Bora Park, a research fellow at the Institute for National Security Strategy, analyzes the evolving North Korean cyber threat since the Gulf War in 1991 and discusses South Korea’s response measures. Park argues that cyberattacks have significantly diversified following the adoption of six UN Security Resolutions in 2016, coupled with strengthened international sanctions during the Park Geun-hye administration. The author elaborates that DPRK has employed malicious codes and other covert means not only for cyber espionage but also to damage South Korean economy and promote domestic polarization. Park urges the South Korean government to enact legal measures to counter the escalating DPRK cyber threat and recommends the establishment of a comprehensive cybersecurity system encompassing both the public and private sectors.
North Korea’s cyberattacks have become one of the key global security agenda as North Korea continues to target cyberspace to evade sanctions imposed by the international community. North Korea has exploited cyberspace to not only make up for the economic damage caused by sanctions against North Korea, but also to collect funds for their nuclear and missile programs. Most sanctions against North Korea began since the adoption of the United Nations Security Council Resolution 1695 (2006), which aimed to condemn the multiple ballistic missile launches by North Korea on July 5, 2006. Although North Korea primarily uses cyberspace as a means to evade sanctions, its recognition of the importance of cyberspace dates back much earlier.
Background and Organizations
North Korea witnessed the power of the electronic warfare during the Gulf war in 1991. Along with its command and communication network, one of the world’s best Iraqi air defense systems was incapacitated by the multinational forces, leading to the victory of the multinational force. This made North Korea recognize the importance of electronic warfare in modern warfare. For this reason, North Korea established the “Command Automation Bureau” under the General Staff Department of the Korean People’s Army and “Electronic Warfare Research Institute” in each corps in the army, then adopted and developed cyber warfare capabilities as a national strategy. The General Staff Department does not carry out direct cyberattacks, but it supports military operations in cyberspace. The “Command Automation Bureau” takes responsibility of developing hacking and communication programs with “Unit 31 (malware programs),” “Unit 32 (military software programs),” and “Unit 56 (military command and control programs).”
In addition, North Korea established a cyber warfare guidance unit, known as “Bureau 121” in 1998 and “Unit 204” for a cyber psychological warfare in 1999, respectively. For this purpose, North Korea has trained professionals capable of conducting cyber warfare at its universities. It is estimated that nearly 300 students, whose expertise is in hacking, are trained and deployed in these bureaus each year after graduation. It was in 2009 that North Korea’s cyberattack capability developed dramatically with the establishment of the Reconnaissance General Bureau (RGB), which serves as North Korea's foreign and Republic of Korea intelligence agency. In particular, the core cyberattacks are carried out by “Bureau 121.” As of 2016, it is known that there were approximately 6,000 full-time agents in “Bureau 121,” which has been pointed out as the mastermind behind North Korean hacking organizations. Most of its hackers operate overseas, including in Belarus, China, India, Malaysia, and Russia. Compared to the past, this represents a significant expansion in the scope of their hacking activities.
Trend in Cyberattacks
With the establishment of cyber infrastructure, North Korea initiated cyberattacks for espionage against the ROK government and critical infrastructures in 2003. North Korea primarily used malicious code, employing a sneak and covert operational style rather than conducting large-scale attacks. During the Lee Myung-Bak administration, North Korea’s cyberattacks intensified and expanded. They targeted not only public sectors but also civil sectors, with a focus on news media and the financial facilities. What is important is that North Korea has been conducting psychological warfare against the civil society in the Republic of Korea since then. This showed a change in tactics and objectives in North Korea’s cyberattacks, moving from cyber espionage to damaging the economy and undermining national cohesion.
North Korea’s cyberattacks have become more diverse since the Park Geun-Hye administration. First and foremost, they began targeting not only “traditional targets” (e.g. government agencies and facilities, new media agencies, think tanks or political parties), but also “new targets” like entertainment companies and cryptocurrency. Furthermore, North Korea targeted overseas financial facilities as well as domestic ones. The purpose of their attacks has also evolved. North Korea has attempted to steal not only information but also cryptocurrencies, with the latter becoming a more attractive target due to the sanctions. In other words, it was because of the the shortage in Kim Jong Un’s “ruling funds” that North Korea shifted its focus in cyberattacks from system destruction and information theft to financial assets, including virtual ones. After North Korea announced the “completion of nuclear force” in January 2016, sanctions from the international organizations like the United Nations and the European Union, as well as independent sanctions from the United States, Japan, the United Kingdom, and others also followed suit.
More specifically, the UN Security Council adopted six resolutions against North Korea following the fourth nuclear test in 2016. (UNSCR 2270, UNSCR 2321, UNSCR 2356, UNSCR 2371, UNSCR 2375, and UNSCR 2397). All of these sanctions imposed a comprehensive embargo on North Korea’s economy, including imports and exports. In addition to these resolutions, the United States issued two executive orders (No. 13722 and No. 13810) and passed two separate laws on sanctions against North Korea. Presidential executive order No. 13810 imposed a ban on foreign financial transactions with North Korea (a.k.a. “secondary boycott”), significantly enhancing the effectiveness of sanctions against North Korea. As a result, the main resource of income for Kim’s ruling funds, exports, plummeted drastically. For these reasons, North Korea had to seek ways to generate revenue to evade the sanctions, leading them to target cryptocurrencies through hacking as their top option.
Another notable feature of North Korea’s cyberattacks during the Park administration is that North Korea has utilized psychological warfare in cyberspace against South Korean civil society. North Korea sought to create societal confusions and internal conflicts among ROK citizens by exploiting domestic political and social issues. They also mobilized social network services by taking advantage of the pro-North Korea websites in alignment with their propaganda campaign against the Republic of Korea through the operation of “Bureau 225.”
