The North Korean sideshow: Why missiles shouldn't be the only security concern

September 22, 2017 | 2 minute read

With the leaders of the U.S. and North Korea exchanging threats and personal insults and the escalating global tension around the Democratic People’s Republic of Korea (DPRK) missile tests, the reclusive nation’s cyber program is likely to spin into high gear and include destructive retaliatory strikes.

The exchange of threats actually plays into North Korea’s propaganda machine and is likely viewed as a blessing by the country’s elites. The overt threat of nuclear war will reinforce the regime’s narrative that North Korea is under constant threat from the U.S. and all the ills facing the nation’s population are a direct result of these foreign powers.

The new UN sanctions levied against North Korea as a result of its missile tests cannot be ignored. If the sanctions take full effect and are fully enforced, North Korea would face unprecedented financial pressure. The country’s GDP could be reduced by one third, with potentially catastrophic consequences to a regime barely able to provide essential services to its citizens.

If this scenario plays out, the result will likely be a large boost in illicit activity in an attempt to raise revenue to compensate for the sanctions. The global financial industry is likely to see a large spike in hacking activity while traditional scamming operations against online gaming communities will increase. North Korea will likely increase its attempts to hack cryptocurrency exchanges given the recent string of successful heists. The regime’s immediate need to bolster their finances will likely lead to a decrease in North Korea’s operational capacity to conduct destructive attacks and traditional espionage. As the sanctions impact North Korea’s finances, the country will look to operate more like a Narco state with its income derived from the sale and execution of cyber intrusions instead of drugs.

Today, DPRK’s cyber activity is often been talked about in terms of radical actions and Bond-style plots. However, the nation’s activity appears to be driven by three rational motives: spying, attacking and racketeering.

Spying: Traditional espionage takes place on a regular basis, although these activities are hardly ever talked about. Earlier this year, a group was caught sending remote access trojans to U.S. defense contractors. This type of activity is often overshadowed by North Korea’s other cyber goals.

Attacking: Charting the instances of North Korean destructive cyber activity shows that the regime uses destructive cyber attacks to retaliate for perceived provocations. The satirical portrayal of North Korean leader Kim Jong-Un in the movie The Interview was widely cited as the motivation for the 2014 Sony Pictures attack. The March 2013 DarkSeoul attack against South Korea that crippled news stations, financial institutions and government websites was a direct response to military exercises hosted by the U.S. and South Korea earlier in the month.

Racketeering and money generation: North Korean hackers have been conducting low-level activity for over a decade to generate hard currency for a regime constantly under economic sanctions. The most spectacular example of this activity was the 2016 Bangladesh Central Bank, which resulted in adversaries making off with $81 million. The hackers employed by the North Korean government are under significant pressure to create a steady stream of remittances back to the country’s government. This makes North Korea the only country to knowingly sponsor and task hackers who conduct all three types of activity, spying, attacking and racketeering.

Ross Rustici
About the Author

Ross Rustici

Ross Rustici is Cybereason's Senior Director of Intelligence Services.