North Korea Knows How Important Its Cyberattacks Are

North Korea’s cyberattacks became famous in 2014, when Pyongyang’s hackers targeted Sony Pictures, seemingly in retaliation for a satirical movie about North Korean leader Kim Jong Un. But the reclusive regime’s greatly improved cybercapabilities are not a joke. They’re a serious threat to the stability of the global economy and critical infrastructure systems.

North Korean hackers have gone on to bigger and more financially profitable targets. Since 2014, North Korean hackers have attacked Bangladesh’s central bank, the U.K. National Health Service, and, more recently, cryptocurrency exchanges. And the odds are that many more major North Korean cyberattacks are to come in the near future.

In internal regime discourse, Pyongyang proudly refers to its cyberoperations as its “all-purpose sword.” According to testimony from a South Korean intelligence chief, Kim reportedly stated: “Cyberwarfare, along with nuclear weapons and missiles, is an ‘all-purpose sword’ that guarantees our military’s capability to strike relentlessly.” Subversive, criminal operations are a style of asymmetric warfare long embraced by the North. The country’s founding leader, Kim Il Sung, earned his nationalist credentials by fighting Japanese colonialists in the 1930s. His guerrilla band later became the political elite of the North Korean state. During the Cold War era, Kim regularly deployed guerrillas to subvert and instigate the South Korean government. North Koreas hackers are the 21st-century version of guerrilla fighters, moving in the dark and striking at the most vulnerable points.

North Korea’s cyberattacks became famous in 2014, when Pyongyang’s hackers targeted Sony Pictures, seemingly in retaliation for a satirical movie about North Korean leader Kim Jong Un. But the reclusive regime’s greatly improved cybercapabilities are not a joke. They’re a serious threat to the stability of the global economy and critical infrastructure systems.

North Korean hackers have gone on to bigger and more financially profitable targets. Since 2014, North Korean hackers have attacked Bangladesh’s central bank, the U.K. National Health Service, and, more recently, cryptocurrency exchanges. And the odds are that many more major North Korean cyberattacks are to come in the near future.

In internal regime discourse, Pyongyang proudly refers to its cyberoperations as its “all-purpose sword.” According to testimony from a South Korean intelligence chief, Kim reportedly stated: “Cyberwarfare, along with nuclear weapons and missiles, is an ‘all-purpose sword’ that guarantees our military’s capability to strike relentlessly.” Subversive, criminal operations are a style of asymmetric warfare long embraced by the North. The country’s founding leader, Kim Il Sung, earned his nationalist credentials by fighting Japanese colonialists in the 1930s. His guerrilla band later became the political elite of the North Korean state. During the Cold War era, Kim regularly deployed guerrillas to subvert and instigate the South Korean government. North Koreas hackers are the 21st-century version of guerrilla fighters, moving in the dark and striking at the most vulnerable points.

Historically, guerrillas often depended on banditry and robbery to survive—and one reason for the recent amping up of cyberattacks is financial worries. While Kim Jong Un’s recent missile tests garner international condemnation and head-shaking in Washington and Seoul, Pyongyang’s cyberoperatives work in the shadows. Due to the COVID-19 pandemic, North Korean borders have been sealed shut for the past two years. North Korean trade with China has largely stalled, and many foreign diplomats have left the country, making the already reclusive state even more isolated.

Nonetheless, North Korean hackers work diligently in an effort to bolster the depleted coffers of the party elite. Between 2011 and 2020, North Korea cybercriminals stole more than $1 billion worth of cryptocurrency. In 2021, North Korean hackers allegedly stole close to $400 million worth of crypto coins. The blockchain analysis company Chainalysis wrote in a recent report that “North Korean cybercriminals had a banner year in 2021.” The regime’s investment in its cyberoperations is likely providing a vital economic buffer for the isolated and paranoid leadership. According to an unclassified 2021 report from the U.S. Office of the Director of National Intelligence (ODNI), North Korea’s cybercrime likely funds “government priorities, such as its nuclear and missile programs.”

