Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

05:30 PM
Connect Directly

Inside North Korea's Rapid Evolution to Cyber Superpower

Researchers examine North Korea's rapid evolution from destructive campaigns to complex and efficient cyber operations.

It took only a few years for North Korea to advance its cyber capabilities from solely destructive campaigns to sophisticated technical operations. This shift puts North Korea in competition with top nation-state groups and reveals strategic changes in how it plans to support its regime.

Related Content:

Alexa, Disarm the Victim's Home Security System

The Changing Face of Threat Intelligence

New on The Edge: SASE 101: Why All the Buzz?

"[To say] I'm intrigued is an understatement by what they've done over the years," says Josh Burgess, technical lead and threat intelligence adviser at CrowdStrike. "I've been watching them at least six to seven years, personally, as they progress through their malware campaigns: how they've grown, how they've evolved, how they've done what they've done."

Its financial motivation sets North Korea apart from other nation-state groups, especially the "Big Four" -- Russia, China, Iran, and North Korea, Burgess notes.   

Most other nation-state actors are motivated by national security objectives or national economic objectives, with their activity primarily focused on the nation's overall well-being, adds Jason Rivera, director of CrowdStrike's global strategic advisory group, of the differences.

"What North Korea appears to be doing is really around the well-being of the regime, engaging in financially motivated operations for the regime to continue with certain illicit activities," he says. 

But financial gain isn't its only differentiating factor, Burgess points out. While its attacks have grown more sophisticated, North Korea has a history of incorporating destruction into cyber activity from attacks dating back to 2007. This isn't often seen in other nation-states or attack groups.

"Everything has a destructive side to it," he explains. "There's a lot of reasons for that. One of the reasons is sabotage -- smashing stuff to smash stuff. And another part is complicating forensics, making it more difficult to recover. The other side is misattribution -- the idea that it's harder to attribute where the attack is coming from if everything is broken."

A More Intentional Nation-State
North Korea began to shift away from purely damaging cyberattacks after its 2014 attack on Sony and transitioned toward a "dual-pronged approach" that prioritizes both maintaining control for the current regime, along with attacks to boost its economy. Its attack techniques changed alongside its motivation, which has shifted due to economic sanctions and pressures.

"A lot of that came back to the sanctions and a lot of the economic pressure that the United States started putting on North Korea … and the more sanctions you put on them, the harder it is for them to engage in legitimate trade operations, which is, of course, designed to really force them into better international behavior," Rivera explains. 

In response, North Korea doubled down on cybercrime. In 2015 and 2016, it began to target financial institutions such as Bangladesh Bank and the SWIFT international interbank messaging system for financial gain. This summer, US law enforcement and government agencies warned of a North Korean government campaign stealing millions in a broad ATM cash-out scheme.

These attacks highlight North Korea's intentionality in targeting, another trait that researchers say differentiates its attackers. Each attack is meant to achieve a specific goal. For example, attacks targeting financial institutions are less bound by geography; however, those meant for national security objectives may target the US, South Korea, or other regional adversaries. 

North Korea's cyber capabilities accelerated quickly relative to other nation-state attackers. "The ramp-up period was fairly short. It indicates a lot of focus on their part," Rivera says.

To illustrate this, the researchers point to "breakout time," or the amount of time it takes an attacker to move laterally once inside the network. Data shows North Korea took two hours and 20 minutes to achieve breakout, second only to Russia, which took roughly 19 minutes. In comparison, it took China an average of four hours, and Iran five, to achieve the same goal.

"I would say that really the evolution and the complexity of their attacks evolved along with the motive of their attacks," says Burgess, "which brings us to where we are at today, this dual-pronged approach -- not only the financial element, but also economic espionage, also national security espionage." 

To engage in these kinds of espionage, it's not just a "snatch and grab," he continues. Attackers must maintain persistence and return over a period of time, which requires sophistication.

Looking Ahead: What's Next for North Korea?
Burgess and Rivera, who will present their research in an upcoming Black Hat Europe briefing on Dec. 9, say North Korea will leverage its expertise in "cyber brinksmanship," a term used in deterrence strategy: How do you get your opponent to do something without attacking them? How do you take something to the very edge -- to "the very line of all-out war?" as Burgess says.

"I think, in many ways, one of North Korea's primary objectives is to influence the behavior of the US and the rest of the international community," Rivera says of its future activity. 

The researchers also anticipate North Korea will continue to focus on its economic objectives and engage in espionage to support those plans. They speculate its attackers may engage in more advanced ransomware operations. While there is no evidence yet to confirm this, it would align with objectives North Korea has tried to achieve in the past.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-23
Vulnerability in OpenGrok (component: Web App). Versions that are affected are 1.6.7 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise OpenGrok. Successful attacks of this vulnerability can result in takeover of OpenGrok. CVSS 3.1 ...
PUBLISHED: 2021-06-23
A vulnerability in SonicOS where the HTTP server response leaks partial memory by sending a crafted HTTP request, this can potentially lead to an internal sensitive data disclosure vulnerability.
PUBLISHED: 2021-06-23
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.
PUBLISHED: 2021-06-23
Heap based buffer overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file.
PUBLISHED: 2021-06-23
Heap based buffer overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file.