IFANS Focus
DPRK’s Illicit Cyber Activities: Latest Developments and ROK’s Responses
SONG Tae Eun
Upload Date 2022-12-08

Ⅰ. North Korean Cyber Attacks: Latest Developments
Ⅱ. ROK’s Responses: Ongoing Efforts and Tasks Ahead

The North Korean regime has conducted a record-shattering number of missile tests this year, and the regime’s growing aggression in cyberspace is becoming a dangerous and evolving threat to many countries around the world. North Korea has been using cyber operations to spy on the U.S. and South Korea since at least 2004, and it is estimated that by 2021, the North had conducted as many as 300 times more cyber-attacks than it had in 2004. As data suggest, Pyongyang has launched cyber operations much more frequently than missile or nuclear tests to target its adversaries. And with Pyongyang’s closing of its borders during the Covid-19 pandemic, the regime ratcheted up its cyber operations. In 2021, the Director of National Intelligence (DNI) said North Korean cyber-attacks have stolen vast sums of money from financial institutions around the world as well as millions of dollars worth of cryptocurrency to fund the country’s nuclear and missile programs.
Deputy National Security Advisor for Cyber & Emerging Technology on the National Security Council Anne Neuberger recently stated that North Korea funds about one-third of its missile and nuclear programs from cryptocurrency theft as well as the illicit activities of North Korean tech workers dispatched overseas. Cryptocurrency theft has arguably become one of the regime’s essential sources of revenue: while the country’s annual coal exports generate slightly more than $400 million, North Korean hackers have stolen $316.4 million worth of cryptocurrency from 30 countries since 2018 using malware known as “AppleJeus.”
In early April this year, a panel of experts at the United Nations Security Council Sanctions Committee on North Korea reported that between 2020 and mid-2021, North Korean cyber-attackers stole more than $50 million in digital assets from at least three cryptocurrency exchanges in North America, Europe and Asia. On October 18, 2022, U.S. Homeland Security Secretary Alejandro Mayorkas said that in the last two years alone, North Korea has largely funded its weapons of mass destruction programs through cyber heists of cryptocurrencies and hard currencies totaling more than $1 billion. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) refers to malicious cyber activity by the North Korean government as “Hidden Cobra,” and the fact that the U.S. gives a specific label to Pyongyang’s cyber attacks targeting media, aviation, financial institutions, and major infrastructure around the world shows the gravity of this issue in Washington’s wide-ranging efforts to combat cyber operations.
As shown by the latest comments from the United Nations and U.S. government officials, forging an aggressive international response to North Korea’s cyber aggression is a critical matter that goes beyond the cyber sphere; strong joint action could play a significant role in deterring the regime’s nuclear and missile provocations. For this reason, various U.S. government agencies including the FBI, CISA, the U.S. Department of Homeland Security, and the U.S. Department of the Treasury are making ceaseless efforts to provide information on North Korean cyber attacks, and the Department of State’s Bureau of Cyberspace and Digital Policy (CDP), established in April 2022, offers U.S. allies and partner countries a special training program on dealing with North Korean malware.

