While it has not launched any new missiles since July, North Korea instead demonstrated its hostility with cyberattacks throughout 2020. Pyongyang’s latest targets were several pharmaceutical companies developing coronavirus vaccines. Overall, North Korea’s cyber operations continue to increase in sophistication, posing more complex security challenges for the United States and its allies.
North Korean cyber capabilities have evolved since Pyongyang’s first reported attacks in July 2009. Initially focused on disrupting websites, servers, and computer networks in South Korea and the United States, the Kim regime now uses cyber operations to conduct global espionage and evade sanctions. One North Korean hacking group alone has compromised financial institutions in as many as thirty countries, generating “substantial revenue” for the regime, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
The Trump administration has deployed a range of tools attempting to limit the impact of North Korean cyber operations and to impose costs on those who conduct malicious campaigns. CISA has served an instrumental role in strengthening U.S. cyber defenses against North Korea through its publication of detailed technical alerts and reports regarding North Korea’s newest malware and cyber tactics. These alerts and reports provide valuable information to industries and companies so that they can reinforce their network infrastructure against hackers.
As General Paul Nakasone, the head of U.S. Cyber Command and the National Security Agency, explained, publicly releasing enemy malware “makes that malware less effective because defenses can be tuned to detect and defeat it.”
Additionally, the Trump administration has sought to disrupt Pyongyang’s cyber activities and punish those responsible for attacks by pressing charges and restricting access to financial assets.
For instance, in September 2018, the U.S. government imposed financial sanctions and unsealed an indictment against a North Korean computer programmer, Park Jin Hyok, for his role in numerous cyberattacks. A year later, Treasury sanctioned the Lazarus Group, a state-backed North Korean hacking unit, and the Bluenoroff and Andariel groups, both Lazarus subsidiaries. In March 2020, the Treasury Department sanctioned and the Justice Department indicted two Chinese currency traders, Tian Yinyin and Li Jiadong, for helping North Korean hackers launder stolen virtual currency into traditional fiat currency.
The United States has also employed offensive cyber operations to dismantle the infrastructure of North Korean cyber campaigns. In 2017, U.S. Cyber Command reportedly conducted operations to cut off the regime’s internet access. Two years later, the FBI and the Air Force Office of Special Investigations mapped and disrupted a botnet used by North Korean hackers.
Collectively, the Trump administration’s campaign against North Korea provides a robust framework for Washington to confront North Korea’s malicious cyber operations. And yet, to date, these efforts have failed to stem the attacks. For example, after pressing charges in March against the two Chinese currency traders Tian and Li, the Justice Department found that the traders had pulled their remaining funds from their virtual currency accounts. Tian and Li went on to continue laundering North Korean funds through highly sophisticated and deceptive techniques aimed at evading detection.
Likewise, while the 2017 U.S. cyberattack did initially overwhelm North Korea’s internet connection, North Korea overcame this hurdle by establishing a new internet connection through a Russian telecommunications company called TransTelecom. Recorded Future, a U.S.-based cybersecurity company, assessed that North Korea’s domestic internet usage has increased by 300 percent since 2017, partially because of TransTelecom’s internet connection.
One reason why the United States has been unable to stem North Korea’s cyber operations is that earlier offensive efforts missed critical targets. Thus far, Treasury has targeted only a North Korean programmer and three government-backed hacking organizations. Earlier U.S. sanctions have demonstrated the capabilities of U.S. intelligence and law enforcement to attribute cyberattacks to individuals and organizations directly linked to the Kim regime. The sanctions have also provided useful information from a network defense perspective. However, these measures have been more symbolic than substantive.
Sanctions can have a meaningful impact on North Korea’s cyber capabilities by closing off their lines of funding. But to achieve that objective, they must target the front companies and banks that finance these hackers’ activities.
The designation of the two Chinese cryptocurrency traders in March was a good first step. The next step is for Treasury and Justice to investigate the banks that these individuals used to launder stolen North Korean money. The Justice Department revealed that these traders moved their illicit funds through nine different Chinese banks. Treasury should reach out to these banks to ensure they have blocked any suspicious transactions and were not complicit in illegal activity. If Treasury were to find these or other financial institutions continuing to launder North Korea’s stolen cyber funds, it should impose penalties, including fines and sanctions.
To make U.S. cyber policy toward North Korea more effective, Treasury should also publish technical advisories to inform banks and cryptocurrency exchanges about the unique deceptive tactics Pyongyang’s crypto-launderers employ to disguise their illegal activity. These advisories would differ from CISA’s, which focus on resolving computer security issues. Treasury’s advisories would instead describe money laundering techniques, equipping compliance officers at banks and cryptocurrency exchanges to detect suspicious activity. Collectively, these efforts can disrupt North Korea’s cybercrime operations at their final stage, when the hackers are trying to cash out their spoils.
Moreover, along with sanctions, the United States should continue offensive cyber campaigns. However, these operations should focus less on dismantling Pyongyang’s cyber infrastructure and more on imposing costs on the Kim regime. The aforementioned U.S. offensive in 2017 shows how North Korea can recover and even strengthen its limited internet network capacity after such cyber disruption campaigns. Instead, the offensive cyber operations most likely to be costly for Kim and to affect regime decision-making are cyber-enabled information campaigns.
The Kim regime considers the influence of foreign media and information as a major threat to its survival, because such content directly undermines its propaganda justifying the Kim regime’s legitimacy. These information campaigns should provide North Koreans with insight on “attractive alternatives to their current way of life” to sow doubt in the regime’s current policies, according to Andrei Lankov, a renowned expert on North Korea. Such messages could encompass topics such as the universal human rights and civil liberties that the regime fails to respect.
Cyber-enabled information campaigns provide a unique opportunity for the United States and its allies to influence a small yet influential segment of North Korea’s populace. In North Korea, only elite citizens in the ruling political party or the military have internet access. If these efforts succeeded in widening social fissures between North Korea’s elite and Kim Jong-un, the Biden administration could gain enormous leverage when engaging North Korea not just on cyber issues, but also on efforts to achieve denuclearization.
North Korea will not stop with its persistent cyber intrusions until there is a more assertive response from the United States and its allies. The incoming Biden administration therefore must continue building upon its predecessors’ efforts. The Trump administration provided its successor with a robust framework to confront North Korea. It is now up to the Biden administration to refine and enhance this strategy.
Mathew Ha is a research analyst focused on North Korea at the Foundation for Defense of Democracies (FDD), where he also contributes to FDD’s Center on Economic and Financial Power (CEFP) and Center on Cyber and Technology Innovation (CCTI). Follow Mathew on Twitter @MatJunsuk. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.