Varying assessments over the years have fuelled an ongoing debate on the capabilities and strategic impact of North Korea’s cyber operations. On the one hand, sceptics argue that there are serious limitations to North Korea’s use of cyberspace for political purposes, particularly at the strategic level.
According to this view, North Korea’s cyber capabilities do not provide Pyongyang with significant strategic advantages for achieving political aims, nor are they sufficient to degrade US or any other advanced retaliatory capabilities to ensure regime survival.
The opposing perspective, however, is that North Korea’s cyber capabilities have advanced in scope and sophistication, driven mainly by strategic necessity, giving the regime power and freedom of action in an adversarial strategic environment.
The debate reflects difficulties in assessing North Korea’s cyber capabilities and the strategic rationales underlying them, not only because attribution is a recurring point of contention but also because North Korea’s cyber units and hacker groups have shown considerable diversity in terms of their capabilities and experience—from very low-skilled to high-skilled hacker groups.
Indeed, the various cyber threat-intelligence reports overlap and conflict in how they classify North Korean cyber groups by tactics, techniques, and procedures (TTPs): some sources use “Lazarus Group” as an umbrella name for all of North Korea’s cyber units and for any activity attributed to North Korea, while other sources track North Korean clusters or groups such as Bluenoroff, APT37 (Reaper), and APT38 separately. The US Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.
Based on open-source government and private cybersecurity threat-intelligence reports, however, one could argue that there are a number of North Korean hacking subgroups with distinct TTPs, and that they should not all be lumped together as Lazarus Group or treated as its subgroups.
These hacker groups have been geographically dispersed in China, Russia, Southeast Asia, and even Europe, acting independently or mutually supporting each other based on their specific cyber-missions: from cyber espionage and information manipulation; covert financial extortion; to various disruptive and destructive cyber operations.
The key question now is whether select North Korean hacker groups might test their capabilities against the upcoming US presidential election.
In the past decade, North Korea’s cyber units have progressively developed their resources, assets, malware arsenals and coding capabilities based on their experience and lessons learned from pursuing different targets, and collaborating in various cyber campaigns by sharing networking infrastructure and continuously adapting malware code in order to avoid detection.
From 2009-11, North Korea’s cyber operations targeted primarily South Korean government offices and the financial industry, as well as US military and defense targets, and were characterized by hacktivist political messages and threats. The highly publicized attack on Sony Pictures in 2014, although it came later, represented the pinnacle of this kind of politically motivated activity, marking one of the first times a nation-state targeted a corporate entity for political aims.
From 2012-15, North Korea focused on cyber espionage activities targeting South Korean and US government offices, defense contractors, universities and think tanks, as well as North Korean defectors abroad.
From 2015-18, North Korean hacker groups began to expand the scope and sophistication of their operations, most likely under increasing pressure from financial sanctions, shifting toward financially motivated cyber operations worldwide to evade those sanctions while generating resources for North Korea’s economic and military-technological development.
In 2019, the United Nations Panel of Experts on the North Korea Sanctions Committee noted that North Korea “carried out at least five successful (cyber) attacks against cryptocurrency exchanges in Asia between January 2017 and September 2018, resulting in a total loss of $571 million.” The report adds that “cyberattacks by [North Korea] to illegally force the transfer of funds have become an important tool in the evasion of sanctions and have grown in sophistication and scale since 2016.”
Pyongyang has also been able to protect its critical infrastructure from potential reprisals, limiting its online access, dependencies, and vulnerabilities by relying primarily on China’s internet infrastructure. This has only recently been augmented with a second internet link through Russian networks, and by the dispersal of its hackers to select countries worldwide, including India, Nepal, Kenya, Mozambique, and Indonesia.
Meanwhile, North Korea’s military is reportedly developing a quantum encryption technology in an effort to build a highly secure command and control link between Pyongyang and key missile launching sites such as Wonsan, Tonghae, or Sohae. Its purpose is to shield North Korea’s ballistic missiles from cyberwarfare, directed energy, and electronic attacks.
Under these conditions, North Korean hacker groups may potentially up their game by trying to disrupt, degrade, or influence the direction and character of US elections, for example by disrupting US media networks, financial institutions, and political parties.
This is because cyber capabilities in North Korean strategy work as weapons of mass effectiveness alongside weapons of mass destruction, a unified means of pressuring the United States and the wider international community into recognizing the regime’s legitimacy without triggering a major armed conflict.
North Korea has already demonstrated a resolve for cyber-escalation, targeting the critical infrastructure of other nation-states as well as private corporations and banks for varying political motivations, such as retaliation, coercion, or covert intelligence gathering, and increasingly also for illicit financial gain to bypass stricter international sanctions. In doing so, it has been undeterred by international norms.
Ultimately, the line between low-end and high-end North Korean cyberspace operations has been blurred, and the question is whether they are sufficient to degrade US cyber defenses.
With the ongoing political and economic crisis in the US, however, unrestricted cyber operations may increase the propensity for a strategic surprise.
By Michael Raska
Michael Raska is assistant professor and coordinator of the Military Transformations Program at the Institute of Defense and Strategic Studies, a unit of the S. Rajaratnam School of International Studies, Nanyang Technological University, Singapore. The views reflected in the article are his own. He can be reached at firstname.lastname@example.org