North Korea Does More Cyberspying Than You Think

The Hermit Kingdom doesn’t just steal cryptocash; it steals state secrets—especially from neighbors.

A man watches a television showing a news broadcast with file footage of North Korea's leader, Kim Jong Un, at the Seoul railway station in Seoul, South Korea, on May 31. Jung Yeon-Je/AFP via Getty Images

A mention of North Korean hackers typically conjures images of either crippling cyberattacks or, more often, massive cryptocurrency heists. But a new report on the authoritarian state’s capabilities and tendencies paints a different picture.

The report, prepared by cyber-intelligence firm Recorded Future and shared exclusively with Foreign Policy, labels espionage as the predominant motive of North Korea’s cyberprogram. Recorded Future analyzed 273 cyberattacks over a 14-year period linked to North Korean state-sponsored groups and found that information collection was the primary motivation for more than 70 percent of them.

“The narrative seems to be that North Korea is a bunch of cybercriminals that are backed by a state, but they’re just pulling off all of this financially motivated cybercrime, and that is one aspect of their strategy,” said Mitch Haszard, a senior threat intelligence analyst at Recorded Future and lead author of the report.

“But what this report shows is that they’re still heavily focused on information collection, or cyber-espionage, and they conduct more of those operations than they do financially motivated or financial theft operations.”

Pyongyang predominantly seeks to use cyber-operations to either “gain insight into how its adversaries think” or “access to information on technologies” that will help it in a conflict with those adversaries, the report said. Government entities are the most frequent targets, followed by cryptocurrency, media, finance, defense, and nongovernmental organizations.

“North Korea’s leadership appears to be much more interested in learning about what others think of them, gathering information that can help them develop nuclear and ballistic missile technology, and stealing money to fund their regime,” the report added.

However, North Korea’s obsession with cryptocurrency is unique, and the country’s cyber-operations are one of its biggest avenues to prop up its nuclear arsenal. Anne Neuberger, the White House’s cyber czar, said at an event in Washington last month that half of the regime’s missile program is funded by cryptocurrency and cyberheists.

“There aren’t really any other states or countries that are trying to steal cryptocurrency, so North Korea is unique in that perspective, but they still do a lot of things that other states do,” Haszard said.

The heists tend to make headlines: North Korean hackers have been linked to thefts worth billions of dollars from cryptocurrency exchanges around the world in recent years, including two high-profile attacks on exchanges in Estonia and California so far this year. Beyond crypto, North Korea has been linked to larger and more disruptive global attacks, starting with the crippling of Sony Pictures just under a decade ago that put its cybercapabilities on the map. That was followed by a hack of Bangladesh’s central bank that compromised the global financial transfer system known as Swift, and a crippling of the United Kingdom’s National Health Service.

However, Haszard and his colleagues found that the vast majority of North Korea’s cyberactivity goes after targets much closer to home. Nearly 80 percent of the attacks for which geographic information is available took place in Asia, according to the report. Most of that is in its immediate neighborhood: South Korea accounted for just over 65 percent of the targets among the 29 countries where attacks took place. The United States is a distant second, at 8.5 percent, and no other country accounted for more than 3 percent of North Korean attacks.

Recorded Future found that Lazarus, the most notorious and high-profile hacking group linked to the authoritarian regime, tends to go after more global targets but is not the most common perpetrator of cyberattacks. That distinction belongs to a group called Kimsuky, which mainly targets Asian government and civil society entities and accounted for more than one-third of total attacks. According to multiple U.S. law enforcement agencies, Kimsuky hackers pose as South Korean journalists, exchanging emails with their targets on the pretext of setting up interviews before sending them a link or document embedded with malware. That malware, known as BabyShark, gives hackers access to the victims’ devices and communications. “Kimsuky actors have also been known to configure a victim’s email account to quietly auto-forward all emails to another actor-controlled email,” a joint cybersecurity advisory by the FBI, National Security Agency, and South Korean authorities earlier this month said.
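The auto-forwarding behavior quoted from the advisory is one of the few Kimsuky tactics that leaves a durable, auditable trace: a mailbox rule or forwarding setting that sends a copy of every incoming message to an address outside the organization. The script below is an added example (it is not from the Recorded Future report, the advisory, or this article) showing how a defender might audit exported inbox rules for that pattern. The rule structure, the organization domain `example.gov`, and the sample rules are all constructed for the illustration; real exports from Exchange, Microsoft 365, or Google Workspace have their own formats and would need to be mapped into this shape first.

```python
"""Audit exported inbox rules for covert external auto-forwarding.

Added example, not from the report or the advisory. The rule format below is a
constructed, simplified stand-in for what a mail-platform audit export contains;
real exports differ in shape and must be mapped into InboxRule first.
"""
from dataclasses import dataclass, field

# Constructed: the organization's own mail domains. Forwarding to these is normal.
INTERNAL_DOMAINS = {"example.gov"}


@dataclass
class InboxRule:
    mailbox: str                                     # owner of the rule
    name: str                                        # rule name as shown to the user
    forward_to: list = field(default_factory=list)   # addresses the rule forwards/redirects to
    conditions: dict = field(default_factory=dict)   # empty dict means "applies to every message"
    enabled: bool = True


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def is_external(address: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    """True if the address belongs to a domain the organization does not own."""
    return _domain(address) not in {d.lower() for d in internal_domains}


def assess_rule(rule: InboxRule, internal_domains=INTERNAL_DOMAINS) -> list:
    """Return reasons this rule matches the catch-all external forward pattern.

    An empty list means the rule looks benign under these checks.
    """
    reasons = []
    if not rule.enabled or not rule.forward_to:
        return reasons
    external = [a for a in rule.forward_to if is_external(a, internal_domains)]
    if not external:
        return reasons
    reasons.append(f"forwards to external address(es): {', '.join(external)}")
    if not rule.conditions:
        # No filter at all: every message the mailbox receives is copied out.
        reasons.append("applies to every incoming message (no conditions)")
    return reasons


def find_suspicious_rules(rules, internal_domains=INTERNAL_DOMAINS) -> list:
    """Run assess_rule over an export and return (mailbox, rule name, reasons) tuples."""
    findings = []
    for rule in rules:
        reasons = assess_rule(rule, internal_domains)
        if reasons:
            findings.append((rule.mailbox, rule.name, reasons))
    return findings


# Constructed sample export: three rules across two mailboxes at a fictional agency.
SAMPLE_RULES = [
    InboxRule("analyst@example.gov", "Archive newsletters",
              conditions={"from_contains": "newsletter"}, forward_to=[]),
    InboxRule("analyst@example.gov", "Sync",
              forward_to=["backup.mail.7731@webmail.example"]),   # unconditional external forward
    InboxRule("director@example.gov", "Send reports to deputy",
              conditions={"subject_contains": "weekly report"},
              forward_to=["deputy@example.gov"]),
]


if __name__ == "__main__":
    for mailbox, name, reasons in find_suspicious_rules(SAMPLE_RULES):
        print(f"[!] {mailbox}: rule '{name}'")
        for reason in reasons:
            print(f"      - {reason}")
```

Only the innocuously named "Sync" rule is flagged: it forwards to an address outside the organization and has no filtering condition, which is exactly the "quietly auto-forward all emails" configuration the advisory describes. In practice the same check belongs on mailbox-level forwarding settings as well as on rules, and pairing it with an alert on rule-creation events catches the change when it is made rather than at the next audit.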

While Pyongyang has established its ability to disrupt critical infrastructure in the West and conduct ransomware attacks, it has become less likely than other cyber-capable adversaries, such as Russia and China, to conduct those types of attacks. It prefers to go smaller, faster, and more frequently, deploying more basic techniques such as stealing passwords or sending phishing emails, which infect systems with malware by fooling users into clicking on dodgy links.

“The thing that I see in my tracking of North Korean threat actors is an incredible amount of activity that is generally low-sophistication in nature,” Haszard said, adding that that’s likely a matter of strategy rather than ability. “They’re achieving a lot of success doing the kind of lowest-common-denominator cyberattacks. So if it were me, why would I change?”

Rishi Iyengar is a reporter at Foreign Policy. Twitter: @Iyengarish
