North Korea's successful missile launch last Sunday has further sharpened the world's focus on the country’s growing nuclear capabilities. But in remarks last month, Homeland Security Secretary John Kelly commented that North Korea poses a more likely cyber threat than it does a nuclear concern.
While years of sanctions have isolated the Hermit Kingdom from much of the global financial system, North Korea may be seeking to fund the state's coffers through a widespread cyber-crime campaign. It appears that its ability to do so may be enhanced, rather than hampered, by the increased attention that is paid to its accelerating nuclear program.
In early 2016, multiple South Korean security vendors who provide services to the country's financial sector were targeted with malware in a campaign that also affected aerospace and defense. More notably last year, an intrusion at an Asian bank eventually revealed a manipulation of international systems and a loss of over $81 million dollars. Several months after that, similar activity was uncovered targeting the Financial Supervision Authority of Poland, where North Korea has an embassy that likely could have supplied cyber threat operators with Polish-language operational support. We now strongly suspect that this activity is linked to North Korean state-sponsored cyber espionage actors.
For close observers of North Korea's capabilities, state-sponsored espionage actors carrying out financial theft should not come wholly as a surprise. To augment the little trade it is able to carry out under sanctions, North Korea has relied upon a government department, Office 39, to generate hard currency through everything from counterfeiting to weapons sales and other illicit activity, all for the financial benefit of the state and Kim regime. Given Office 39's mission and North Korea's need to fund (among other things) its nuclear weapons program, it is quite likely that this activity is as much for financial gain as it is for the destabilizing affect it has on the global financial system North Korea is mostly isolated from.
Even if these cyber-enabled thefts were opportunistic in the past, there may be reason to believe that more coordinated and intentional campaigns could surface in the near future. If the US successfully convinces China to apply pressure to North Korea—especially by reducing its economic relationship and following suit with India, which recently suspended most of their trade relationships—Pyongyang would be left with few options to compensate for lost income that it could ramp up as quickly as cybercrime.
Though large-scale heists might be North Korea's preference, they could also leverage the increasingly professionalized and growing ransomware space to accomplish the same ends. Researchers have already noted potential North Korean ties to the recent WannaCry ransomware campaign that has affected hospitals and other organizations across Europe. While the financial gain netted from this activity—to date—seems to be minimal in relation to the affect it has been able to unleash, regardless of the responsible actors, it has likely served as an important proof of concept for future operations. A potentially riskier tactic they could employ from the cyber crime playbook would be the theft and public sale of data from international organizations, similar to the Shadow Brokers' sale of reported NSA tools and Cuba’s traditional use of state-backed spies to sell purloined intelligence. While the motivations of the Shadow Brokers may be less aligned with financial gain, North Korea would be just as interested in this as the political impact of doxing a rival's intrusion tools.
Beyond North Korea, this could also demonstrate a greater principle in how nuclear-armed and cyber-equipped states employ the latter capability in less-than-war situations, as Iran is currently doing. In late 2016 through early 2017, suspected Iranian wiper malware Shamoon returned in a campaign against Saudi Arabia, while a similar tool named Shapeshift (or StoneDrill) was discovered also targeting the petrochemical sector in the same country. By targeting a key US ally through show-of-force campaigns, Iran has signaled a willingness to employ destructive capabilities outside periods of heightened conflict. Without doubt, this will influence to some extent future negotiations over its weapons program. An Iran pursuing a nuclear weapon—while possessing destructive cyber capabilities—presents two security challenges to deal with and increases the country’s bargaining position in future negotiations. The upcoming elections in Iran this week may further serve as an inflection point that will better illuminate how these issues evolve.
In a domain of still-emerging norms, where responsible actors are seeking the most appropriate and proportional means of response, actors willing to employ cyber in novel and aggressive ways will likely continue to create space from which to negotiate and maneuver. A North Korea capable of delivering nuclear-armed ICBMs is certainly a nightmare scenario, but we should not lose sight of how Pyongyang may exploit those fears to its advantage in cyberspace. With the attention of the United States and its allies at present focused on North Korea's nuclear activity, North Korea potentially has greater latitude to act aggressively in the cyber realm, especially against the private sector.