North Korea is also engaged in more conventional espionage. A cybersecurity firm recently uncovered that the North Korean hacking group Lazarus used two decoy Microsoft Word documents that resembled Lockheed Martin employment information in order to deliver payloads on unsuspecting users. Using spear-phishing attacks, the Lazarus group has increasingly targeted job-seekers in the U.S. defense and aerospace industries with fake documents that are infected with malware.

Despite relatively good relations between Pyongyang and Moscow, North Korean hackers have even targeted Russia’s foreign ministry with malware. In what seems to be a counterstrike against the analysts who uncover their hacking operations, Pyongyang’s cyberagents are using fake social media profiles to infect the computers of cybersecurity researchers with custom backdoor malware.

So, why have foreign-policy experts and policymakers themselves largely ignored North Korea’s increasingly sophisticated cyberoperations? Well, firstly, cyberattacks are less obvious than missile tests. Kim’s numerous missile tests are a frequent and unignorable reminder of his regime’s nuclear arsenal and military capabilities. Cyberattacks take place in the dark corners of the internet and are not always obvious to even the targets.

Secondly, most policymakers struggle with understanding that North Korea is a technological peer nation in cybersecurity. Despite being a deeply impoverished country with a crumbling health care system and less than 10 percent of its non-highway roads paved, the North Korean leadership has attained significant expertise and development in its cybersector. As part of its militaristic worldview, North Korea prioritizes investment in regime stability and the defense industry over economic improvement for its citizens.

North Korea’s asymmetric capabilities have allowed a nation with a GDP roughly equivalent to that of Mozambique to be able to compete with the world superpowers in cyberspace. The stereotype of North Korea’s Kim Jong Un as a buffoonish character on the international stage has impeded U.S. strategic thinking toward North Korea as a very real threat in cyberspace.

And finally, fearing financial loss and public relations fiascos, companies and businesses are hesitant to release information to the public about North Korean cyberattacks. Since many CEOs solely prioritize their company’s bottom line, details of cyberattacks often get swept under the rug. In 2016, the FBI’s Internal Crime Complaint Center estimated that only 15 percent of cybertheft victims in the United States reported their crimes to law enforcement.

So, what can be done to bolster defenses against North Korean hackers? Cyberattacks are part of North Korea’s historical commitment to asymmetric warfare, and it will not change course no matter how much we publicly condemn its actions. Rhetoric won’t work unless it has teeth. Guerrilla warfare, in cyberspace and the physical world, has long been embraced by the regime.

The United States needs to address the role and complicity of the Chinese Communist Party (CCP) in North Korea’s cyberoperations. From hosting North Korean cyberunits in border cities such as Shenyang to training them at Chinese technology universities and research institutes, the CCP enables North Korea’s maliciousness in cyberspace. In 2016, a South Korean cybersecurity researcher estimated that around 600 to 1,000 North Korean cyberwarfare agents operate in China. In addition, most, if not all, of the internet traffic from North Korea runs through Chinese access providers. Many North Korean hackers get their education in China’s tech universities and then bring back their skills to their homeland.

We need to cut off this supply of North Korean hackers and address the fact that the Chinese government knowingly enables North Korea’s malicious cyberoperations. In October 2020, John Demers, then the U.S. assistant attorney general for national security, mentioned at a think tank event that “there is support through Chinese cyberinfrastructure. There’s likely support in terms of sharing expertise and training from the Chinese side.” Since the U.S. national security apparatus seemingly acknowledges this Sino-North Korean cyberpartnership, the U.S. government should sanction the Chinese entities that enable and assist North Korean cybercrime, such as the Harbin Institute of Technology, which hosts North Korean computer science students. In 2019, China’s education minister signed an agreement with the North Korean government on the continuation of educational exchanges and partnerships from 2020 to 2030. The Chinese government will continue to see North Korean cybercapabilities as a useful proxy force to weaken and frustrate U.S. interests.

Finally, U.S. companies and businesses need to share information about North Korean cyberattacks with the general public so that others can act to prepare themselves. As noted in the ODNI report, North Korea “probably possesses the expertise to cause temporary, limited disruptions of some critical infrastructure networks and disrupt business networks in the United States.” The last thing anyone needs during the pandemic is an already brittle critical infrastructure to be at the mercy of Kim Jong Un.