In late September, the security company FireEye Threat Research discovered spear phishing emails sent to U.S. electric utilities “by known cyber threat actors likely affiliated with the North Korean government.” The company says it stopped the attacks, which it described as an early-stage reconnaissance “not necessarily indicative of an imminent, disruptive cyber attack.” It remains unclear what information, if any, the hackers obtained from the attacks.
The potential for North Korea to destroy critical infrastructure without a nuclear weapon has largely been ignored, yet Pyongyang has enough cyber offensive capability to cause serious damage. In 2014, a cyber attack on Sony Pictures destroyed files and leaked sensitive internal emails online. Washington blamed North Korea for the hacking, and responded by allegedly interrupting North Korea’s internet access for about a week after the attack. More recently, the U.S. Cyber Command reportedly tried to block online service to North Korea’s powerful intelligence agency, the Reconnaissance General Bureau (RGB), by flooding it with traffic from multiple sources. The RGB reports directly to Pyongyang’s National Defense Commission, which is directly controlled by North Korean leader Kim Jong Un himself.
Overall, however, North Korea’s isolation makes it hard for the United States to come up with an effective strategy to counter Pyongyang’s cyber attacks. The closed nature of its society means Washington has had to rely on outside sources for intelligence-gathering, and the North Korean population’s limited access to the internet means that many of its cyber forces operate from outside North Korea.
A South Korean Defense White Paper noted in 2014 — the year of the Sony attack — that North Korea had about 6,000 “cyber warfare troops.” By comparison, the U.S. Cyber Command, established by the Obama administration in 2009, has around 700 military and civilian employees; cyber units in U.S. military services have a goal of maintaining 6,200 personnel.
While most fear a nuclear attack from North Korea, Pyongyang has consistently used cyber attacks as a distraction from its nuclear program. Since North Korea’s second nuclear test in May 2009, its cyber attacks have targeted South Korea’s critical networks every time it has conducted a nuclear test. After its third test in February 2013, South Korean television stations and a bank suffered from the 3.20 Cyber Terror attack, known as DarkSeoul. In January 2016, when North Korea conducted its fourth nuclear test, there was a massive spear phishing campaign targeting South Korean public officials, meant to distribute malware to their computers. After the fifth test in September 2016, the South Korean military suffered a major breach that led to the loss of a cache of secret military files.
In the midst of these many offensives, it is difficult to ascertain a pattern or strategy in North Korea’s cyber attacks. But if North Korea’s assaults on South Korea are taken as indicative of Pyongyang’s broader cyber strategy, the recent discovery of North Korean-origin malware in the U.S. electrical grid is likely part of an early-stage probe for weaknesses in the U.S. system. While it may be obvious that North Korea wants the ability to attack critical U.S. infrastructure, Pyongyang also wants to send a broader signal that it has the capability to penetrate American systems. Just making the international community aware of this threat could grant it leverage in any negotiations about its nuclear program.
North Korea is not alone in its attempts to access U.S.-based electrical companies – Russia and Iran have tried too. However, in this case, North Korea’s attacks on South Korea’s electrical grid provide Washington with a template for understanding Pyongyang’s hacking strategy. In 2017, the South Korean Ministry of Trade, Industry, and Energy charged that hackers had tried to access two South Korean state-owned electric companies, Korea Electric Power Corporation (KEPCO) and Korea Hydro & Nuclear Power (KHNP), almost 4,000 times over 10 years. Choo Mi-ae, the leader of South Korea’s ruling party, said an official KEPCO report confirmed that at least 19 of the 2013-2014 attacks on the utility originated from the North.
In December 2014, North Korean hackers leaked blueprints and test data for KHNP, the South Korean nuclear operator. The hackers, known as “Who Am I” and claiming to be protesting against nuclear facilities, leaked the information over social media, presumably to try to create public panic and to disrupt energy policies in the South. Although South Korean officials claimed that only non-critical nuclear data was leaked in the breach, it cannot be ignored that the country was exposed to the potential risks of blackout as well as radioactive contamination.
In attempting to penetrate the U.S. grid, North Korea is following the same playbook that it developed against South Korea.
A nationwide attack on U.S. electricity providers would be difficult given that local stations operate independently of each other, using a range of technology and, in many cases, old manual systems. That said, reconnaissance is the first step in any major attack – physical or cyber. In the case of the Russian attacks on the Ukrainian electrical grid, the Russian hackers spent a long time in the utilities’ networks gathering information. Those attacks also began with a spear phishing campaign.
To tackle this threat, the United States must stop other countries from directly and indirectly supporting North Korea’s cyber attacks. North Korea accesses the outside world through a Chinese internet provider, and North Korean hackers reportedly operate from inside China. A Russian company recently started providing an internet connection to North Korea, and Iran provides it with equipment. There are rumors that North Korean hackers operate from countries in South and Southeast Asia. The Trump administration needs to build new relations with North Korea’s allies to weaken the activity of North Korean hackers within their territories.
Perhaps most urgently, Washington needs to determine Pyongyang’s end game. WannaCry was likely an attempt to generate cash to counter the effects of sanctions, and researchers say that North Korea’s hackers netted millions from the 2016 cyber heist at Bangladesh Bank and on exchanges trading in virtual currencies like Bitcoin and Ethereum.
North Korea’s attempt to probe the U.S. power grid indicates Pyongyang is looking for a bargaining chip to gain leverage if it ever engages in any talks with Washington. As with its nuclear program, North Korea will continue to develop its cyber strategy with help from sympathetic regimes while simultaneously avoiding escalating to a “real” war against the United States. Although we still have most to fear from a nuclear attack, Pyongyang’s threats – and ability – to use its cyber strength are cause for serious concern.