State-Sponsored Cyber Threats: North Korea

State-sponsored cyber attacks are on the rise. Motivated by patriotic devotion or the draw of lucrative careers, many hackers now lend their skills to military and intelligence services seeking to infiltrate the private networks of their enemies. Data breaches now increasingly target sensitive personal information of government employees, valuable intellectual property of industry-leading corporations, as well as vulnerable critical infrastructure.

This blog begins a series of in-depth profiles on the world’s leading cyber powers— nations with demonstrated offensive cyber capabilities. We begin with an examination of North Korea’s infamous Bureau 121.

Despite grinding poverty, pervasive electricity outages, and chronic food shortages; North Korean leaders have poured countless resources into developing a sophisticated cyber warfare unit, called Bureau 121. Founded in the 1980s, Bureau 121 has grown exponentially to become one of the world’s largest cyber organizations. It is based in Pyongyang, but also reportedly works out of the basement of a highly rated North Korean hotel and restaurant in Shenyang, China. The unit is estimated to have recruited nearly 6,000 programmers.

Capabilities

Turning the country’s extremely limited Internet infrastructure into an advantage, Bureau 121 uses North Korea’s air gapped Intranet and a single outward facing Internet connection provider to deter external reconnaissance and mask their offensive and defensive cyber capabilities. For example, a May 2015 Reuters report found that five years ago, US intelligence agents were unable to penetrate North Korean networks. The 2010 attempt to deliver the Stuxnet virus was part of a simultaneous attack on the Iranian and North Korean nuclear programs.

A 2014 investigative report by Hewlett Packard identified Bureau 121 as being able to deliver multi-staged, coordinated attacks that could spread malware and disable or evade antivirus protections. The bureau specializes in sophisticated distributed denial of service (DDoS), encryption obfuscation, spear phishing, watering holes, and zero day attacks. Experts believe the unit will soon begin conducting cyber attacks capable of inflicting damage on critical infrastructure.

North Korean leader Kim Jong-Un retains tight control over the country’s Internet infrastructure; therefore all attacks originating from the country are almost certainly state-sponsored.

Victims

North Korea has directed the bulk of its cyber attacks at South Korea and the United States; focusing on military installations, banks, broadcasting companies, financial institutions, and government DNS servers. In 2013, North Korea was reportedly behind a widespread attack on three South Korean broadcasters and a major bank. The attack froze thousands of news broadcasters’ computers and rendered ATMs across the country unable to disperse cash. In March 2015, South Korean authorities blamed North Korea for a mass data breach on Korea Hydro and Nuclear Power – the company that operates South Korea’s 23 nuclear reactors.

A 2014 data breach report found that nearly half of all US companies had been hacked. There is limited evidence however, of any North Korean involvement, Sony Pictures the still disputable exception. Besides the Sony hack, a July 4th 2009 DDoS attack on US government websites has been the only other confirmed open-source attack against a US target.

Although confirmed cases of US targets are limited, entities possessing useful intellectual property (IP) may eventually become targets of interest. Numerous defector organizations agree that Bureau 121 is targeting US organizations that have information that could contribute to its nuclear program.

Motivations

The US Army believes North Korea’s declining conventional forces, which increasingly rely on aging and deteriorating weapons, is spurring the country’s advancement in cyber capabilities. Kim referred to cyber warfare as his “magic weapon,” which along with nuclear weapons can allow it to threaten Washington. The relatively low cost of breaching enemy information systems makes cyber warfare an attractive alternative for North Korean leaders. Cyber is also a more utilitarian option. The cost and barriers to entry are low enough to create a more level playing field amongst North Korea’s rich and powerful adversaries. In addition, cyber capabilities expand the regime’s ability to carry out espionage and psychological campaigns.

Outlook

Kim Jong-Un has dedicated enormous amounts of resources to developing his cyber program, which still has huge potential for growth. Recruiting talented new programmers for Bureau 121 is not only a government priority but also a much-welcomed opportunity among the general public as it “guarantees a certain level of quality of life.”

Patterns of past aggressions reveal that Pyongyang tends to launch attacks in response to political triggers, for example, a negative film release, US-ROK military drills, or significant holidays. In an effort to prepare for asymmetric warfare with the West, Pyongyang may try to target critical infrastructure operators and defense contractors who work with the Defense Department. With Pyongyang’s military and technological infrastructure deteriorating and its cyber capabilities expanding, it is likely that these US entities (already being targeted by Russian and Chinese hackers) will face yet another nation-state threat.