This trend continued into the Moon Jae-In administration. North Korea utilized a mixed approach to cyberattacks, involving cyber spying and theft of cryptocurrencies. North Korea attempted to obtain information prior to U.S.-DPRK summits and ROK-DPRK summits for negotiation purposes. Following the breakdown of U.S.-DPRK talks, their attacks aimed at securing financial profits for economic development increased. Experts in think tanks and in the field of diplomacy and security were also major targets, as North Korea sought to obtain information on ROK strategy and the inter-Korean dialogues.
The COVID-19 pandemic was another catalyst for the surge in North Korea’s cyberattacks. North Korea attacked the global or domestic pharmaceutical companies to access technologies related to COVID-19 vaccines and treatments. In 2021, Kim announced a new “5-year nuclear strength and economic development plan,” prompting North Korea to conduct omnidirectional cyberattacks focused on emerging technologies to advance its nuclear weapons program.
A Way Forward
A recent analysis has revealed that over the past 10 years, North Korea has carried out cyberattacks in at least 29 countries, including the Republic of Korea and the United States. The majority of North Korea’s cyberattacks were concentrated in Asian regions (77%), followed by North America and Europe), each accounting for about 10% of the attacks.
Among the targeted countries, the Republic of Korea recorded the highest number of attacks (65.7%), followed by the United States at 8.5%. Despite the increasing trend in attacks aimed at stealing money over the past four to five years, totaling approximately 50 cases, North Korea continues to focus primarily on information collection activities, accounting for 71.5% of the attacks, which is more than 180 cases. Given the fact that Republic of Korea has been North Korea’s primary target for cyberattacks, it is expected that the Republic of Korea will remain a high-priority target in the future, especially with the continued growth in attacks against the financial sector.
Governments of the countries targeted by North Korea’s cyberattacks have responded to these threats. For instance, the United States imposed independent sanctions on “Lazarus,” while the Republic of Korea imposed sanctions on “Kimsuky.” The United States has established a new organization dedicated to addressing North Korea's cyberattacks. The EU is strengthening cyber sanctions against North Korea in line with laws enacted in 2019. Additionally, there is a growing emphasis on multilateral and bilateral cooperation among relevant countries, exemplified by initiatives such as the “Ransomware Response Conference,” initiated by the United States.
However, the international cooperation system against North Korea’s cyberattacks is yet to be fully developed. In this context, it is highly remarkable that the Republic of Korea, the United States, and Japan have agreed to create a working group to deter North Korea’s cyber threats, as stated in the “Spirit of Camp David.” Moreover, a high-level consultative group on countering North Korea’s cyber activities was launched in early November, with the three nations agreeing to hold quarterly meetings under this new framework for the consultative group.
The lack of legal measures to counter North Korea’s cyberattacks is still a matter of concern. According to the National Intelligence Services, nearly 70% to 80% of the hacking attacks against public facilities for the past five years (2015-2020) were attributed to North Korea. While North Korea’s cyberattacks against the public facilities have been gradually decreasing, attacks against private sectors, especially in the cryptocurrency domain, are on the rise. In fact, the National Intelligence Services also reported that the attacks against the private sector in 2023 were twice as frequent as those against the public sector.
As North Korea is indiscriminately targeting both public and the private sectors, it is evident that the current presidential decree, “Operational Regulation on Cyber Security,” is not fully equipped to support the countermeasures effectively. Considering these limitations, the government must take steps toward establishing a national cybersecurity system that integrates the public and private sectors through the enactment of a comprehensive law on national cybersecurity. Fruitful discussions are expected regarding the legislative notice on the General Law on National Cyber Security of 2022.
References
Hwang, Jihwan. 2017. “North Korea’s Cyber Security Strategy and the Korean Peninsula”, East and West Studies 29, 1: 139-159.
Kwon, Hyeok chun. 2020. “A Comparative Study on North Korean Cyberattack Patterns: Focusing on the Three Governments of Roh Moo-hyun, Lee Myung-bak and Park Geun-hye.” Ph.D. Dissertation, Graduate School of Konkuk University.
Lee, Seungyeol. 2023. “Evolution of North Korea’s Cyberattack Strategy: Cyber Strategy as a Means of Earning Foreign Currency to Evade Sanctions against North Korea.” Unification Policy Studies 32, 1: 323-353.
Shin, Choong Geun and Sangjin Lee. 2013. “A Study of Countermeasure and Strategy Analysis on North Korean Cyber Terror.” Journal of Police Science 13, 4: 201 – 226.
Chainalysis. 2023. “Russian and North Korean Cyberattack Infrastructure Converge: New Hacking Data Raises National Security Concerns.” September 14. https://www.chainalysis.com/blog/north-korea-russia-crypto-money-laundering/ (Accessed: November 20, 2023)
___________. 2023. “The Chainalysis 2023 Crypto Crime Report.” Chainalysis Annual Report.
Insikt Group. 2023. “North Korea’s Cyber Strategy.” The Recorded Future. June 23. https://www.recordedfuture.com/north-koreas-cyber-strategy (Accessed: November 21, 2023).
The White House. 2023. “The Spirit of Camp David: Joint Statement of Japan, the Republic of Korea, and the United States.” August 18. https://www.whitehouse.gov/briefing-room/statements-releases/2023/08/18/the-spirit-of-camp-david-joint-statement-of-japan-the-republic-of-korea-and-the-united-states/ (Accessed: November 25, 2023).
■ Bora Park is a research fellow at the Institute for National Security Strategy.
■ Typeset by Jisoo Park, Research Associate
For inquiries: 02 2277 1683 (ext. 208) | jspark@eai.or.kr