Despite the COVID-19 pandemic’s economic disruptions and U.N. sanctions, North Korea has found new, and illegal, ways to support the regime: cyberattacks garnering nearly $400 million in cryptocurrency last year and nearly $1 billion in 2022 thus far. While the United States has evidently made attempts to prevent these cyberattacks – such as sanctioning virtual currency mixer Tornado Cash for supporting North Korean hackers – additional measures are needed to better prevent future cyberattacks, including increased cybersecurity cooperation between the U.S. and South Korea.
North Korea Cyber Trends
North Korea’s cyberattacks generally fall within three common types. First, espionage, disruptive attacks, and destructive attacks, such as the 2013 Operation Dark Seoul and the parallel espionage operation in which North Korea paralyzed South Korean broadcasting stations, banks, government websites and stole information. Second, cyberterrorism and revenge attacks, such as the 2014 Sony Hack in which North Korean hackers threatened Sony and its employees with terrorist attacks on movie theaters if Sony released “The Interview,” a satire about assassinating Kim Jong Un. Third, cyber bank and cryptocurrency exchange robberies – such as the 2016 Bangladesh Bank Heist and the 2017 FASTCash Campaign – that maintain North Korea’s economy in the face of international sanctions.
In recent years, North Korea state-backed hacking group Kimsuky has targeted financial institutions, stealing more than $50 million between 2020 and mid-2021 from three currency exchanges. In March 2022, North Korea hackers stole more than $615 million in ether and USD coin from the Ronin Network by forging withdrawals.
North Korea also appears to have increased its cyber espionage efforts since late 2020. In 2021, Kimsuky is believed to have hacked into South Korea’s nuclear research center, the Korean Atomic Energy Research Institute, stealing information on nuclear power plants. In February 2021, North Korea tried to steal information regarding COVID-19 vaccines and treatments from Pfizer.
North Korea has increased phishing and social engineering attacks for espionage purposes as well. In Operation Dream Job, a North Korean hacking group – the Lazarus Group – created fake LinkedIn profiles to reach out to employees at targeted companies, sent “dream job” offers with hidden malware, maintained conversation with the targets, and collected intelligence regarding the companies’ activities and finances. The attacks first seemed to target government employees. Then, the Lazarus Group targeted companies that work closely with the government such as Israeli defense manufacturers and Boeing. By April 2022, the Lazarus Group was sending fake job offers with Trojan horse programs to the chemical sector and information technology firms as well.
South Korea Cyber Cooperation
As North Korea is increasingly using sophisticated cyberattacks and targeting the United States, it is important for the U.S. and South Korea – North Korea’s usual target – to cooperate against these attacks and to implement the already existing high-level commitments to mutual defense.
One of the reasons that deeper South Korea-U.S. cyber cooperation doesn’t yet exist is because Seoul’s first venture into cybersecurity cooperation with the international community was recent: its 2019 National Cybersecurity Strategy and National Cybersecurity Basic Plan. One of the strategy’s six pillars is international cooperation, and the Basic Plan’s 100 tasks include international collaboration and norm setting.
Since then, there does seem to be growing commitment to enhance bilateral cooperation on countering North Korea’s cyber activities. The 2020 Joint Communique of the 52nd South Korea-U.S. Security Consultative Meeting committed to close communication and coordination in the cyber domain, highlighted the need for cyber command exchanges, and increased science and technology cooperation in cyber defense. In May 2021, the United States and South Korea pledged to further expand cyber cooperation by establishing a cyber working group that will increase law enforcement and homeland security agencies’ cooperation on cybercrime and ransomware attacks and by creating a public-private Domestic Violence and Cyber Exploitation Working Group. The 2022 South Korea-U.S. Joint Statement included broadening cooperation on critical and emerging technologies, deepening regional and international cyber policy, and confronting North Korean cyber threats.
However, despite the continued dialogue, there has been little impact on the implementation level. Efforts so far failed to outline specific efforts against North Korea’s use of cryptocurrency and other financial technology; did not leverage the two countries’ advantages such as the United States’ economic power and South Korea’s knowledge of cryptocurrency risks and North Korea; and failed to see the opportunities in structural differences between the two governments.
Given the flaws of South Korea-U.S. cyber cooperation and North Korea’s recent focus on cybercrime and espionage, the two nations can take the following steps to further their collaborative efforts against Pyongyang’s cyberattacks.
First, the U.S. and South Korea governments should create a working group to combat North Korea’s cyber-enabled crimes – a group that allows for coordinated action and joint research. The coordinated action must leverage the United States’ economic influence and power of sanctions and South Korea’s monitoring and understanding of cryptocurrency crimes. South Korea has had strict regulatory framework since cryptocurrency trading increased in 2017, which allows for a better monitoring system: South Korea does not allow anonymous cryptocurrency accounts and increased reporting requirements for banks dealing with cryptocurrency.
In 2019, the U.S. and South Korea coordinated to takedown a South Korea-based child abuse site that used bitcoin transactions by using the power of a U.S. Internal Revenue Service (IRS) investigation combined with a criminal investigation by the Korean National Policy Agency. While the cooperation was not against a North Korean cyberattack, it was a successful example of leveraging the two nations’ advantages and coordinating various agencies’ efforts to takedown cryptocurrency-related illicit activity.
This working group should also incorporate specific joint research and investigations of cryptocurrency-related crimes and NFTs to better understand how to defend against such cybercrimes before they occur, especially as North Korea is increasingly using both technologies.
Second, as the majority of North Korea’s espionage efforts have targeted companies and research institutions, the two nations’ private entities should engage, share information, and develop better defense mechanisms. For example, in 2021, Korea Hydro & Nuclear Power – a South Korean nuclear operator and target of a North Korean cyberattack in 2014 – signed an agreement with the U.S. Utilities Service Alliance to develop innovative solutions that enhance nuclear power plant safety and performance, and formally collaborate on safety practices including developing defenses against cyberattacks.
The public sector can promote such information sharing by adopting the structure of U.S. Information Sharing and Analysis Organizations (ISAOs) into a bilateral organization. ISAOs are government-backed organizations that encourage cybersecurity intelligence sharing and research between the public and private sectors. In 2015, U.S. Executive Order 13691 supported the creation of domestic ISAOs for U.S. national security. The U.S. government should create a bilateral ISAO with South Korea government and private sector partners to allow for increased bilateral information sharing about North Korea’s cyberattacks as they are an increasing threat to the United States./By Seungmin “Helen” Lee/ The Diplomat