Recently, the United States, South Korea, and Japan convened their third trilateral dialogue focused on countering the cyber threat posed by North Korea (DPRK). The three governments reiterated the need to collaborate against North Korea’s offensive cyber activities, which have continued to evolve over the past decade. Nearly 20 government agencies were represented in discussions that covered the use of diplomacy, the imposition of autonomous sanctions, and private sector efforts to curb North Korean cyber malfeasance, which ranges from cryptocurrency heists to cyber espionage to the use of third-party facilitators to launder stolen money. Though the meetings concluded on a positive note, with the three governments fundamentally in accord that their continued cooperation is essential in addressing these matters, little was said about what the next steps would be, if any.
The U.S. government has been actively keeping the cyber threats posed by China, Iran, North Korea, and Russia in the public’s eye, publishing numerous advisories about ongoing offensive cyber operations conducted by state actors from each of these governments. North Korea has garnered recent attention for the continued development of its cyber program, expanding its activities far beyond the theft of money and cryptocurrency, which has been nothing short of remarkable. For a country nearly isolated from the rest of the world, with limited Internet access and a self-reliant tech industry whose advanced technology development lags behind the rest of the world, North Korea has proven itself innovative in overcoming its shortcomings.
This is especially evident in its cyber capabilities, which extend beyond the usual cyber theft/cyber disruption playbook that most state actors are known to follow. North Korea has shown itself to be at the forefront of successfully using its cyber capabilities in other areas, such as crypto theft and ransomware as a money-making tactic, providing other states a blueprint that can be replicated. Some of the more prominent cyber events linked to North Korean state actors show not only a progression toward greater sophistication in how they operate, but also some ingenuity in the tactics they employ. The following list is representative of this maturation, further illustrating the versatility of this asymmetric capability:
- In 2024, North Korea deceived a U.S. security company by having a spy infiltrate the company under the guise of employee recruitment. The insider threat convincingly posed as a U.S. citizen working from the United States and was able to download malware onto the company’s computer. Though detected early, the activity showed further evolution of North Korea’s attempts to use cyber as a means to reach its goals.
- Also in 2024, North Korean actors demonstrated that they embrace cyber espionage as a viable tactic to obtain sensitive information in support of the government’s national objectives. In this instance, the group targeted defense, aerospace, nuclear, and engineering organizations to obtain intellectual property to advance the government’s nuclear program.
- The 2022 North Korean ransomware attacks saw DPRK actors target the healthcare and public health sector for the purpose of extorting large ransoms, presumably to continue funding its weapons of mass destruction program. This effort was a marked improvement over 2017’s WannaCry ransomware attack, which proved not as remunerative as intended.
- A CISA advisory disclosed North Korea’s ongoing interest in targeting blockchain technology and the cryptocurrency industry, including cryptocurrency exchanges, decentralized finance protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency for the purposes of generating and laundering funds.
- In 2020, an advisory detailed the activities of North Korean cyber actors dedicated to robbing banks via remote Internet access, who have attempted to steal nearly USD $2 billion since at least 2015. More concerning, according to the advisory, is that these actors have manipulated critical computer systems at banks and other financial institutions.
- In 2014, North Korean actors conducted an attack on Sony and successfully deployed wiper malware on its network, in addition to stealing intellectual property from the company.
The challenge of countering North Korean cyber operations is that they are a blend of typical state operations and cybercrime, interchanging tactics and procedures freely and consistently evolving; recently, these actors were seen exploiting a browser zero-day vulnerability to support cryptocurrency theft. Use of such a valuable vulnerability, one that is expensive to obtain, reinforces the priority the North Korean regime has placed on stealing money to support regime projects. Several initiatives have disrupted North Korean cryptocurrency theft, such as imposing sanctions on entities that facilitate and enable criminal activities, and bringing legal charges against individuals who create havens for large-scale money laundering in support of these state-driven activities. This kind of enforcement has yielded positive results, at least temporarily. Whether North Korea or more traditional cybercriminal elements, these hostile actors are finding alternatives to continue what they are doing. Disruption is not destruction, and unless authorities continue to hound these perpetrators, there will be enough reprieve for them to regroup and start again.
Notably, the takeaway summaries of the trilateral made no specific mention that the United States would commence U.S. Cyber Command-led “hunt forward” operations in tandem with either Japan or South Korea to address North Korean cybercrime. After all, according to the general in charge of them, CYBERCOM has at least one team, possibly more, dedicated to North Korean actors, as well as to other state adversaries. This may be because legal means are a better approach, at least with respect to the privately owned “mixing services” that enable so much cybercriminal activity. Still, North Korea’s state cyber assets engage in both cybercrime and more traditional cyber espionage, and while taking down a privately owned and operated entity may test the boundaries of permissible legal action, the infrastructure used by these actors should be fair game. Whether this speaks to the desire to use hunt-forward operations in this capacity, or is more a reflection of the commitment behind this trilateral, remains to be seen. Platitudes make for great public statements, but rarely translate into an effective and actionable multi-participant international policy.
But if the trilateral is a strong body, there is an opportunity for the United States, Japan, and South Korea to address North Korea in much the same way the Quad is trying to counter China’s cyber activities. The common denominator between these two groups is the United States, even if the adversary is different. This trilateral has one advantage the Quad does not: few countries are tightly intertwined economically with North Korea, with the exception of China, its largest partner, so it would not be difficult to reproach Pyongyang without suffering an international consequence. With this in mind, the U.S./Japan/South Korea trilateral could become a blueprint for how partnerships among a limited set of stakeholders can make a difference in actually stemming the hostile cyber activity of a specific state. However, it will likely take a full toolbox of options (political/economic/cyber), used interchangeably and in concert with one another at a continuous tempo, to be punitive enough to get North Korea’s attention and consequential enough to make it alter some of its behavior. Short of this, successes will be as short lived as a winning hand in a game of cards. The deck may be reshuffled, but the game will go on.