustration/Getty Images

Aaron Arnold, an American investigating sanctions violations for the United Nations in North Korea, received what seemed to be an innocuous email last October. James Sutterlin, a U.N. official in the office that manages sanctions experts, ostensibly forwarded a link to what was described as the U.N. Security Council’s forecast of its activities for the month, according to a copy of the email reviewed by Foreign Policy. Only, Sutterlin had not written the email, and the link, they would later discover, was part of a phishing attempt by the North Korean government.

Over the past decade, North Korea has developed an elaborate system for evading U.N. sanctions, deploying an army of front companies, secret bank accounts, and ransomware attacks to evade scrutiny and amass billions of dollars in cash revenue. But North Korea’s premier intelligence agency, the Reconnaissance General Bureau, has also taken a particular interest in snooping on U.N. sanctions experts and the U.N. bureaucrats and diplomats who oversee their work.

Sanctions have never been more popular, but the system for enforcing them at the United Nations is breaking down. In this two-week series, FP looks at why that is and what can still be done to fix it.

Foreign Policy illustration/Getty Images

Aaron Arnold, an American investigating sanctions violations for the United Nations in North Korea, received what seemed to be an innocuous email last October. James Sutterlin, a U.N. official in the office that manages sanctions experts, ostensibly forwarded a link to what was described as the U.N. Security Council’s forecast of its activities for the month, according to a copy of the email reviewed by Foreign Policy. Only, Sutterlin had not written the email, and the link, they would later discover, was part of a phishing attempt by the North Korean government.

Over the past decade, North Korea has developed an elaborate system for evading U.N. sanctions, deploying an army of front companies, secret bank accounts, and ransomware attacks to evade scrutiny and amass billions of dollars in cash revenue. But North Korea’s premier intelligence agency, the Reconnaissance General Bureau, has also taken a particular interest in snooping on U.N. sanctions experts and the U.N. bureaucrats and diplomats who oversee their work.

“The attacks can range from simple to sophisticated,” Arnold said, who stepped down from the panel earlier this year. “It is something the panel has to be aware of and has to deal with on a weekly and monthly basis.”

The cyberattacks against the panel of experts began several years ago with a series of clumsy email phishing attempts, rife with misspellings and mysterious, easy-to-spot email addresses. But the efforts have grown increasingly sophisticated as North Korea’s hackers succeeded in penetrating the experts’ personal and U.N. accounts as well as developed a deeper understanding of the inner workings of the sanction specialists. Today, the experts receive as many as three or four hacking attempts a month, via email, LinkedIn, Facebook, and other social media platforms, disguised as messages from Chinese diplomats, journalists, colleagues, and others.

“The North Koreans have definitely stepped up efforts in the past two to three years,” said Jenny Town, a senior fellow at the Stimson Center and director of the North Korea news site 38 North who has been the target of North Korea hacking efforts since around 2014. Her email address was slightly amended by North Korean hackers to breach the accounts of U.N. sanctions experts. “They used to be really clumsy. You could always tell because they used bad grammar, typos, and it was obvious they were not written by a proficient English speaker.”

The onslaught of cyberattacks underscores the challenges faced by an ad hoc team of financial, maritime, and weapons experts with varying degrees of experience with cyber measures as well as a wobbly U.N. information technology system that lacked the capacity to ferret out intrusions for years. Several former panel experts have expressed frustration with what they see as the U.N.’s inadequate training and protective measures, leaving it to the experts themselves to devise their own security arrangements to prevent the North Korean government as well as powerful U.N. Security Council members like China and Russia from spying on their work. The U.N.’s IT department never implemented basic safeguards, including two-step verification and encrypted U.N. laptop computers, until late 2017 and early 2018.

“You live with a degree of paranoia,” said William Newcomb, a former U.S. Treasury Department economist who served on the panel of experts from 2011 to 2014. “During the three years I was on the panel, we never felt secure on any information we stored on our office computers,” noting the experts would leave their U.N. quarters to discuss sensitive matters off campus. “We weren’t secure having confidential discussions in our office. We felt everything was vulnerable.”

