Understanding the cyber threat from North Korea

Ed Parsons, Managing Director, UK and Henry Bureau, Research Analyst
April, 2019
5 mins read

Part three of our cyber war series provides insights from F-Secure’s research, threat intelligence and investigations on cyber statecraft, focusing on North Korea.

In the past six years, North Korea has been held responsible for a number of cyber-attacks causing disruption and financial losses on an unprecedented scale. The devastating impact of WannaCry and North Korea’s continuing nuclear weapons program, despite diplomatic efforts and sanctions, suggests the prospect of conflict extending into the cyber domain is closer than ever. Information security professionals are now expected to be foreign policy analysts, capable of interpreting and predicting the threat foreign states pose, and defending themselves accordingly. This article, the third in a short series [1], provides insights from MWR’s research, threat intelligence and investigations on cyber statecraft, focusing on North Korea.

North Korea – exploiting opportunities short of war

North Korea is perhaps the chief contributor to what the academic Lucas Kello has described as an emerging state of ‘unpeace’ [2], where states and organizations are exposed to a range of harms short of armed conflict. Like Russia, North Korea exploits the cyber domain to pursue its foreign policy goals while denying their opponents the ability to respond effectively. At a high level, its national objectives are:

  • Ensuring the survival of the regime,
  • Displaying power and defending the regime’s reputation internationally,
  • Maintaining domestic control.

These aims are manifested across cyber security incidents attributed to North Korea. For over a decade, the regime has been suspected of involvement in a cyber-espionage campaign against the South-Korean defense industrial base. The 2014 attack on Sony Pictures Entertainment remains the clearest example of the regime’s efforts to defend its reputation. Around the same time, UK producers Mammoth Screen identified similar activity while developing a fictional series on a British scientist taken prisoner in North Korea. North Korea has also used cyber tactics to extend its surveillance regime: last year the Hana Center reported the theft of around 1000 records relating to North Korean defectors [3].

Like North Korea’s nuclear weapons program, the ability to launch disruptive cyber-attacks on foreign targets allows the regime to project power and exert influence on the international stage. The WannaCry global ransomware outbreak has since been attributed to North Korea’s cyber force, known as APT38 or Lazarus group [4]. Once misinterpreted as an extortion attempt gone wrong, the attack heralded a new paradigm in cyber statecraft, marked by indiscriminate disruptive attacks impacting victims beyond traditional targets, for example political opponents and supporting industries. The US Department of Justice’s indictment of North Korean hackers is an attempt to kerb the regime’s increasingly aggressive cyber activity by denying perceived benefits such as anonymity (for perpetrators) and plausible deniability [5].

Using cyber tactics to overcome sanctions

In the context of a multi-dimensional power struggle, North Korea’s cyber-attacks on financial services institutions are the latest in a series of efforts to alleviate the economic pressure caused by sanctions imposed by a number of countries and international bodies, in response to its nuclear program. The regime’s well-documented pursuit of alternate revenue streams has featured currency counterfeiting [6], narcotics production and distribution [7], and smuggling [8]. Between 2015 and 2016, APT38 launched a wave of attacks over the SWIFT banking network, generating hundreds of millions of dollars in hard currency. Since then, focus appears to have shifted towards cryptocurrencies, including conning investors through Initial Coin Offerings (ICOs) and attacks on cryptocurrency exchanges. Research by Kaspersky Lab demonstrates the sophistication of APT38’s operations against exchanges, including supply chain compromise and the creation of macOS malware, a first for the group [9]. While the cryptocurrencies remain loosely regulated, attacks are expected to continue.

The targeting and tradecraft demonstrated in these operations suggests the regime is keen to minimize the political fallout from revenue generating operations, in marked contrast to the disruptive attacks mentioned above. North Korea focuses operations in nations that are less determinant in imposing sanctions, or otherwise lack geopolitical leverage over the regime [10]. MWR investigations, corroborated by other security companies, indicate APT38 undertakes meticulous planning and anti-forensic actions (for example, log deletion and remotely wiping infected devices) to undermine attribution.

Yet cyber-attacks are just one of the security challenges created by North Korea’s effort to generate revenue while bypassing international sanctions. Research by the James Martin Center for Nonproliferation Studies (CNS) reveals North Korea’s commercial information technology (IT) industry has operated overseas, largely unnoticed, for decades. Its global network includes a myriad of front companies, intermediaries, and foreign partnerships that facilitated entry into public- and private-sector supply chains worldwide [11].

What should organizations do to defend themselves?

While we are not at (cyber) war, and the prospect of a cyber-attacks escalating into armed conflict is remote, organizations can take steps to mitigate the threat from North Korea:

  • Optimize threat and vulnerability management, including emergency patching, to minimize exposure to automated attacks leveraging publically disclosed vulnerabilities.
  • Develop and utilize intelligence sharing platforms and relationships with law enforcement and cyber security agencies to enrich threat hunts and improve understanding of the latest TTPs.
  • Rehearse organizational response to a disruptive cyber-attack, utilizing recent examples of wormable malware infections.
  • Fintech organizations and others offering cryptocurrency related services should develop the capability to predict and detect attacker behavior commensurate with APT38’s modus operandi.
  • Factor open source intelligence (OSINT) analysis into supply chain risk assessments to determine provenance of third parties.

[2] Kello, L., The Virtual Weapon and International Order (2017), Yale.

[10] Affected regions include Bangladesh, India, Vietnam, Indonesia, Thailand, Latin America, Iraq, and African nations such as Ethiopia, Kenya, Nigeria, South Africa, and Gabon.

Accreditations & Certificates

F-Secure Consulting (F-Secure Cyber Security (Pty) Ltd) is a level 4 contributor to B-BBEE with a procurement recognition level of 100%. Learn more and download our B-BBEE certificate. Click here to read the press release.

Follow us
@fsecure_consult F-Secure-Consulting f-secure-foundry fsecurelabs