Amidst Vladimir Putin’s war in Ukraine, countless national security analysts and cybersecurity experts have been warning about the dangers of increased Russian cyberattacks on U.S. infrastructure. Lesser known are the ties between Russian-language cyber actors and the North Korean government. On March 22, U.S. national security advisor Jake Sullivan brought this connection to the national spotlight when he said, “North Korea’s cyber capabilities have been manifest in the world and they work with all kinds of cybercriminals around the world, including Russian cybercriminals.” Sullivan’s statement confirms that Russia’s shadowy network of cybercriminals has found allies in the North Korean government, which uses cyber activities to circumvent heavy international sanctions and bolster Kim Jong-un’s coffers.
Moscow’s cyber ties to Pyongyang stretch back to 2017, when it was first reported that a Russian telecommunications company had started providing North Korea with a second Internet connection. Previously, North Korea had solely accessed the worldwide web via Chinese servers. In 2020, cybersecurity firm Intel 471 discovered that Lazarus, an elite North Korean hacking unit, was working together with a Russian malware operation. Intel 471 noted in its report that “DPRK threat actors likely are active in the cybercriminal underground and maintain trusted relationships with top-tier Russian-speaking cybercriminals.” The report also indicated that North Korean-made malware was offered for sale on underground Russian marketplaces. A North Korean cyber unit was also reportedly found working in the Russian Far East.
Due to their technical skills and ability to conduct cyberattacks on Western enterprises, Pyongyang’s cyber agents see Russia’s cybercriminals as beneficial partners. The Kremlin is passive towards its domestic cybercriminal underworld and sometimes works in tandem with Russian cybercriminals. For North Korean hackers, working with Russian cybercriminals provides unprecedented access to Western financial institutions and consistent opportunities for low-level financial crime. For the Russian cyber underworld, working with North Korean hackers offers an opportunity for big paydays. North Korean hackers are well-known for their ability to hack into robust financial institutions and generate large amounts of revenue.
For most casual observers, the idea of the stodgy socialists in North Korea working with the Russian cybercriminal underground seems odd or out of place. However, this fits into a historical pattern first established by former North Korean leader Kim Jong-il. Under the guidance of the “Great Leader,” North Korean government officials in the 1980s and 1990s were encouraged to generate revenue for the Korean Workers’ Party by any possible means. These illicit funds were then used to develop the regime’s nuclear arsenal and support the luxurious lifestyles of the North Korean elite. This meant that North Korean agents were encouraged by the leadership to engage in contraband trade with the Asian criminal underworld. In order to generate revenue for the heavily sanctioned regime, North Korean agents sold drugs to Chinese triads, Taiwanese gangs, the Russian mafia, and the Japanese yakuza. According to a Wall Street Journal report, “between 1999 and 2001, Japanese authorities seized more than 2,400 pounds of amphetamines en route from North Korea, 34 percent of Japan's total seizures of the drug.” In December 2002, the Japanese Coast Guard sank a North Korean ship that was trafficking amphetamines to Japanese gangs. During Kim Jong-il’s reign, North Korea gained a global reputation for its smuggling activities and drug trafficking operations.
North Korea’s long-established links to international criminal organizations have now shifted into cyberspace. The ties between Russian cybercriminals and the Kim family regime may seem new, but they are in fact part of a long-term North Korean strategy to align organized crime with Pyongyang’s priorities. In the North Korean system, supporting and upholding the dignity of the supreme leader overrides all other concerns. There is also concern that North Korea’s cyber activities will inspire other rogue nations to follow suit. Cybersecurity researcher Yana Blachman notes that “the cybercrime model of North Korea could create a blueprint for other nations to develop similar programs. Without international action, this could result in escalating cyber guerrilla warfare, putting all nations at significant risk.”
The North Korean state refers to its cyber activities as its “all-purpose sword,” and Kim Jong-un uses state hackers for both political and financial espionage. The turn to cybercriminal activities reflects the changing international situation and geopolitical dynamics facing the Kim family regime. Cybercrime is a low-risk and high-reward activity for the regime. Due to heavy international sanctions and COVID-19 border closures, North Korea has never been as isolated as it is now. While much of this is due to Kim Jong-un’s own decisions, it has meant that North Korean cyber operations are increasingly seen by the regime as one of the few sources of foreign revenue generation for the Workers’ Party elite.
The intelligence community needs to continue to keep a close eye on the emerging linkages between the cybercriminal underworld and North Korean state-affiliated hackers. Looking forward, we are likely to see a proliferation of North Korean cyber espionage that aligns with the regime’s nuclear provocations.
Benjamin R. Young is an assistant professor of homeland security and emergency preparedness in the Wilder School of Government and Public Affairs at Virginia Commonwealth University. He is the author of the book Guns, Guerillas, and the Great Leader: North Korea and the Third World, and his writing has appeared in a range of media outlets and peer-reviewed scholarly journals. Follow him on Twitter @DubstepInDPRK.