Cyber operations in North Korea are becoming increasingly sophisticated.
Cyber operations in North Korea (DPRK) are more diverse, aggressive and capable than often realized. According to the cyber security firm FireEye, “There is no question that DPRK has become increasingly aggressive with their use of cyber capabilities. They are not just focused on espionage — we’ve seen them use it for attack, we’ve seen them use it for crime. …They are showing up in places outside South Korea [and] continuing to expand capabilities.” DPRK cyber warriors regularly exploit so-called zero-day vulnerabilities — undiscovered flaws in operating systems that allow a breach of defenses.
Moreover, cyber experts in DPRK are now capable of stealing documents from vital computer networks isolated from the internet — air-gapped — such as military servers and power plant control systems. Even air-gapped networks can be infiltrated, because computers that are not connected to the internet still leak electromagnetic radiation during operation. By measuring those emanations, a cyber warrior can “extract the whole secret key by monitoring the target’s electromagnetic field for just a few seconds,” according to a recently published paper.
The DPRK cyber warfare program has clearly advanced over the past few decades. In the early 1990s, when computer networks were beginning to reach a level of maturity, a group of North Korean computer scientists proposed using the internet to spy on and attack enemies. These computer scientists were introduced to cyber military purposes by observing other countries’ uses of the internet as they traveled abroad. The DPRK program began by identifying promising young students for training in China’s top computer science programs.
By the late 1990s, the FBI noticed that DPRK officials assigned to work at the United Nations in New York were also enrolling in university computer programming courses there. The DPRK’s cyberwarfare program continued to gain in priority after the 2003 US invasion of Iraq. After watching the American “shock and awe” campaign, Kim Jong-un’s father, Kim Jong-il, asserted, “If warfare was about bullets and oil until now, warfare in the 21st century is about information.” Pushing the DPRK’s cyber units to dramatically level up in capability again and building on his father’s observation, Kim Jong-un allegedly said, “Cyber warfare, along with nuclear weapons and missiles, is an ‘all-purpose sword’ that guarantees our military’s capability to strike relentlessly.”
Institutions and Individuals
North Korea’s cyber operations are run by the clandestine Reconnaissance General Bureau (RGB) and by the military’s General Staff Department (GSD). The RGB is the center of the DPRK cyber activity as well as more traditional subversive and clandestine activity. Formed in 2009 from various intelligence and special operations units — tasked with unconventional and political warfare, subversion, propaganda, kidnappings and assassinations, intelligence and special operations — the RGB combined these units into one organization. General Kim Yong-chol was the founding director of the RGB from 2009 to 2016. The Japanese press speculates that the new director of the RGB could be an official named Jang Kil-su, while others speculate that the new director could be General No Kwang-chol.
Regardless of its de jure reporting status, the RGB de facto answers directly to the National Defense Commission and Kim Jong-un in his role as supreme commander of the military. Notable examples associated with the RGB, and the offices that were combined to create it, are subversive provocations short of armed conflict, such as the 2010 sinking of the South Korean Cheonan naval vessel, as well as its extensive cyber activities.
The GSD, the military wing of cyber operations and broadly comparable to the US Joint Chiefs of Staff, oversees operational aspects of the entire DPRK military as well as having authority over numerous operational cyber units. GSD units are tasked with political subversion, cyber warfare and operations such as network defense. So far the DPRK does not seem to have organized these units into an overarching cyber command. Specifically, the GSD’s Operations Bureau has been attributed with conducting cyber operations and perhaps propaganda/psychological warfare using cyberspace as a medium, but information about the nature of these operations, as well as the subordinate unit conducting them, has been sparse.
The DPRK’s cyberattacks often emanate from third party countries and use hijacked computers. Those ordering and controlling the attacks communicate to cyber warriors and hijacked computers from within North Korea. In an attempt to interfere with the connection between the internal commands and external attack sites, the US Cyber Command carried out denial of service (DoS) attacks against the DPRK in an attempt to limit their access to the internet.
In part as a response to DoS attacks and attempts to shut down its main international internet access, the DPRK has moved to increase its capability to conduct cyberattacks by diversifying its access to the internet. Initially, the DPRK’s internet traffic was handled via China Unicom under a 2010 deal. The DPRK opened a second internet connection with the outside world in October 2017, this time via Russia. Dyn Research, which monitors international internet traffic flows, saw the Russian telecommunications company Trans Telecom routing the DPRK traffic. The Russian internet provider now appears to be handling roughly 60% of the DPRK internet traffic, while the Chinese internet provider transmits the remaining 40%. “This will improve the resiliency of their network and increase their ability to conduct command and control over those activities,” a Dyn Research executive said.