The threats were not coming only from North Korea. Experts were also concerned about leaks of their internal findings to China and Russia, which each had a representative on the panel. “Everything that came into the panel was immediately shared with the Russians and Chinese,” said Stephanie Kleine-Ahlbrandt, a former U.S. member of the panel.


South Korean military soldiers take part in live fire exercise as they prepare for possible threats in Pocheon on Oct. 20, 2006, after a nuclear test by North Korea.

South Korean military soldiers take part in live fire exercises as they prepare for possible threats in Pocheon, South Korea, on Oct. 20, 2006, after a nuclear test by North Korea. Chung Sung-Jun/Getty Images

The U.N. Security Council first imposed sanctions on North Korea on Oct. 14, 2006, just days after Pyongyang conducted its first nuclear detonation. The measures targeted the export of conventional weapons, weapons of mass destruction, and missile-related goods as well as luxury goods. They also restricted the travel of North Koreans engaged in banned activities. The council established a panel of experts in June 2009 to ensure compliance with the previously leaky sanctions. The panel is composed of experts from the Security Council’s five veto-wielding permanent members—Britain, China, France, Russia, and the United States—and other key regional powers, including Japan and South Korea. They have documented North Korea’s efforts to evade sanctions.

The spate of cyberattacks coincides with concerns among U.S. policymakers that U.N. sanctions against North Korea are not being fully implemented. Washington points to the Security Council sanctions committee’s refusal to act on dozens of U.S. requests to sanction individuals, entities, or vessels, many of which are linked to China.

Asked if a recent barrage of North Korean missile tests merited an increase in sanctions, U.S. Ambassador to the U.N. Linda Thomas-Greenfield recently said: “Look, we already have a sanctions regime in place. We just need to be more serious about the implementation of that regime. Frankly, the [North Korea sanctions] committee is not doing its job. We need to enforce these violations. We need to ramp up the implementation of the sanctions. And we’ve not done that.”

The sanctions panels, which conduct highly sensitive investigations into sanctions evasions by governments and other groups, have always been a target-rich environment for foreign snooping. But the United Nations has little capacity to protect the inspectors from foreign spying. Since its inception, the North Korea panel has devised its own system for securing its investigation materials. Several experts said they received little support from the U.N. Secretariat, which lacked the skills to detect breaches.

“I pitched up at the U.N. in June 2014, and on my first day, I saw my desk with an ancient computer with no virus protection software,” said Hugh Griffiths, who stepped down as the coordinator of the North Korea panel of experts in 2019.

The first major intrusions were detected by the FBI, which warned the inspectors about breaches to their accounts, and later by Microsoft, which discovered soon after that panel members had been hacked.

“The zip file was sent with a highly personalized message which shows the hackers have very detailed insight into the panel’s current investigations structure and working methods,” the email read.

“They identified two accounts were being hacked, and all the emails were being forwarded [to a North Korean account],” Griffiths said. “The truth of the matter is that we got warned by the FBI, and the Secretariat did nothing.”

A May 2017 letter to the sanctions committee from Griffiths warned that the experts were facing a “sustained cyber campaign,” according to the email, which was reported by Reuters. Griffiths wrote that one of the expert’s computers had been breached on May 8 of that year.

“The zip file was sent with a highly personalized message which shows the hackers have very detailed insight into the panel’s current investigations structure and working methods,” the email read. Griffith also noted that a number of government representatives on the U.N. sanctions committee, which oversees the work of the experts, had also been the target of a 2016 attack.

The U.N. Secretariat has also introduced a number of other security measures, including withholding the identity of U.N. panel experts on public websites, routine sweeps for bugs in their offices, the provision of locked office doors, and the installation of sound-proofing equipment in the experts’ conference room. Arnold said the U.N.’s current strategy for detecting cyber intrusions has improved, and it is now “relatively good.”

