INTELBRIEF
February 22, 2024
IntelBrief: The Threat Landscape of North Korea’s Cyber Arsenal
Bottom Line Up Front
- The United Nations will investigate more than fifty-eight suspected cyberattacks launched by North Korea between 2017 and 2023 that yielded approximately $3 billion in revenue.
- In addition to funneling heisted crypto to fund its nuclear weapons program, North Korea has increasingly executed attacks targeting critical infrastructure, especially in the United States and South Korea.
- While cyberattacks are primarily financially driven to prop up the heavily sanctioned regime, some North Korea-backed cyberattacks demonstrate that its cyber strategy is deeply political as well, with critics, defectors, and North Korea experts targeted.
- With the upcoming parliamentary elections in April of 2024 in South Korea, it is expected that North Korea will try to disrupt the elections through hybrid warfare including cyberattacks and disinformation.
On February 7, Reuters reported that independent sanctions monitors at the United Nations (UN) would investigate more than fifty-eight suspected cyberattacks launched by North Korea between 2017 and 2023 that yielded approximately $3 billion in revenue. This illicit income has been laundered and channeled by North Korea to fund its nuclear weapons program, which the UN Security Council heavily sanctions. Although North Korea has one of the world’s lowest internet penetration rates, the U.S. intelligence community considers it one of the leading cyber threat actors, alongside Russia, China, and Iran. With a minimal online presence, North Korea has fewer vulnerabilities than its internet-reliant adversaries, allowing its hackers to make aggressive use of offensive cyber operations for espionage, cybercrime, and disruptive attacks without fear of equivalent online retribution. According to a UN panel of independent sanctions monitors, North Korea is increasingly targeting defense companies and supply chains. However, one of the regime’s primary sources of income remains cyber activities targeting the blockchain and cryptocurrency industry. Cryptocurrencies are virtual currencies that operate on decentralized networks based on blockchain technology. Unlike traditional currencies issued by governments, cryptocurrencies are not controlled by any central authority. According to Chainalysis, a U.S.-based blockchain analysis firm, 2023 saw a record high of twenty North Korea-linked cyberattacks on cryptocurrency platforms. Additionally, Microsoft and OpenAI reported on February 14 that North Korean cybergroup Emerald Sleet (THALLIUM) has been leveraging ChatGPT to facilitate its cyberattacks — highlighting the connection between rapidly advancing artificial intelligence (AI) and machine learning (ML) applications and cyberattacks by malicious actors.
In addition to funneling heisted cryptocurrency to its nuclear program, North Korea has increasingly executed attacks targeting critical infrastructure, especially in the United States and South Korea. A coalition of government entities, including the U.S. Cybersecurity and Infrastructure Agency as well as the National Intelligence Service of South Korea, has noted an uptick in ransomware attacks against healthcare and public health sector organizations, often demanding these entities pay ransoms in the form of cryptocurrency. These kinds of attacks serve multiple purposes. They simultaneously provide much-needed revenue streams to the isolated regime while also sending a deterrent signal that North Korea can disrupt its state adversaries’ critical infrastructure at will. North Korean cybercriminal groups such as Lazarus Group were also responsible for cyber espionage attacks on COVID-19 research facilities and pharmaceutical companies like AstraZeneca at the height of the search for a vaccine.
While cyberattacks are primarily financially driven to prop up the heavily sanctioned regime, some North Korea-backed cyberattacks demonstrate its cyber strategy is deeply political as well. In 2014, for example, a cyberattack on Sony Pictures Entertainment was an attempt to stop The Interview, a satirical movie about a plot to assassinate North Korean leader Kim Jong Un, from being released. While the film was released on streaming services, threats to theaters resulted in a limited release on the big screen in only 300 venues across the U.S. Additionally, spear-phishing emails have been identified as a method used to extract information from notable figures possessing knowledge about North Korea. According to observations made by Microsoft, the group known as Emerald Sleet impersonates respected academic organizations and non-governmental organizations (NGOs) to elicit expert opinions and commentary on foreign policy matters concerning North Korea. North Korea has also launched cyberattacks to spy on the activities of defectors who have sought asylum abroad, as well as organizations that help defectors.
Amid escalating tensions on the Korean Peninsula, characterized by North Korea's accelerated nuclear and missile development and recent move to cut ties with South Korea, cyberspace will remain an essential arena for hostile exchanges short of armed conflict. Further exacerbating tensions, Russia and North Korea continue to form an increasingly close security partnership – as reflected by the munitions and missiles North Korea has supplied to Russia for its ongoing war in Ukraine. This growing partnership may result in closer collaboration between Moscow and Pyongyang in cyberspace than what has been previously observed. In response to the proliferation of cyberattacks coordinated by North Korea, the United States, Japan, and South Korea agreed to coordinate more closely to address the cyber threats emanating from the so-called Hermit Kingdom. During a December meeting in Seoul, the national security advisers from these countries unveiled new trilateral initiatives aimed at countering various forms of cyber aggression by North Korea, including cybercrime, cryptocurrency money laundering, and provocative missile tests. Cooperation between Japan and South Korea is notable given their historically frosty diplomatic relations. With the upcoming parliamentary elections in April of 2024 in South Korea, it is likely North Korea will try to disrupt the elections using gray-zone tactics, including cyberattacks and disinformation campaigns. The announced further partnership between the United States, Japan, and South Korea in cyber matters will be critical to pool resources and mitigate this rising threat.