NORTH KOREA IS arguably the least-understood nation on the planet. And that also applies to its state-sponsored hackers whose global cyberattacks have been almost as erratic and inscrutable as the government they work for. They hide behind strange front groups and fake extortion schemes. They steal tens of millions of dollars, a kind of digital profiteering more common among organized criminals than government cyberspies. And they’re now believed to have launched WannaCry, the ransomware that sparked an indiscriminate global crisis, with almost no apparent benefit to themselves.
But as tensions between the US and North Korea rise, cybersecurity and foreign affairs analysts watching the Hermit Kingdom’s hackers say that it would be unwise to write off Kim Jong-un’s digital army as irrational actors, as foreign policy wonks once mistakenly did with the country’s early military provocations. Instead, they warn that North Korea is using cyberattacks much as it has used the nuclear threat: an asymmetric lever that effectively holds far more powerful countries in check. Like the Kim regime as a whole, North Korea’s hackers are desperate, brazen, and at times incompetent—but also shrewdly logical in pursuing their goals.
This week, the DHS and FBI released a “technical alert,” warning that North Korean state actors called Hidden Cobra had targeted US organizations in the financial, aerospace, and media industries, along with critical infrastructure. The group’s expansive toolkit included botnet-based denial of service attacks that flooded victims’ websites with junk traffic, remote-access tools, keyloggers, and data-destroying malware. Even more significantly, the report revealed that the DHS and FBI believe Hidden Cobra is one and the same as Lazarus, a hacker operation the cybersecurity community has closely tracked for years and strongly suspected of North Korean ties. Just 24 hours later, The Washington Post reported that the NSA had pinned the WannaCry ransomware worm that infected hundreds of thousands of computers last month on North Korea—an attack security companies like Symantec, Kaspersky, and SecureWorks had previously attributed to Lazarus Group.
While it seems evident that North Korea dictates Lazarus activity, it acts unlike any state-sponsored hacker group before it, with an erratic track record of theft and wanton disruption. But as arbitrary as those acts may seem, North Korea’s digital offensives actually make sense—at least for a fascist, isolated, sanctioned country that has few other options for self-preservation.
“They are rational actors. But with sanctions and their status as a global pariah, they have little to lose from using this tool,” says John Hultquist, who leads a team of researchers at the security firm FireEye and formerly worked as a State Department analyst. “We should recognize North Korean hacking as an example of what states in dire straits are capable of.”
North Korea’s hackers most obviously depart from state-sponsored norms in their penchant for outright theft. In the past year, cybersecurity researchers have steadily piled on evidence that the country pulled off a series of attacks that used the financial industry’s SWIFT protocol to transfer tens of millions of dollars to its own accounts. Analysts at security firms, including Symantec and Kaspersky, have tied the Lazarus group to bank breaches targeting Poland, Vietnam, and more than a dozen other countries. One attack last year swiped $81 million from Bangladesh’s account at the New York Federal Reserve.
The motive makes sense: North Korea needs the money. As a result of its human rights abuses, nuclear brinksmanship, and sociopathic aggression toward its neighbors, the country faces crippling trade sanctions. Before its hacking spree, it had already resorted to selling weapons to other rogue nations, and even run its own human trafficking and methamphetamine production operations. Cybercrime represents just another lucrative income stream for a shameless, impoverished government.
“We have to start wrapping our heads around the idea that we have a nation-state-sponsored hacking group whose tasking includes financial gain,” says Juan Guerrero-Saade, a Kaspersky security researcher. “It’s hard to stomach, but at this point it’s not an isolated incident.”
The rationale behind WannaCry proves harder to suss out, although a consensus has grown that the ransomware was just another moneymaking venture—albeit a botched one that spun out of control. After all, the code that paralyzed hundreds of thousands of computers around the world only earned its operators around $140,000 worth of bitcoin, pocket change for a dictatorship. The ransomware even lacked a method to track which victims had paid to have their files decrypted, breaking the trust model that more professional ransomware gangs have used to incentivize payments and extract far larger rewards from far smaller pools of victims.
Those errors may stem from WannaCry’s North Korean creators letting the malware leak prematurely. Worms that spread automatically from machine to machine are notoriously difficult to contain. (The US and Israel discovered as much with their own Stuxnet worm, which spread well beyond the Iranian nuclear enrichment facilities it targeted.) In fact, SecureWorks says the Lazarus hackers distributed WannaCry in a smaller-scale attack before the global explosion. When they coupled their existing efforts with the NSA’s powerful EternalBlue exploit, released earlier this year by the hacking group the Shadow Brokers, their infections may have suddenly exploded beyond their expectations or control. “They had this thing, they were using it and getting some money,” says Guerrero-Saade. “Then it got way out of their hands.”
Crazy Like a Fox
Those money-making schemes are hardly the only head-scratching activities of North Korea’s hacker brigades. Since 2009, they’ve also launched distributed denial of service attacks on targets in the US and South Korea. They’ve leaked emails from Sony Pictures and hit a South Korean nuclear power plant, two cases that have long puzzled cybersecurity analysts. They seem like a kind of cyberterrorism, designed to instill fear in their enemies—a tactic that did, for instance, delay and then limit the release of Sony’s Kim Jong-un assassination comedy, The Interview. But unlike more straightforward terrorist operations, North Korea has never taken overt credit. Instead, its hackers hide behind invented front groups like the Guardians of Peace or an anti-nuclear-proliferation hacktivist group, even attempting to extort money from victims before destroying computers and leaking their data.
Those obfuscations give the country a hint of deniability in diplomatic negotiations, says SecureWorks’ North Korea-focused researcher Joshua Chuang, even as their targets receive the intended message. “It’s not like ISIS or al Qaeda—they don’t wave a flag. But they know that forensic investigators will eventually figure it out,” says Chuang. “And any time they get publicity like that, it’s a huge boon for them.”
The attacks also make sense as an extension of North Korea’s military strategy in general, which centers on building weapons—such as nuclear missiles—that can deter its many larger, better-resourced enemies. “Since North Korea is militarily and economically inferior to its adversaries, it needs to use capabilities that can deter foreign aggression, coerce others, and project power without inviting a conventional response,” says Frank Aum, a former advisor on North Korea to the Department of Defense who’s currently a visiting scholar at Johns Hopkins’ Strategic Advanced International Studies.
After all, Aum argues, hacking for North Korea represents not only a stealthy and deniable tool but a battlefield where it has almost no targets of its own at which victims can fire back. “The regime may see cyberattacks as having less risk of retaliation because they are not easy to attribute quickly or with certainty, and because North Korea’s networks are mostly separated from the internet,” Aum adds.
All of that suggests North Korea’s chaotic and erratic hacking will no doubt continue—because it works. “They’re hyper aggressive because they’re in a corner, because the attribution problem exists, because they’re not constrained by norms or taboos,” says FireEye’s Hultquist. “In this environment, they’re not necessarily irrational. But they’re very dangerous.”