Ⅰ. North Korean Cyber Attacks: Latest Developments

Cyber attacks originating from North Korea have rapidly grown in frequency and scale in recent years, with the regime’s operators diversifying their attack patterns. The increased scope and frequency of these attacks have also brought to light who is behind them and how they are launched: North Korean cyber attacks are primarily conducted by multiple actors, including the Lazarus Group, Kimsuky, the 3rd and 5th Bureaus of the Reconnaissance General Bureau, the General Staff Department of the Ministry of People’s Armed Forces, and the 4th and 6th Bureaus of the Ministry of State Security. North Korean cyber attackers also collaborate with foreign tech firms to infiltrate various networks and infrastructures around the world, causing widespread chaos in many parts of the globe. The Lazarus Group made its name known in 2016 when it conducted an audacious raid on the Bangladesh Bank. This bold cyber heist, conducted by a well-funded squad of computer hackers, revealed that North Korea has a wide network of accomplices spread across Asia, including criminal organizations, brokers, charities, and casinos, and that it uses a series of sophisticated tools such as fake bank accounts, online games, gambling programs, and social engineering tactics to infiltrate its targets. It should be noted that North Korea’s malign cyber activities could, at some point, be emulated by other adversaries of the U.S. or by terrorist and criminal organizations with malicious intentions. For this reason, various U.S. government agencies have repeatedly called out North Korea’s growing cyber threats and called for strong measures to confront the various attacks emanating from the regime.
Since the early 2000s, North Korea has conducted cyber operations to raid or steal information from the key infrastructure of a target country, such as military institutions, defense industries, financial networks, and energy facilities. North Korean cyber attacks are also believed to be an important new source of funding for its nuclear and missile program as well as a way to offset the revenue it lost to sanctions. Then the COVID-19 pandemic struck, which prompted the regime to ramp up cyber theft operations and malware attacks and to double down on illicit economic activities in the cyber domain. The prolonged closure of the country’s borders with China and Russia has made it impossible for North Koreans to trade goods through the black markets located near the border. An extreme shortage of daily necessities and a surge in the prices of these goods followed, prompting the regime to offset the economic fallout of the UN sanctions with revenues generated through cyber operations.
Since the outbreak of the COVID-19 pandemic, North Korean hackers have employed an array of sophisticated cyber techniques to hack cryptocurrency exchanges and global payment systems like the Society for Worldwide Interbank Financial Telecommunication (SWIFT) to steal digital assets. As the North Korean regime continues to launder an enormous amount of funds stolen from virtual currency heists targeting numerous countries, blockchain experts now call the country a “crypto superpower.” And on October 12, 2022, at a federal court in New York City, former Ethereum developer Virgil Griffith was sentenced to 63 months in prison for conspiring to violate the U.S. International Emergency Economic Powers Act by traveling to North Korea’s capital Pyongyang to give a presentation on blockchain technology.
On August 8, 2022, Tornado Cash, a popular cryptocurrency service, was sanctioned by the U.S. Treasury Department after North Korean hackers relied on it to launder illicit gains. The platform facilitates anonymous transactions by mixing funds from different sources before transmitting them to the ultimate beneficiary. North Korea’s Lazarus Group has laundered about $455 million through the service. Pyongyang also relies on other cryptocurrency mixers to launder stolen funds, including Blender, and such platforms have now been added to U.S. sanctions lists over alleged North Korea links. As shown by North Korea’s involvement in the $100 million hack of Harmony Bridge and in the theft of about $7.8 million from a cryptocurrency platform called Nomad, crypto companies are increasingly becoming the target of North Korea’s cyber theft attempts, and Tornado Cash was used to launder funds in both cases.
Microsoft’s threat intelligence teams, alongside LinkedIn Threat Prevention and Defense, warned of growing North Korean cyber-attacks targeting the media, IT services organizations, and the defense and aerospace industries in the United States, Britain, and Russia. It had already been revealed that North Korean hackers weaponize open-source software to steal political, economic, and military information from the regime’s adversaries. A wide range of open-source software, including remote access tools and PDF readers, has been leveraged to orchestrate such attacks. Pyongyang is also behind an increasingly orchestrated effort at sophisticated social engineering. North Korean state-sponsored hackers pose as recruiters on LinkedIn and WhatsApp, gain the trust of targeted victims, and then distribute open-source software and documents containing a backdoor.

