8 May 2018

North Korean Cyber Operations

Michael Martelle (ed.)

In light of significant recent developments on the Korean Peninsula, this week’s brief highlights North Korean cyber-operations. While Pyongyang’s nuclear weapons program has drawn the most attention recently, North Korea’s cyber capabilities also represent a significant asymmetric capability that has been relied upon both to disrupt enemies of the Kim family and to produce sources of funding through cyber-enabled crime. This brief includes remarks by James Clapper on cyber-deterrence and North Korea given while he was Director of National Intelligence, a significant report by Kaspersky Lab on the North Korea-linked advanced persistent threat (APT) group Lazarus, a letter from Congress to Treasury Secretary Steven Mnuchin expressing concern over Lazarus cyber-operations targeting banks in 18 countries, an alert by the US Computer Emergency Readiness Team (US-CERT) on North Korean botnet activity, and a Congressional Research Service brief on North Korean capabilities in cyberspace.
In this speech, Clapper uses an anecdote about a trip to North Korea to argue that a form of cyber deterrence would be appropriate for increasing the cost of North Korean cyber operations.

This report focuses on a group (Lazarus) whose cyber activities go back at least to 2009, and whose malware has been discovered in a number of serious cyber-attacks (including the 2014 intrusion into the Sony Pictures computer system and a 2013 cyber espionage campaign in South Korea). It reports on the results of the lab’s forensic investigations in two geographically dispersed banks.

In this letter to the Secretary of the Treasury, two members of Congress note recent reports that the Lazarus group, a hacking operation linked to the North Korean regime, had targeted banks in 18 different countries. In addition to providing more information about North Korean hacking activities, the authors request a briefing on Treasury Department interaction with private sector organizations to counter such activities.

This alert, intended to help cyber defenders detect malicious cyber activity conducted by the North Korean government (designated HIDDEN COBRA), contains indicators of compromise, malware descriptions, and network signatures.

This report surveys North Korea’s cyber capabilities, offers potential motivations for North Korea’s strategy, and examines four case studies.
