North Korea’s evolving cyber warfare strategy | East Asia Forum

Author: Michael Raska, RSIS

While South Korea and the United States focus on North Korea’s growing nuclear weapons and ballistic missile capabilities, the alliance must increasingly prioritise countering the development of North Korea’s cyber capabilities.

North Korean leader Kim Jong Un gives field guidance at the Sci-Tech Complex in Pyongyang, 28 October 2015 (Photo: Reuters/KCNA).

The use of cyber weapons of mass effectiveness alongside weapons of mass destruction provides Pyongyang with a unified asymmetric strategy designed to pressure the United States and the wider international community to recognise its legitimacy.

Moreover, Pyongyang can effectively counter strict economic sanctions through cyber operations, raising hundreds of millions of dollars to support the Kim regime and its nuclear and ballistic missile programs.

North Korea’s cyber warfare units have come a long way since the mid-1990s, when the country’s computer infrastructure was rudimentary at best. The 2009 US National Intelligence Estimate dismissed North Korea’s cyber capabilities and long-range missile programs, noting it would take years to develop them into a meaningful threat.

That same year, North Korea reportedly unified all of its intelligence and internal security services and brought them under the direct control of the National Defense Commission to cement the control of current North Korean leader Kim Jong-un. It merged intelligence organisations and its various cyber units such as Bureau 121 into the Reconnaissance General Bureau (RGB).

The RGB became North Korea’s primary foreign intelligence service as well as headquarters for special and cyber operations. The RGB absorbed Bureau 121, increased its size to 3000 people and upgraded its status to that of a ‘department’.

In 2013, the RGB reportedly also established Unit 180, tasked with hacking international financial institutions to extract foreign currency in support of North Korea’s nuclear and ballistic missile programs. It would also install malicious backdoors in software development businesses in Japan and China. Over the years, the focus of Unit 180 shifted toward targeting cryptocurrency exchanges while Bureau 121 has expanded its cyber operations beyond South Korea by attacking foreign infrastructure elsewhere.

These operations have been linked to another unit — Unit 91 — which has been ‘acquiring [the] advanced technologies needed for nuclear development and long-range missiles from developed countries’ since 2014. The Korean People’s Army (KPA) and its General Staff Department (GSD) have also been integrating cyber capabilities into conventional military operations.

In 2016 the GSD established a new department for Command, Control, Communication, Computer and Intelligence (C4I) to enhance the defensive cyber capabilities of the KPA’s command and control systems. These have been reportedly targeted by a top secret US military program. To counter such measures, North Korea is developing quantum encryption technology in an effort to build a highly secure command and control link between Pyongyang and key missile launching sites.

North Korea’s cyber units have progressively developed their resources, assets, malware arsenals and coding capabilities based on their experience from attacking different targets. They are also collaborating on attack campaigns by sharing networking infrastructure and continuously adapting malware code in order to avoid detection.

The sophistication of North Korea’s cyber operations shows the increasing emphasis that Pyongyang is placing on cyber-enabled economic and political warfare, with cyber units and state-sponsored hacking groups aiming to counter international sanctions while at the same time generating resources for North Korea’s economic and military-technological development.

North Korea’s cyber operations reflect at least three distinct characteristics.

First, North Korea’s cyber units and hacker groups have shown considerable diversity in terms of their capabilities and experience — a range that has made attribution more challenging.

The line between low-end and high-end North Korean cyberspace operations has frequently been blurred. North Korea can employ non-state actors as surrogates, utilise low-cost, off-the-shelf tools that are freely available and exploit known techniques such as denial of service attacks.

Second, North Korea has gradually demonstrated a resolve for cyber-escalation — targeting the critical infrastructure of other nation states as well as private corporations and banks for varying political motivations. Increasingly, North Korea aims to achieve illicit financial gain by bypassing international sanctions and generating foreign currency.

Third, the essential ‘dialectics of North Korea’s cyberspace’ is still asymmetric. North Korea’s internet infrastructure is isolated from global networks, with the country’s entire internet traffic channelled through only two providers — China’s Unicom and Russia’s TransTeleCom. The country is largely unplugged from the global internet and is ringfenced by China’s ‘Great Firewall’.

North Korean hacker groups have therefore been widely dispersed elsewhere, in places such as China, Russia, Southeast Asia, and even Europe, acting independently or mutually supporting each other based on their specific cyber missions.

Against this backdrop, South Korea’s Ministry of Defense initiated the Master Plan for Defense Cyber Policy in 2011 to integrate all South Korean military capabilities against cyber threats. South Korean forces have also enhanced their civil-military cooperation in the cyber domain.

Seoul has also prioritised joint efforts with the US military to ensure that the alliance leverages cyber operations as effectively as possible. In this context, South Korea’s cyber capabilities have evolved in the strategic framework of the US–ROK alliance, with joint programs developing artificial intelligence-based technologies to counter a range of cyber threats.

But these measures have arguably not stipulated major changes in the ways and means through which the US–ROK Alliance leverages advanced technologies. US–ROK forces have not been fully able to align their military-technological potential with the required organisational, conceptual and operational innovation needed to utilise advanced technologies in new ways.

Under these conditions, North Korea has been gradually gaining a strategic advantage by pursuing cyber capabilities in conjunction with nuclear and ballistic missile programs as asymmetric capabilities, which provide a relatively low-cost but effective means to exert influence. They also provide Pyongyang with a capability for political, economic and military coercion without triggering major armed conflict.

Michael Raska is Assistant Professor and Coordinator of the Military Transformations Program in the Institute of Defense and Strategic Studies at the S Rajaratnam School of International Studies (RSIS), Nanyang Technological University, Singapore.