Ⅱ. ROK’s Responses: Ongoing Efforts and Tasks Ahead 

South Korea boasts cyber security capabilities and commitment of the highest level globally. South Korea ranks fourth out of 194 countries in the Global Cybersecurity Index (GCI) released by the International Telecommunication Union (ITU) in 2021. The GCI assesses each country’s level of development along five pillars: (i) legal measures, (ii) technical measures, (iii) organizational measures, (iv) capacity development, and (v) cooperation. On closer inspection, however, South Korea’s efforts to implement responses to cyber threats across the defense, public, and private sectors have been fragmented and predominantly defense-oriented, as epitomized by “defense by denial.” The Yoon Suk Yeol administration established the Office of Secretary to the President for Cyber Security under the Director of National Security to integrate these fragmented responses into a united, aggressive front against rapidly growing cyber threats, and vowed to develop a legal framework for systematic responses to future threats. In addition, the Yoon administration is seeking to forge cyber alliances with major powers including the U.S. to enhance joint responses to and deterrence against growing cyber threats, codify mutual assistance in cyber security, and strengthen cooperation with like-minded countries across the international community.
The ROK, U.S., and Japan decided to discuss various ways to forge and implement joint responses to escalating cyber threats fomented by North Korea, such as malware attacks, extortion of virtual assets, and cyber espionage. On October 7, 2022, U.S. Special Representative for the DPRK Sung Kim held a trilateral call with ROK Special Representative for Korean Peninsula Peace and Security Affairs Gunn Kim and Japanese Ministry of Foreign Affairs Director General for the Asian and Oceanian Affairs Bureau Funakoshi Takehiro to discuss ways to double down on efforts to frustrate North Korea’s nuclear and missile ambitions funded by cryptocurrency theft. In the military domain, the ROK and U.S. governments have made substantial progress in cyber security cooperation. The two sides discussed various cyber security cooperation agendas, including formulating and implementing plans to facilitate information sharing and to regularize threat analysis and joint military drills. As a case in point, the ROK military’s Criminal Investigation Command (CIC) and the U.S. Department of the Air Force Office of Special Investigations (OSI) agreed to enhance cooperation to crack down on cyber crimes and will conduct a joint cyber exercise in December. In addition, the ROK Air Force is actively taking steps to strengthen space security cooperation with its allies and like-minded partners by participating in multilateral joint drills with the U.S. Air Force and U.S. Space Force (USSF), signing ROK-UK and ROK-Australia space cooperation agreements, and planning to participate in the Global Air and Space Chiefs’ Conference.
In May 2022, South Korea became the first country in Asia to join the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), as one of the CCDCOE’s five non-NATO members alongside Finland, Austria, Sweden, and Switzerland. South Korea has participated since 2018 in Locked Shields, the world’s largest cyber exercise, organized by the CCDCOE, and it is anticipated that the ROK’s CCDCOE membership will further deepen its cyber security cooperation with NATO. In particular, the Korean and U.S. governments have made significant progress in facilitating exchanges for cyber security simulation training and strategic planning. The ROK’s Cyber Operations Command signed a memorandum of understanding (MoU) with the U.S. Cyber Command on August 18, 2022, and participated for the first time in Cyber Flag, the U.S.-led multinational cyber military exercise held in Virginia from October 24 to 28, 2022. The annual Cyber Flag, held since 2011, brought together 275 cyber experts from 25 countries. And with Korea’s first participation, the two countries decided to enhance their future cyber training plans.
With growing cyber threats masterminded by Pyongyang and other international perpetrators, numerous daunting tasks and challenges lie ahead for Korea before its efforts on multiple fronts come to fruition. South Korea’s National Intelligence Service (NIS) and Defense Ministry have assumed responsibility for advancing national and cyber security interests. However, more pressing than ever is the need to beef up and diversify the roles of the Ministry of Foreign Affairs of the Republic of Korea in forging and deepening multi-faceted cyber security cooperation with its allies and friendly nations by fleshing out relevant foreign policy initiatives. It is advised that the ROK’s Foreign Ministry focus its efforts on establishing an effective strategic communication system, as this will serve as the most foundational instrument in facing down various hybrid threats, including cyber-attacks. To formulate feasible cross-government responses to transnational, complex, and simultaneous security challenges, including the activities of malicious actors in cyberspace such as cyber warfare and disinformation campaigns, the Korean government needs to bolster information sharing and streamline the decision-making process. To that end, it is critical to establish systems for strategic communication and crisis communication.
As clearly illustrated by the cyber warfare between Ukraine and Russia, the West and Ukraine have been able to maintain a competitive edge over Russia in offensive cyber operations, cyber defense, and psychological warfare by cooperating closely and promptly with Western IT companies such as Microsoft, Google, and SpaceX, and with many other experts and programmers in the private sector. Turning to the ROK’s case, government agencies and state-run companies have been easy, frequent targets of cyber attacks from North Korean and international perpetrators because their response capabilities fall short of those of private enterprises. And as private enterprises (media outlets, banks, health and medical institutions, and the defense industry) are outside of the government’s monitoring, it is tricky to assess the scope and extent of cyber attacks targeting them. In contrast, internet access is strictly limited in North Korea, with only a tiny fraction of North Koreans having access to the global internet, which means that Pyongyang can focus most of its resources and efforts on advancing offensive cyber capabilities.
Against this backdrop, it is advised that the Korean government dramatically overhaul its cyber security efforts in peacetime by facilitating public-private information sharing for better responses to cyber security threats, enhancing interoperability and boosting personnel exchanges, implementing joint research projects, and joining hands with the private sector in international cyber security cooperation. Cooperation with the private sector does not emerge fully formed at a single stroke in wartime or in times of crisis. What is critical is to lay the groundwork in peacetime, with a long-term perspective, through persevering efforts at information sharing and close cooperation based on a shared threat perception in formulating and implementing responses to cyber threats. Therefore, it is recommended that the Korean government strive to strengthen united fronts and partnerships with trustworthy private sector actors and create opportunities for active exchanges, strategic dialogue, and joint exercises to forge shared national security visions.

*Attached File
IFNAS FOCUS 2022-28E(송태은).pdf