North Korean cybercrime has been on the rise in recent years, impacting international economic and physical security. Finances gained from cyber attacks are likely used to fund their nuclear program and to send artillery to Russia in their war against Ukraine. This article addresses issues such as the rising economic slant of North Korean cybercrime, the difficulties associated with retaliation, and methods to change our approach on both the international and organizational level.
For a deeper introduction on North Korean cybercrime, see our previous post on the Lazarus Group, also dubbed Hidden Cobra, APT38, and BlueNoroff.
North Korean cyber attacks are anticipated to continue and ramp up in frequency due to the government's economic destitution. As discussed in our previous blog post on this topic, the effects of COVID-19, the government's decision to cease trade with China, continuing sanctions from the West, and nations' increasing vulnerability to cyberattacks have combined to produce the perfect environment for cybercrime. Ultimately, North Korea is desperate for financial gain, and the world economy is vulnerable to its attacks. North Korea is also uniquely suited for cybercrime, since its system of strict government control over the Internet has produced a tightly regulated and state-supported cybercrime capacity. Therefore, it constitutes a well-funded, persistent, and politically motivated financial threat.
Due to its recent increase in financial hardship, it seems that North Korean cyber attacks in the immediate future will be focused on finances rather than espionage or sabotage. However, these financial gains may be used for non-cyber military ends. In particular, many US agencies believe the money is used to fund the nuclear program in continued opposition to the US and South Korea, along with selling artillery to Russia to support its war in Ukraine. Therefore, North Korean cybercrime threatens international physical security as well as economic security.
Retaliation against North Korea is made difficult by many factors, the first of which is the issue of attribution. The US cannot definitively place the blame on North Korea for any attack: it may take months or years to come up with evidence on the attackers, and the US will likely be accused of politicizing the issue in order to punish the hermit kingdom.
It would also be incredibly difficult to respond with an offensive cyber attack, since this could cause escalation in conflict with North Korea (or with other countries that may be looking to escalate cyberattacks against the US). Additionally, it could cause the US to compromise its political and diplomatic legitimacy. To top it off, North Korea has an extremely small attack surface due to a lack of domestic IT infrastructure, which means an offensive cyber attack would have limited impact. Much of the infrastructure it uses for cyberattacks is located in other countries, where North Korean "IT workers" conduct routine cybercrime.
Some might say that North Korea's limited infrastructure can also act as an asset in retaliation. In 2022, one American hacker was able to take down a majority of North Korean websites from the comfort of his home (Greenberg). If one man could accomplish this in a single night, a team of US or South Korean hackers could most likely cause permanent damage. However, this would almost guarantee escalation of the conflict, and it raises questions regarding the threshold for escalation in the cyber realm.
In order to mitigate the problem while avoiding escalation, international cooperation is necessary. Although the US is the DPRK's primary target alongside South Korea, if its hackers were unable to break into American businesses, they would simply move on to other countries. Therefore, national regulations and measures are only a starting point when neutralizing this threat.
Some measures would be completely ineffective without international support. For example, some researchers have proposed that regulations on cryptocurrency could de-anonymize criminal transactions, or at least make it more difficult to cash out ransom payments. However, “the lax practices of certain Chinese, Eastern European, and Southeast Asian exchanges” make instituting these policies extremely unlikely (Ed Caesar, The New Yorker). It is imperative that we make this issue a priority in future negotiations, since without international cooperation, any new regulations will be ineffective.
Making cybercrime less profitable may be an effective way to fix the problem at its root, though its feasibility is quite low. A purely domestic solution could be to guarantee government compensation to companies who are attacked by ransomware, as long as they refuse to pay the ransom. The sanctions against the Lazarus Group may have technically made paying ransoms to North Korea illegal, but if the cyber group can evade attribution, these sanctions will lose some of their practical impact. A similar global solution, in which international institutions or informal groups would provide aid to ransomware-infected companies, could allow the cooperation needed to promote this type of approach. Unfortunately, this approach may not be feasible, since it would require an enormous budget and multilateral political backing. A possible alternative could be mandatory ransomware insurance, privately or publicly managed, in which the company is compensated if it refuses the ransom and sustains damage. In this way, it could be possible to starve North Korea of revenue for its military programs. Policymakers must, however, be wary of the issue of fraud when introducing these measures.
In a recent US briefing, the North Korean cyber threat was regarded as a threat to national economic security due to the increasing severity and frequency of its attacks. North Korean cybercrime is a formidable threat because of its high-quality, targeted attacks by highly trained, state-sponsored attackers. Its targets vary widely, since it is pursuing financial gain instead of political disruption or espionage. Therefore, virtually any company with an online presence could be the victim of a Lazarus ransomware attack.
Aside from the cyber risk, there is also a crucial compliance risk. If a company is attacked, it is often stuck between a rock and a hard place. If it refuses the ransom, private data may be leaked to the internet, and it will most likely lose its files for good. However, if the company pays the ransom, it is technically engaging in an illegal activity, since the Lazarus Group is officially sanctioned by the United States.
ThreatSTOP offers unparalleled protection against North Korean cyber groups, including the infamous Lazarus Group, with over 850 different threat intelligence feeds. Our system is continuously updated with new indicators of compromise, ensuring that users are swiftly protected from emerging threats. With geo-based IP and domain blocklists, users can enforce compliance by blocking North Korea as a whole. Taking compliance one step further, ThreatSTOP will soon launch premium OFAC sanctioned entities and subsidiaries blocklists, powered by a firm of expert compliance researchers, to provide a one-of-a-kind, automated compliance solution. Stay tuned!
Whether you're looking to protect your network security or grow your MSP services, ThreatSTOP has you covered. Don't wait: see how ThreatSTOP can instantly eliminate attacks on your network, including nation-state attacks and North Korea.