The DPRK has emerged as a significant cyber actor, with both its clandestine and military organizations exercising substantial capability to conduct cyber operations. Its strategy emphasizes asymmetric and irregular operations, in a state of constant military preparedness for both low-intensity and high-intensity conflict, to counter adversaries’ military strength. The DPRK’s low-intensity conflict strategy is to launch unconventional operations to disrupt the status quo without escalating the situation to a level the DPRK cannot control or win. However, if high-intensity kinetic war breaks out, the “quick war, quick end” strategy is to launch extensive irregular operations, which include cyberwarfare, to exploit the adversary’s vulnerabilities and target command, control, communications, computers, intelligence, surveillance and reconnaissance (C4ISR) in a military blitzkrieg.
In support of its cyber strategy, the DPRK maintains an information technology base that serves as a general research and developmental foundation for computer technology and programming. The existence of a software and computer industry means that the DPRK’s cyber industries are increasingly advanced. This research and development means the DPRK is capable of sophisticated cyber operations in conjunction with psychological operations, military exercises and missile tests.
While other countries, like New Zealand, Singapore and Canada, have complained about cyberattacks from the DPRK, most of North Korea’s cyber focus is on South Korea and the US. The DPRK’s most famous strike was an unconventional attack in 2014, against Sony Pictures Entertainment, to block the release of a political farce movie, The Interview, which satirized an attempt to “kill” DPRK leader Kim Jong-un. What has been less publicized is that the DPRK also unconventionally attacked a British television network a few weeks earlier in 2014 to stop the broadcast of a drama about a nuclear scientist kidnapped in Pyongyang. This type of unconventional cyberattack is different from most countries’ cyber strategy, but similar to cyberattacks on South Korea’s television station in 2013.
The DPRK has also conducted a series of cybercrimes to both disrupt the international system and gain much needed foreign currencies. US intelligence officials linked the DPRK to the WannaCry ransomware attack in May 2017. The WannaCry attack involved an outbreak of malware that infected more than 230,000 computers in over 150 countries.
Although the findings have not been independently verified, researchers in South Korea say attacks in 2017 on virtual currency exchanges have the digital fingerprints of the DPRK cyber forces. South Korea is home to some of the world’s largest virtual currency exchanges and accounts for 15% to 25% of world bitcoin trading. On December 18 and 19, 2017, a virtual currency company, Youbit, suffered two cyberattacks that cost it 17% of its assets, forcing the exchange to halt operations and file for bankruptcy. Similarities between the December cyberattacks and an April 2017 cyberattack included the use of malicious code previously used by the DPRK.
Even more seriously, a South Korean lawmaker revealed in 2017 that the DPRK had successfully broken into the South’s military networks to steal war plans, including for the “decapitation” of the DPRK leadership in the opening hours of a theoretical war on the Korean peninsula. There is also evidence the DPRK planted so-called digital sleeper cells in South Korea’s critical infrastructure that could be activated to paralyze power supplies and military command and control networks. Additionally, the DPRK stole F-15 fighter jet wing blueprints from its neighbor’s computers.
The DPRK’s Hidden Cobra program was created to deploy cyberattacks against enemy states. Since 2009, the DPRK has conducted cyberattacks and infiltrated US aerospace, telecommunications, financial industries and critical infrastructure sectors in both the US and around the world. Hidden Cobra includes Volgmer and FALLCHILL. US Homeland Security and the FBI released technical details of the DPRK cyberattacks in alerts containing IP addresses associated with Volgmer, one of the backdoor Trojans the DPRK has used for years.
They similarly released information on a DPRK malware titled FALLCHILL. FALLCHILL gains entry into a computer when a user unwittingly downloads it from an infected website or as a secondary payload from another malware that had infected the system. FALLCHILL can retrieve information as well as execute, terminate and move processes and files; it is hard to detect because it can also clean up after itself. Hidden Cobra is the same program that claimed responsibility for the Sony Pictures cyberattack in 2014.
Cyber operations in the DPRK are becoming quite sophisticated. In designing these cyberattacks, DPRK strategy emphasizes asymmetric and irregular operations in both peacetime and wartime to counter adversaries’ military strength. Peacetime strategy is to launch low-intensity unconventional operations like cyberattacks and wartime strategy is to use cyber capabilities in hybrid blitzkrieg operations.
While keeping abreast of international cyber capabilities, the DPRK maintains a national information technology base that conducts the national research and development necessary for its cyber operations. This should leave the international community in no doubt that not only is the DPRK a significant actor in cyberwarfare, but also that the North Korean leadership is committed to further development of its operations and capabilities.
The views expressed in this article are the author’s own and do not necessarily reflect Fair Observer’s editorial policy.