North Korea’s hackers have been accused of carrying out some of the most audacious cyber attacks of the past few years, from siphoning millions of dollars to stealing state secrets.
Analysts say cyber capabilities have become a key asset in North Korea’s war chest, used for a wide range of purposes including hacking adversaries like South Korea and pilfering money.
Pyongyang’s increasingly bold attacks in the virtual space have come in tandem with the hermit nation’s rapidly progressing ballistic missile and nuclear programs.
“North Korea’s cyber weapons are as destructive as its conventional weapons,” Lim Jong-in, a cyber security professor at Korea University, told CNN. “Tomahawk missiles can paralyze a major country’s power grid and financial system. So do North Korea’s cyber weapons.”
In the latest revelation, a member of the South Korean ruling party said Tuesday that North Korea stole classified military documents from a South Korean Defense Ministry database in September 2016. They included a document that included plans to “decapitate” the North Korean leadership.
And cybersecurity firm FireEye said Tuesday that it detected and stopped an attack on US electric companies by people with links to the North Korean government.
The hackers’ skill is all the more surprising considering they come from a reclusive country where internet use is heavily restricted.
Inside North Korea, citizens only have access to a government-run, heavily censored intranet rather than the full depths of the world wide web.
But that hasn’t stopped its hackers from becoming some of the best in the business.
“North Korea almost certainly has the capability to conduct disruptive and potentially destructive attacks, as well as more traditional cyber espionage operations,” Bryce Boland, the chief technology officer for Asia-Pacific at FireEye, told CNN.
How big a security threat is North Korean hacking?
North Korea’s cyber capabilities are yet another dangerous arrow in a quiver that includes chemical weapons, nuclear warheads and the world’s fourth-largest standing army.
“Cyber experts say North Korea should be ranked among the top 5 in the world. I believe North Korea can steal anything they want through cyber espionage. No country is safe from its cyber espionage,” Lim said.
South Korea said in December that Pyongyang had broken into the South Korean military intranet and leaked confidential information.
South Korea has strong cyber security defenses, but North Korea’s isolation gives it an unexpected advantage, Boland said.
“North Korea has little connectivity and relatively limited reliance on technology, making it less vulnerable to attacks,” he said.
And the latest revelations from South Korea allege that North Korean hackers stole some 235 gigabytes worth of data, including a joint South Korea-US wartime operational plan.
“If the North Koreans in fact accessed the US/South Korean defense plans, this is a treasure trove of information and presents a real danger,” said CNN military analyst Lt Col Rick Francona.
“The only good thing about it is that we know that it happened and when. That at least allows us to do damage control — mitigate the damage done to national security.”
What tactics do they use?
Boland said spear phishing — messages which appear to be from a trusted source or about a topic specific to the person being targeted but in fact conceal malware or another way for a hacker to attempt to gain access to computers — is a favorite tactic of the North Koreans.
“Once the victim organization has been compromised, we see additional tools being deployed,” he said.
Another tactic they’ve been caught using, Boland said, is called a “watering hole attack.” That involves compromising websites that people visit and placing weaponized content there for them to click.
Top South Korean government officials’ smartphones were also hacked in 2016, according to the country’s spy agency. Seoul accused North Korea of stealing text messages and voice communications by “sending enticing text messages.”
Pyongyang is also suspected of turning 60,000 computers in South Korea into “zombies,” or computers that have been compromised by hackers and can then be used for cyberattacks. South Korea’s spy agency estimated that Pyongyang took control of 10,000 computers in a single month in 2015.
Whatever the type of attack, North Korea will conduct reconnaissance and research ahead of time and tailor it to the specific organization or victim they’re targeting, Boland told CNN.
How do they operate?
Child prodigies are sought from a young age and recruited, according to Kim Heung-kwang, a North Korean defector who worked as a computer science professor in Pyongyang before escaping in 2004.
The country has established about 250 elite schools for computer education, Kim told CNN Wednesday. From there, authorities select 500 of the most talented students for even more advanced training in cyber combat at two schools in Pyongyang.
Once their studies are done, some are assigned to cyber units for hands-on training. Others end up working in places like Shenyang, China, where a secret network of hackers called “Bureau 121” operates, Kim explained.
Kim, in a 2015 interview with CNN’s Will Ripley, said Shenyang offers hackers good internet infrastructure and the ability for North Koreans to work secretly.
However, a recent move by Russia to provide North Korea a new internet connection increases the bandwidth available in country. According to FireEye’s Boland, that also carries risks for the regime.
“It gives Russia a stake, influence in North Korea it didn’t previously have. Russia can also track North Korea’s internet to potentially identify the targets picked up by North Korea,” he said.
Previously, North Korean internet traffic was funneled through one sole link, provided by Chinese telecommunications firm China Unicom, according to experts.
Who does North Korea target?
Whatever the methods are, North Korea has been accused of some of the most damaging hacking operations of the 21st century.
They include the Sony hack of 2014, in which servers were brought down, movies were leaked and a trove of emails, Social Security numbers and employee salaries were released. The finger was pointed at North Korea due to the fact that Sony was about to release “The Interview,” a comedy about a plot to kill North Korean leader Kim Jong Un.
In February 2016, $101 million was fraudulently transferred out of the Bangladesh central bank’s account at the New York Federal Reserve and eventually made its way to the Philippines.
Researchers found that the hackers responsible for the theft carefully routed their signal through France, South Korea and Taiwan to set up their attack server, but made a critical mistake that established a connection to North Korea.
Most of the funds have not been recovered.
Analysts say North Korea has been preparing similar operations targeting cryptocurrencies like Bitcoin, as international sanctions make it harder for North Korea to use the dollar.
UK and US intelligence agencies also linked this year’s WannaCry cyber attack to North Korea.