The war between Russia and Ukraine has drawn considerable attention to international concerns that Russia may use cyberattacks to retaliate against sanctions and how the conflict and its consequences may reshape Russia’s strategy in cyberspace. One central reference point in those debates is North Korea, which has long been a complicated aggressor in cyber conflicts with attacks that mix both economic and political motivations and show little concern for collateral damage or unintended consequences. A recent threat intelligence report from security firm Truesec hypothesized that the sanctions directed at Russia may cause it to function as an “isolated rogue state”; align its offensive cyber strategy more with North Korea’s; and use cyberattacks to steal money, as well as intelligence.
Ever since the 2014 breach of Sony Pictures, North Korea has been regarded as a formidable adversary in cyberspace. This is not because North Korea’s state-sponsored cyberattacks are particularly sophisticated, but because its attacks are designed to do as much damage as possible even when there is no clear, direct benefit to North Korea. For instance, the high-profile breach of Sony Pictures, which involved wiping the computers of all of their data and also leaking much of that stolen data to the press in order to publicly humiliate the company, was intended as retaliation against the entertainment company for making a movie about the fictional assassination of Kim Jong-un. But unlike most other state-sponsored cyber intrusions that center on intelligence gathering, espionage, or strategic sabotage of adversaries’ infrastructure, North Korea’s targeting of Sony Pictures offered no real benefit to North Korea and appeared to serve no clear political purpose beyond revenge.
In contrast to the cyber-espionage campaigns attributed to China, and the attacks on critical infrastructure attributed to Russia, North Korea’s cyberattacks appeared less targeted and more reckless, but also less valuable to the perpetrators themselves as either signals or mechanisms for acquiring useful information or strategic advantages. This makes it more difficult to predict how North Korea will exercise its capabilities in cyberspace and also speaks to how complicated North Korea’s cyber strategy is: the country relies on cyber operations for so many different and unconventional aims, including retaliating against its adversaries and generating revenue.
While the Sony Pictures breach helped shine a spotlight on North Korea’s cyber capabilities, the country’s willingness to cause widespread damage through cyberattacks and mixed motives for launching them came into focus more clearly in 2017, when the country released the WannaCry ransomware. WannaCry caused significant computer outages worldwide, including at the United Kingdom’s National Health Service, FedEx, Telefonica, and Boeing, among many other companies. What was most perplexing about WannaCry was that it appeared to be financially motivated—the malware demanded roughly $300 worth of cryptocurrency to recover each infected device—but it was surprisingly unprofitable for such widespread malware. Estimates later suggested that the actual profits for the attackers were less than $1 million, even though the cost of the damaged caused by WannaCry was estimated in the billions.
By launching such a widespread, attention-grabbing cyberattack, North Korea had seemingly undermined its ability to profit off the attack, perhaps because there was so much attention on restoring the affected systems, or perhaps because attribution to North Korea raised legal questions about whether victims were permitted to pay the demanded ransoms. Notably, WannaCry also relied on the EternalBlue vulnerability in the Windows operating system that was stolen from the U.S. government, suggesting that North Korea’s strength in the cyber domain came not from its own technical expertise so much as its ability to leverage others’ tools and techniques. This contributed to the sense that North Korea’s reliance on cyber operations stemmed in part from its ability to have an outsize impact in the cyber domain, as compared to other realms of international conflict.
WannaCry and Sony Pictures are far from the only cyberattacks that have been attributed to North Korea—an indictment released by the Department of Justice last year lists many other cybercrimes perpetrated by North Korean military hackers, including several attempts to steal cryptocurrency and initiate fraudulent bank transactions. The Justice Department alleged that these cyberattacks aimed to steal and extort more than $1.3 billion of money and cryptocurrency, suggesting that one of North Korea’s main motivations in developing cyber capabilities is using them to steal money in a variety of ways ranging from ransomware to developing malicious cryptocurrency applications.
Money and making the most of limited resources have been central to North Korea’s cyber strategy in every regard—many of the nation’s cyberattacks seem designed to offer the country the most cost-effective strategy of retaliating against adversaries or trying to generate financial reserves. But while North Korea has been successful in trying to make a name for itself as an aggressor in cyberspace, it is less clear that the country has succeeded in profiting financially off its cyberattacks. Meanwhile, it does not appear to have acquired sufficiently sophisticated, unknown technical knowledge to be able to engage in the kinds of covert cyberespionage that have characterized China’s cyber capabilities for the past decade, or even some of the more covert Russian cyber operations, like the SolarWinds compromise. Overall, North Korea’s cyber operations have been splashy and high-profile, but not especially sophisticated, targeted, or profitable, pointing to how limiting the country’s resources are even in the cyber domain.
Josephine Wolff is an associate professor of cybersecurity policy at the Tufts Fletcher School of Law and Diplomacy.