It took only a few years for North Korea to advance its cyber capabilities from solely destructive campaigns to sophisticated technical operations. This shift puts North Korea in competition with top nation-state groups and reveals strategic changes in how it plans to support its regime.
"[To say] I'm intrigued is an understatement by what they've done over the years," says Josh Burgess, technical lead and threat intelligence adviser at CrowdStrike. "I've been watching them at least six to seven years, personally, as they progress through their malware campaigns: how they've grown, how they've evolved, how they've done what they've done."
Its financial motivation sets North Korea apart from other nation-state groups, especially the "Big Four" -- Russia, China, Iran, and North Korea, Burgess notes.
Most other nation-state actors are motivated by national security objectives or national economic objectives, with their activity primarily focused on the nation's overall well-being, adds Jason Rivera, director of CrowdStrike's global strategic advisory group, of the differences.
"What North Korea appears to be doing is really around the well-being of the regime, engaging in financially motivated operations for the regime to continue with certain illicit activities," he says.
But financial gain isn't its only differentiating factor, Burgess points out. While its attacks have grown more sophisticated, North Korea has a history of incorporating destruction into cyber activity from attacks dating back to 2007. This isn't often seen in other nation-states or attack groups.
"Everything has a destructive side to it," he explains. "There's a lot of reasons for that. One of the reasons is sabotage -- smashing stuff to smash stuff. And another part is complicating forensics, making it more difficult to recover. The other side is misattribution -- the idea that it's harder to attribute where the attack is coming from if everything is broken."
A More Intentional Nation-State
North Korea began to shift away from purely damaging cyberattacks after its 2014 attack on Sony and transitioned toward a "dual-pronged approach" that prioritizes both maintaining control for the current regime, along with attacks to boost its economy. Its attack techniques changed alongside its motivation, which has shifted due to economic sanctions and pressures.
"A lot of that came back to the sanctions and a lot of the economic pressure that the United States started putting on North Korea … and the more sanctions you put on them, the harder it is for them to engage in legitimate trade operations, which is, of course, designed to really force them into better international behavior," Rivera explains.
In response, North Korea doubled down on cybercrime. In 2015 and 2016, it began to target financial institutions such as Bangladesh Bank and the SWIFT international interbank messaging system for financial gain. This summer, US law enforcement and government agencies warned of a North Korean government campaign stealing millions in a broad ATM cash-out scheme.
These attacks highlight North Korea's intentionality in targeting, another trait that researchers say differentiates its attackers. Each attack is meant to achieve a specific goal. For example, attacks targeting financial institutions are less bound by geography; however, those meant for national security objectives may target the US, South Korea, or other regional adversaries.
North Korea's cyber capabilities accelerated quickly relative to other nation-state attackers. "The ramp-up period was fairly short. It indicates a lot of focus on their part," Rivera says.
To illustrate this, the researchers point to "breakout time," or the amount of time it takes an attacker to move laterally once inside the network. Data shows North Korea took two hours and 20 minutes to achieve breakout, second only to Russia, which took roughly 19 minutes. In comparison, it took China an average of four hours, and Iran five, to achieve the same goal.
"I would say that really the evolution and the complexity of their attacks evolved along with the motive of their attacks," says Burgess, "which brings us to where we are at today, this dual-pronged approach -- not only the financial element, but also economic espionage, also national security espionage."
To engage in these kinds of espionage, it's not just a "snatch and grab," he continues. Attackers must maintain persistence and return over a period of time, which requires sophistication.
Looking Ahead: What's Next for North Korea?
Burgess and Rivera, who will present their research in an upcoming Black Hat Europe briefing on Dec. 9, say North Korea will leverage its expertise in "cyber brinksmanship," a term used in deterrence strategy: How do you get your opponent to do something without attacking them? How do you take something to the very edge -- to "the very line of all-out war?" as Burgess says.
"I think, in many ways, one of North Korea's primary objectives is to influence the behavior of the US and the rest of the international community," Rivera says of its future activity.
The researchers also anticipate North Korea will continue to focus on its economic objectives and engage in espionage to support those plans. They speculate its attackers may engage in more advanced ransomware operations. While there is no evidence yet to confirm this, it would align with objectives North Korea has tried to achieve in the past.