North Korea Knows How Important Its Cyberattacks Are

Pyongyang’s tradition of guerrilla warfare keeps its “all-purpose sword” sharp.

By Benjamin R. Young, an assistant professor at the Wilder School of Government & Public Affairs.
Workers monitor computer displays in a control room in the Hungnam Fertilizer Complex in Hamhung, North Korea, on Feb. 4, 2019. Carl Court/Getty Images

North Korea’s cyberattacks became famous in 2014, when Pyongyang’s hackers targeted Sony Pictures, seemingly in retaliation for a satirical movie about North Korean leader Kim Jong Un. But the reclusive regime’s greatly improved cybercapabilities are not a joke. They’re a serious threat to the stability of the global economy and critical infrastructure systems.

North Korean hackers have gone on to bigger and more financially profitable targets. Since 2014, North Korean hackers have attacked Bangladesh’s central bank, the U.K. National Health Service, and, more recently, cryptocurrency exchanges. And the odds are that many more major North Korean cyberattacks are to come in the near future.

In internal regime discourse, Pyongyang proudly refers to its cyberoperations as its “all-purpose sword.” According to testimony from a South Korean intelligence chief, Kim reportedly stated: “Cyberwarfare, along with nuclear weapons and missiles, is an ‘all-purpose sword’ that guarantees our military’s capability to strike relentlessly.” Subversive, criminal operations are a style of asymmetric warfare long embraced by the North. The country’s founding leader, Kim Il Sung, earned his nationalist credentials by fighting Japanese colonialists in the 1930s. His guerrilla band later became the political elite of the North Korean state. During the Cold War era, Kim regularly deployed guerrillas to subvert and instigate the South Korean government. North Korea’s hackers are the 21st-century version of guerrilla fighters, moving in the dark and striking at the most vulnerable points.

Historically, guerrillas often depended on banditry and robbery to survive—and one reason for the recent amping up of cyberattacks is financial worries. While Kim Jong Un’s recent missile tests garner international condemnation and head-shaking in Washington and Seoul, Pyongyang’s cyberoperatives work in the shadows. Due to the COVID-19 pandemic, North Korean borders have been sealed shut for the past two years. North Korean trade with China has largely stalled, and many foreign diplomats have left the country, making the already reclusive state even more isolated.

Nonetheless, North Korean hackers work diligently in an effort to bolster the depleted coffers of the party elite. Between 2011 and 2020, North Korean cybercriminals stole more than $1 billion worth of cryptocurrency. In 2021, North Korean hackers allegedly stole close to $400 million worth of crypto coins. The blockchain analysis company Chainalysis wrote in a recent report that “North Korean cybercriminals had a banner year in 2021.” The regime’s investment in its cyberoperations is likely providing a vital economic buffer for the isolated and paranoid leadership. According to an unclassified 2021 report from the U.S. Office of the Director of National Intelligence (ODNI), North Korea’s cybercrime likely funds “government priorities, such as its nuclear and missile programs.”

North Korea is also engaged in more conventional espionage. A cybersecurity firm recently uncovered that the North Korean hacking group Lazarus used two decoy Microsoft Word documents that resembled Lockheed Martin employment information in order to deliver payloads to unsuspecting users. Using spear-phishing attacks, the Lazarus group has increasingly targeted job-seekers in the U.S. defense and aerospace industries with fake documents that are infected with malware.

Despite relatively good relations between Pyongyang and Moscow, North Korean hackers have even targeted Russia’s foreign ministry with malware. In what seems to be a counterstrike against the analysts who uncover their hacking operations, Pyongyang’s cyberagents are using fake social media profiles to infect the computers of cybersecurity researchers with custom backdoor malware.

So, why have foreign-policy experts and policymakers themselves largely ignored North Korea’s increasingly sophisticated cyberoperations? Well, firstly, cyberattacks are less obvious than missile tests. Kim’s numerous missile tests are a frequent and unignorable reminder of his regime’s nuclear arsenal and military capabilities. Cyberattacks take place in the dark corners of the internet and are not always obvious to even the targets.

Secondly, most policymakers struggle with understanding that North Korea is a technological peer nation in cybersecurity. Despite being a deeply impoverished country with a crumbling health care system and less than 10 percent of its non-highway roads paved, the North Korean leadership has attained significant expertise and development in its cybersector. As part of its militaristic worldview, North Korea prioritizes investment in regime stability and the defense industry over economic improvement for its citizens.

North Korea’s asymmetric capabilities have allowed a nation with a GDP roughly equivalent to that of Mozambique to be able to compete with the world superpowers in cyberspace. The stereotype of North Korea’s Kim Jong Un as a buffoonish character on the international stage has impeded U.S. strategic thinking toward North Korea as a very real threat in cyberspace.

And finally, fearing financial loss and public relations fiascos, companies and businesses are hesitant to release information to the public about North Korean cyberattacks. Since many CEOs solely prioritize their company’s bottom line, details of cyberattacks often get swept under the rug. In 2016, the FBI’s Internet Crime Complaint Center estimated that only 15 percent of cybertheft victims in the United States reported their crimes to law enforcement.

So, what can be done to bolster defenses against North Korean hackers? Cyberattacks are part of North Korea’s historical commitment to asymmetric warfare, and it will not change course no matter how much we publicly condemn its actions. Rhetoric won’t work unless it has teeth. Guerrilla warfare, in cyberspace and the physical world, has long been embraced by the regime.

The United States needs to address the role and complicity of the Chinese Communist Party (CCP) in North Korea’s cyberoperations. From hosting North Korean cyberunits in border cities such as Shenyang to training them at Chinese technology universities and research institutes, the CCP enables North Korea’s maliciousness in cyberspace. In 2016, a South Korean cybersecurity researcher estimated that around 600 to 1,000 North Korean cyberwarfare agents operate in China. In addition, most, if not all, of the internet traffic from North Korea runs through Chinese access providers. Many North Korean hackers get their education in China’s tech universities and then bring back their skills to their homeland.

We need to cut off this supply of North Korean hackers and address the fact that the Chinese government knowingly enables North Korea’s malicious cyberoperations. In October 2020, John Demers, then the U.S. assistant attorney general for national security, mentioned at a think tank event that “there is support through Chinese cyberinfrastructure. There’s likely support in terms of sharing expertise and training from the Chinese side.” Since the U.S. national security apparatus seemingly acknowledges this Sino-North Korean cyberpartnership, the U.S. government should sanction the Chinese entities that enable and assist North Korean cybercrime, such as the Harbin Institute of Technology, which hosts North Korean computer science students. In 2019, China’s education minister signed an agreement with the North Korean government on the continuation of educational exchanges and partnerships from 2020 to 2030. The Chinese government will continue to see North Korean cybercapabilities as a useful proxy force to weaken and frustrate U.S. interests.

Finally, U.S. companies and businesses need to share information about North Korean cyberattacks with the general public so that others can act to prepare themselves. As noted in the ODNI report, North Korea “probably possesses the expertise to cause temporary, limited disruptions of some critical infrastructure networks and disrupt business networks in the United States.” The last thing anyone needs during the pandemic is an already brittle critical infrastructure to be at the mercy of Kim Jong Un.

Benjamin R. Young is an assistant professor at the Wilder School of Government & Public Affairs at Virginia Commonwealth University. He is the author of Guns, Guerillas, and the Great Leader: North Korea and the Third World.
