
Inside North Korea's Rapid Evolution to Cyber Superpower

Researchers examine North Korea's rapid evolution from destructive campaigns to complex and efficient cyber operations.

It took only a few years for North Korea to advance its cyber capabilities from solely destructive campaigns to sophisticated technical operations. This shift puts North Korea in competition with top nation-state groups and reveals strategic changes in how it plans to support its regime.


"[To say] I'm intrigued is an understatement by what they've done over the years," says Josh Burgess, technical lead and threat intelligence adviser at CrowdStrike. "I've been watching them at least six to seven years, personally, as they progress through their malware campaigns: how they've grown, how they've evolved, how they've done what they've done."

Its financial motivation sets North Korea apart from other nation-state groups, including the other members of the "Big Four" -- Russia, China, Iran, and North Korea -- Burgess notes.

Most other nation-state actors are motivated by national security or national economic objectives, with their activity primarily focused on the nation's overall well-being, adds Jason Rivera, director of CrowdStrike's global strategic advisory group.

"What North Korea appears to be doing is really around the well-being of the regime, engaging in financially motivated operations for the regime to continue with certain illicit activities," he says. 

But financial gain isn't its only differentiating factor, Burgess points out. While its attacks have grown more sophisticated, North Korea has a history of incorporating destruction into cyber activity from attacks dating back to 2007. This isn't often seen in other nation-states or attack groups.

"Everything has a destructive side to it," he explains. "There's a lot of reasons for that. One of the reasons is sabotage -- smashing stuff to smash stuff. And another part is complicating forensics, making it more difficult to recover. The other side is misattribution -- the idea that it's harder to attribute where the attack is coming from if everything is broken."

A More Intentional Nation-State

North Korea began to shift away from purely damaging cyberattacks after its 2014 attack on Sony and transitioned toward a "dual-pronged approach" that prioritizes both maintaining control for the current regime and attacks that boost its economy. Its attack techniques changed alongside its motivation, which has shifted in response to economic sanctions and pressure.

"A lot of that came back to the sanctions and a lot of the economic pressure that the United States started putting on North Korea … and the more sanctions you put on them, the harder it is for them to engage in legitimate trade operations, which is, of course, designed to really force them into better international behavior," Rivera explains. 

In response, North Korea doubled down on cybercrime. In 2015 and 2016, it began to target financial institutions such as Bangladesh Bank and the SWIFT international interbank messaging system for financial gain. This summer, US law enforcement and government agencies warned of a North Korean government campaign stealing millions in a broad ATM cash-out scheme.

These attacks highlight North Korea's intentionality in targeting, another trait that researchers say differentiates its attackers. Each attack is meant to achieve a specific goal. For example, attacks targeting financial institutions are less bound by geography; however, those meant for national security objectives may target the US, South Korea, or other regional adversaries. 

North Korea's cyber capabilities accelerated quickly relative to other nation-state attackers. "The ramp-up period was fairly short. It indicates a lot of focus on their part," Rivera says.

To illustrate this, the researchers point to "breakout time," or the amount of time it takes an attacker to move laterally once inside the network. Data shows North Korea took two hours and 20 minutes to achieve breakout, second only to Russia, which took roughly 19 minutes. In comparison, it took China an average of four hours, and Iran five, to achieve the same goal.
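As an added, defender-side illustration of the breakout-time metric described above (example code written for this page, not CrowdStrike's or the article's own tooling), the script below computes breakout time for one intrusion from constructed host telemetry and then compares a responder's detect-and-contain time against the breakout figures the article reports. The event schema, host names, and the helper functions are assumptions; the sample events are constructed, not real data.

```python
"""Measure intrusion 'breakout time' from host telemetry.

Breakout time here is the elapsed time between the first malicious activity
on the initially compromised host ("patient zero") and the first activity
on a second host, i.e. lateral movement. The event records, field names and
helpers below are assumptions for this example, not a real product schema.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry for a single intrusion (not real data).
SAMPLE_EVENTS = [
    {"ts": "2020-11-30T08:00:00Z", "host": "ws-017", "event": "malicious_process"},
    {"ts": "2020-11-30T08:25:00Z", "host": "ws-017", "event": "credential_access"},
    {"ts": "2020-11-30T09:10:00Z", "host": "ws-017", "event": "network_scan"},
    {"ts": "2020-11-30T10:20:00Z", "host": "fs-02", "event": "remote_logon", "src_host": "ws-017"},
    {"ts": "2020-11-30T11:05:00Z", "host": "dc-01", "event": "remote_logon", "src_host": "fs-02"},
]

# Breakout times as reported in the article (CrowdStrike figures), used only
# for comparison against a responder's own detect-and-contain time.
REPORTED_BREAKOUT = {
    "Russia": timedelta(minutes=19),
    "North Korea": timedelta(hours=2, minutes=20),
    "China": timedelta(hours=4),
    "Iran": timedelta(hours=5),
}


def parse_ts(value):
    """Parse the UTC timestamp format used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def breakout_time(events):
    """Return (patient_zero, first_lateral_host, elapsed), or None when the
    intrusion never reached a second host."""
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    if not ordered:
        return None
    patient_zero = ordered[0]["host"]
    start = parse_ts(ordered[0]["ts"])
    # The first event on any host other than patient zero marks breakout.
    for event in ordered[1:]:
        if event["host"] != patient_zero:
            return patient_zero, event["host"], parse_ts(event["ts"]) - start
    return None


def actors_outpaced(response_minutes, reported=REPORTED_BREAKOUT):
    """Actors whose reported breakout time is longer than a responder's
    detect-and-contain time, i.e. those against whom containment would land
    before lateral movement. Returns a sorted list of actor names."""
    response = timedelta(minutes=response_minutes)
    return sorted(name for name, bt in reported.items() if response < bt)


def format_duration(td):
    """Render a timedelta as e.g. '2h20m'."""
    minutes = int(td.total_seconds()) // 60
    return f"{minutes // 60}h{minutes % 60:02d}m"


if __name__ == "__main__":
    result = breakout_time(SAMPLE_EVENTS)
    if result is None:
        print("no lateral movement observed")
    else:
        patient_zero, lateral_host, elapsed = result
        print(f"breakout from {patient_zero} to {lateral_host} after {format_duration(elapsed)}")
    for minutes in (10, 60, 180):
        print(f"{minutes:>4} min response beats: {', '.join(actors_outpaced(minutes)) or 'nobody'}")
```

In the constructed data, the intrusion breaks out from ws-017 to fs-02 after 2h20m, matching the North Korea figure in the article; a responder who contains within 60 minutes would beat that, but not the roughly 19-minute Russian breakout. Real telemetry needs the events correlated to one intrusion (by attacker account, session, or process tree) before applying this, since plain host ordering across unrelated alerts would give a meaningless number.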

"I would say that really the evolution and the complexity of their attacks evolved along with the motive of their attacks," says Burgess, "which brings us to where we are at today, this dual-pronged approach -- not only the financial element, but also economic espionage, also national security espionage." 

To engage in these kinds of espionage, it's not just a "snatch and grab," he continues. Attackers must maintain persistence and return over a period of time, which requires sophistication.

Looking Ahead: What's Next for North Korea?

Burgess and Rivera, who will present their research in an upcoming Black Hat Europe briefing on Dec. 9, say North Korea will leverage its expertise in "cyber brinksmanship," a term used in deterrence strategy: How do you get your opponent to do something without attacking them? How do you take something to the very edge -- to "the very line of all-out war," as Burgess says?

"I think, in many ways, one of North Korea's primary objectives is to influence the behavior of the US and the rest of the international community," Rivera says of its future activity. 

The researchers also anticipate North Korea will continue to focus on its economic objectives and engage in espionage to support those plans. They speculate its attackers may engage in more advanced ransomware operations. While there is no evidence yet to confirm this, it would align with objectives North Korea has tried to achieve in the past.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
