Why North Korea Hacks

The motivation behind Democratic People’s Republic of Korea hacking is rooted in a mix of retribution, paranoia, and the immature behavior of an erratic leader.

Mike Walls, Managing Director Security Operations & Analysis, EdgeWave

January 15, 2015

(Image: Michael Day, "North Korea Is Best Korea," uploaded by russavia, via Wikimedia Commons: http://commons.wikimedia.org/wiki/File%3ANorth_Korea_is_best_Korea_(6647205139).jpg)

Second in a series on the motivations that compel nation-states to hack. 

The Democratic People’s Republic of Korea (DPRK) is about as far from a democratic republic as a country can get. It is certainly not a government “of” its citizens. The country has been dominated by a small group that exercises complete control over every aspect of North Korean society. Leading the handful of power brokers has been the “Supreme Leader,” a title which has belonged to three men since Korea was partitioned following World War II.

The first two “Supreme Leaders,” Kim Il-sung and Kim Jong-il, established cults of personality among North Koreans and were viewed as eccentric on the world stage. Throughout their reigns, the DPRK was involved in a number of incidents, most of which involved some form of military action intended to provoke a reaction from the Republic of Korea (ROK), and her most steadfast ally, the United States. There have been over 150 incidents between the DPRK, the ROK, and the US since the Korean Conflict. Some of those conflicts have resulted in the deaths of South Korean citizens, military personnel, and US service members.

The current Supreme Leader, Kim Jong-un, has continued his predecessors’ legacies of maintaining a large and imposing conventional military, and has established a militaristic presence in the cyberdomain. However, Kim Jong-un is somewhat hampered in his efforts to establish the DPRK as a dominant player in the cyberworld, because DPRK cyber capability is rudimentary, particularly compared to the other nations we will discuss. In spite of resource constraints, the DPRK is working hard to establish a credible cyber capability. Like the Chinese Government, the DPRK is believed to be building a cyberarmy, and it is widely known that it has invested heavily in an elite cyber espionage group called Bureau 121.

The motivation behind DPRK hacking is rooted in an interesting mix of paranoia and retribution. The paranoia is similar to the Chinese Government’s view of the United States as a military and economic threat because it perceives the US as meddling in Eastern Pacific affairs. In the case of the DPRK, the paranoia is amplified to the extreme. The deep distrust that the DPRK harbors toward the West and the ROK, its neighbor to the south, is rooted in the Korean Conflict, which ended with an armistice in 1953. The ROK and DPRK are literally still at war, and both countries have maintained a wartime footing since the armistice. As the aggressor, the DPRK doesn’t hesitate to provoke the ROK whenever it serves its purpose. As an example, the DPRK is alleged to have conducted cyberattacks on ROK government and media organizations, coincident with the Korean Conflict Anniversary in 2013.

The recent cyberattack on Sony Pictures is particularly interesting because it appears to go further than what we typically see from the hacktivist community. Generally, hacker groups attempt to make visible statements expressing their displeasure with an organization or government by defacing a website or temporarily disrupting business operations. In the Sony case, the group identified as the Guardians of Peace, and allegedly affiliated with the DPRK, was responding to a discrete event and identified a specific desired short-term outcome, i.e.: Don’t release the movie The Interview. This was a remarkable and unprecedented demand facilitated in cyberspace.

North Korea’s response to the release of the movie was both impulsive and excessive by democratic standards. But the response is not surprising given the previous erratic and adolescent behavior of Kim Jong-un. (Anyone who enjoys the antics of Dennis Rodman can’t possibly be mature enough to lead a country -- I had to say it.) It is as if the Supreme Leader, by proxy, lashed out on a playground like a young child, “getting back” at a playmate for name-calling. In this case, the “lashing out” is the hack, and “getting back” is Sony’s harsh economic loss. Generally unknown, the Guardians of Peace allegedly drove the behavior of a major motion picture corporation and successfully disrupted the corporation’s business operations. In military parlance, that’s called a soft kill, which can be every bit as effective as a hard kill.

Perhaps most interesting, and at the same time most concerning, is the notion that the Sony hack was an act of terrorism, which reasonable people may conclude. The FBI defines terrorism as “an act that appears to be intended to intimidate or coerce a civilian population; and to influence the policy of a government by intimidation or coercion.” If we substitute the word “corporation” for “government” in the definition, we have a terror act intended to intimidate and coerce the Sony Pictures Corporation into ending distribution of the movie. While we can’t say with certainty that the Sony hack was actually an act of terror, the event may have validated the idea that terrorism in the cyberdomain can be successful, a point that won’t be missed by terror groups.

About the Author

Mike Walls is the Managing Director of Security Operations at EdgeWave. During his time as a captain with the US Navy, he was commander of Task Force 1030 and was directly responsible for the cyberreadiness of more than 300 ships, 4,000 aircraft, and 400,000 Navy personnel. He personally directed forces conducting cyber operations across the global Navy cyberdomain and oversaw development and implementation of cooperative (Blue Team) and non-cooperative (Red Team) cyberreadiness assessments across the Navy cyber infrastructure.