North Korea, officially the Democratic People’s Republic of Korea (DPRK), is one of the leading cyber threat actors out there today. The cyber capabilities are an extension of the state’s national objectives and military strategy. The lack of global safeguards, low-cost and low-risk with potentially high yield makes cybercrime a natural choice for the North Korean regime, who successfully pioneered a new model of state-sponsored cybercrime that could create a dangerous blueprint for other rogue states to follow.
As a nation that is under great international financial and political pressure, North Korea has a long history of bringing capital into the country via illicit means and strongly relied on illegal activities to evade sanctions, such as counterfeiting, smuggling of metals, gems, cash, arms trading, gambling and illegal shipping operations. Cybercrime is merely an expected extension of this strategy and corresponds with the state’s larger approach and national goals. As such, cybercrime has become a primary means of revenue generation for North Korea, helping the state to work outside international sanctions and ensure the continuation of the Kim Jong-Un regime. This North Korean leader sees cyberwarfare as “an all-purpose sword that guarantees the North Korean People’s Armed Forces ruthless striking capability, along with nuclear weapons and missiles.”
North Korean advanced persistent threat (APT) groups leverage cybercrime to finance the state’s nuclear development side by side with the intelligence collection and espionage campaigns. North Korean APT groups have carried out countless of cyberattacks in over 30 countries, with a reported 300% increase in the volume of activity since 2017. The attack campaigns were against several sectors, including energy, finance, government, industry, technology and telecommunications. Since January 2020, North Korean threat actors have targeted these sectors in Argentina, Australia, Belgium, Brazil, Canada, China, Denmark, Estonia, Germany, Hong Kong, Hungary, India, Ireland, Israel, Italy, Japan, Luxembourg, Malta, the Netherlands, New Zealand, Poland, Russia, Saudi Arabia, Singapore, Slovenia, South Korea, Spain, Sweden, Turkey, the United Kingdom, Ukraine, and the United States.
Some estimates suggest that cybercrime profits for North Korea may amount to as much as $1 billion each year. According to the UN Security Council as much $2 billion is already making its way directly into the nation’s weapons program.
The cybercrime model of North Korea could create a blueprint for other nations to develop similar programs. Without international action, this could result in escalating cyber guerrilla warfare, putting all nations at significant risk.
As I mentioned in a media alert today, “The world needs to start taking this threat more seriously. North Korean attacks are often more brazen and reckless than those sponsored by other states because they are not afraid of getting caught—this makes them particularly dangerous. North Korea has thrown the entire rule book out the window and that gives the cybercriminals it sponsors free reign to engage in highly destructive, global attacks, such as the WannaCry ransomware attack on Windows users worldwide, which was the first destructive attack at that scale, affecting more than 200,000 users across at least 150 countries. North Korea is setting an example that other rogue states can follow; states such as Belarus can see that cybercrime offers them a way of countering the worst effects of sanctions, while making themselves more of a threat to the wider community.”
Sporadic and opportunistic attempts from other rogue countries have been already reported. Chinese state-backed APT groups, like APT27 and APT41, are known to monetize their targets using ransomware or other means as part of larger cyberespionage campaigns. In Russia, some evidence suggests that Russia’s military cyber units use military resources and infrastructure to create cash flow and funds to corrupt individuals in the military. Although these are most likely motivated by personal financial gain or hobbyist interests and are not part of a larger national strategy policy—it may only be a matter of time until they adopt the North Korean model.
DPRK cyber operators support operations for multiple APT groups that likely share malware and resources through its military-affiliated ‘Reconnaissance General Bureau’ (RGB), including Lazarus Group, APT37, APT38 and Kimsuky that are known to target business and governments worldwide via targeted and destructive attacks. Some of the groups’ operations are focused almost exclusively on developing and conducting financially motivated campaigns targeting international entities, using methods such as ransomware, ATM cashout schemes, cryptomining and cryptocurrency theft, and even cyber bank heists. For example, we saw the $101 million heist of the Bangladesh Bank via the SWIFT banking system.
Several of these attacks are characterized by their use of code signing certificates, which serve as machine identities making it possible for businesses to trust the software they use. North Korea is one of the top threat actors out there. Being part of the national strategy, its cyber capabilities are very advanced—making the use of machine identities and complicated supply chain attacks only natural.
In a campaign published in November 2020, Lazarus Group used stolen code signing certificates to execute a sophisticated supply chain attack on financial services and governmental website users in South Korea. Lazarus, active since 2009 and reportedly responsible for the attack against Sony Pictures Entertainment in 2014, leveraged stolen code signing certificates from two legitimate South Korean security companies—one of which was issued to the US branch of a South Korean security company and executed a novel supply chain attack involving a software required for South Korean users when accessing government or financial services banking websites.
North Korea’s use of code signing machine identities makes its attacks particularly hard to defend against. Stealing code signing machine identities equips North Korean cybercriminals with the ability to pass off their own malicious software as legitimate software from a genuine developer. It also enables them to execute devastating supply chain attacks. The problem is that there’s currently not enough awareness and security around the importance of machine identities. This lack of focus allows North Korean cybercriminals to take advantage of a serious blind spot in the software supply chain. Without more co-ordination and collaboration among businesses and governments to address the tactics used by North Korean cybercriminals, these threats will only get worse, and other global pariahs will sense their own opportunities.