“I think there is a much better awareness of the cyberthreat,” he added. “Its important to remember, however, that [North Korea] is not a naive actor and is quite good at adapting their modus operandi.”


North Korean leader Kim Jong-Un inspecting the test fire of an intercontinental ballistic missile Hwasong-14 at an undisclosed location in an image taken and released on July 4, 2017,. by North Korea's official Korean Central News Agency.

North Korean leader Kim Jong Un inspects the test fire of an intercontinental ballistic missile, Hwasong-14, at an undisclosed location on July 4, 2017. KCNA/AFP via Getty Images

North Korea’s Reconnaissance General Bureau manages Pyongyang’s cyber activities through two hacking branches, including the Lazarus Group, which is responsible for generating income through cyber heists and sanction evasion. A second branch, the Kimsuky group, which was established in 2013 and oversaw a number of cybercells, focused on Korean targets and the wider U.N. community.

Jenny Town recalls the crude phishing attempts beginning around 2014 and 2015, when hackers would urge recipients to click links in broken English or toss up an institutional email address next to a fake one. By 2017 and 2018, hackers had evolved, honing their phishing techniques, cutting and pasting her email text from another hacked email, and sending them to targets with an infected link. Their English had also improved.

“It’s been gradually escalating, not just for the U.N. panel of experts,” Town said. “It’s a huge problem in the whole policy community, and it’s gotten worse in the last couple of years.”

In September 2019, France’s National Cybersecurity Agency issued a report indicating that North Korea may have been targeting accounts of five countries on the Security Council: Belgium, China, France, Peru, and South Africa. They identified one email address, allegedly belonging to a Chinese diplomat, Sun Lei, who oversaw U.N. sanctions in North Korea.

The following month, according to the U.N. panel, members of the Kimsuky group sent at least eight spear-phishing emails to the official and personal accounts of current and former Security Council members, including an infected “concept note” for a supposed briefing on “the promotion and strengthening of the rule of law in the maintenance of international peace and security: international humanitarian law.”

In January 2020, the United States also informed the panel that at least three of its experts were being targeted by North Korean hackers. The activities have continued unabated, but the panelists have grown increasingly alert to the threat. In the case of the October phishing attempt, Arnold and his colleagues quickly determined the email was fake.

In an effort to identify the sender, Arnold fired off an email reply: “Great to hear from you! Thanks for sending. In preparation for our meeting on Tuesday, here’s the investigative summaries for the cases the Panel is currently working on.”

The email didnt include the summaries but rather a link that directed the hacker to the experts’ public website. The email also included an IP address logger. The hacker took the bait, clicking the link and enabling the experts to identify the sender’s IP address.

“It’s funny that it actually worked,” Arnold said. “Someone at the other end clicked on the link, twice.”

Colum Lynch is a senior staff writer at Foreign Policy. Twitter: @columlynch

Join the Conversation

Commenting on this and other recent articles is just one benefit of a Foreign Policy subscription.

Already a subscriber? .

Join the Conversation

Join the conversation on this and other recent Foreign Policy articles when you subscribe now.

Not your account?

Join the Conversation

Please follow our comment guidelines, stay on topic, and be civil, courteous, and respectful of others’ beliefs. Comments are closed automatically seven days after articles are published.

You are commenting as .

More from Foreign Policy

An illustration of a captain's hat with a 1980s era Pepsi logo and USSR and U.S. flag pins.

The Doomed Voyage of Pepsi’s Soviet Navy

A three-decade dream of communist markets ended in the scrapyard.

Demonstrators with CASA in Action and Service Employees International Union 32BJ march against the Trump administration’s immigration policies in Washington on May 1, 2017.

Unionization Can End America’s Supply Chain Crisis

Allowing workers to organize would protect and empower undocumented immigrants critical to the U.S. economy.

The downtown district of Wilmington, Delaware, is seen on Aug. 19, 2016.

How Delaware Became the World’s Biggest Offshore Haven

Kleptocrats, criminals, and con artists have all parked their illicit gains in the state.