In early March 2023, the 3rd meeting of the Republic of Korea-United States working group on the North Korean (DPRK) cyber threat met in Washington, D.C. Representatives included but were not limited to U.S. officials from the FBI, Justice, State, Treasury and South Korean officials from Ministry of Foreign Affairs and North Korean Nuclear Affairs. The group convened and exchanged information on the DPRK’s involvement in cybercrime, cyber espionage, and the potential threat of intellectual property and other questionable activities from DPRK information technology (IT) workersstationed in foreign countries. The group has been active since it first convened in August 2022, and again in November that year, a good sign demonstrating a joint commitment toward reigning in the DPRK’s malicious cyber activities. Policy coordination, potential cyber sanction implementation, and the sharing of threat information have been among the topics discussed during these meetings.
Attention given to the DPRK cyber threat ebbs and flows depending on other considerations taking place in the world. The Ukraine conflict is one such crisis that has commanded international attention, and for cyber watchers especially who have eagerly watched and analyzed how a top tier cyber power like Russia has executed its cyber war on Ukraine using state and nonstate assets. Equally, China garners frequent scrutiny from the global community, and has been assessed by the U.S. government as being the “broadest, most active, and persistent” state actor when it comes to leveraging cyberspace to support its national interests. Spy cranes, spy balloons, and its aggressive ongoing cyber theft of sensitive U.S. government and military information have consistently made China the primary cyber threat to U.S. interests. Even Iranhas elbowed its way into international headlines, as well. It’s ongoing cyber war with Israel in which it has shown its willingness to target critical infrastructures impacting civilians is never too far out of mind for U.S. policymakers.
But North Korea has been a different beast altogether, not being taken too seriously as a capable cyber actor until 2014 attack against Sony. Since then, the DPRK has steadily developed its cyber capabilities, a testament to how dedicated resourcing in this area can quickly yield substantial results. The recent Directorate of National Intelligence assessmentacknowledged North Korea’s increasing capabilities to engage in “sophisticated and agile” offensive cyber operations to include crime, espionage, and cyber attacks. As such, the Intelligence Community believes that North Korea can likely conduct temporary disruptions against critical infrastructure and business networks, a logical presumption given its wiper attack against Sony. Nevertheless, despite these traditional state forms of cyber malfeasance, North Korea has been proficient and adept at conducting cybercrime, targeting banks, cryptocurrency exchanges, and ransomware operations in an effort to steal money to circumvent economic sanctions and support its weapons of mass destruction development.
What’s more, the criminal proclivity to DPRK operations facilitates engagement with other prolific cyber criminal elements (especially Russian gangs) that have demonstrated success in stealing large amounts of money and circumventing law enforcement. The extent of this collaboration is not fully understood, as the U.S. National Security Advisor cyber did not provide further comment when asked about it. Still, it is logical to presume DPRK actors may share and/or purchase information, tools, or cooperation with their criminal counterparts depending on the target and any agreed upon renumeration. In this way, the DPRK looks to be the one state actor that uses its cyber capabilities to directly support its regime in a nontraditional way and serve as a possible blueprint for other heavily sanctioned regimes to follow in their footsteps. For example, in 2022, the United States sanctioned a group of Iranians affiliated with the Islamic Revolutionary Guard Corps for conducting ransomware campaigns. Though it is not known if these activities were for personal profit rather than regime advantage, Iran has demonstrated an ability to quickly exploit cyberspace for influence and disinformation operations when it realized the advantages of doing so. As one of the most sanctioned governments in the world, any ratcheting up of these financial punitive actions could easily lead Iran to temporarily turn to cybercrime for similar economic relief.
North Korea is in synch with the rest of the world with what cyberspace affords them: 1) an avenue to project power and conduct asymmetric activities; and 2) a means for collecting sensitive information. Further complicating matters are the DPRK’s increasing cyber capabilities. These actors are already using previously undocumented malware in their current operations, indicating that they have the skillsets to create malware or have the resources to access them. North Korea is no longer a burgeoning power; it’s a state that ranks among the most capable cyber-capable states in terms of using all facets of cyber for state power. However, its focus on cybercrime as a means of sanction easement presents the United States and West an opportunity to mitigate some of the threat it is not able to replicate against other cyber adversaries. U.S. policy favors denuclearization of the Korean peninsula. And while it may not ever be able to deter DPRK’s goals of obtaining a nuclear weapon, severely obstructing its ability to fund it can certainly slow down the process.
Aside from trying to execute a Stuxnet-like attack that could provoke an unpredictable response from Pyongyang and dangerously escalate tensions if exposed, the DPRK situation offers the United States an opportunity to develop a strategy to reduce a nation’s cyber threat because it is so heavily invested in cybercrime to help sustain a hostile regime. Even though the U.S. government has implemented several cyber sanctions against North Korea, it hasn’t been enough to reduce the rogue government’s appetite to engage in this low cost, high reward enterprise. The United States’ new National Cybersecurity Strategy may offer some insight into how the United States could increase its attention on North Korea by focusing on those cryptocurrency exchanges on which cybercriminals rely, focusing anti-money laundering efforts in order to prevent and where appropriate, interdict illicit payments. These actions coupled with a potential United Nations treaty on cybercrime in the not-so-distant future could provide the United States an international collaboration not unlike what’s transpiring in Ukraine to mitigate the North Korean cyber threat. And if that occurs, Washington may find enough arrows in the quiver to achieve some more meaningful results when it comes to reducing one state’s malicious cyber activity.