North Korea’s offensive cyber-program has undergone a significant transformation, shifting from a focus on power projection to a more “dual-focused” approach targeting international economic entities. This evolution was highlighted by CrowdStrike researchers Jason Rivera and Josh Burgess at Black Hat Europe 2020.
Initially, North Korea engaged in DDoS attacks and deployed wiper malware to demonstrate force, but these early attempts were not particularly harmful. However, as its tactics became more refined, it started targeting a broader range of countries and industries beyond just the US, South Korea, and Japan. This included data exfiltration from South Korea’s Ministry of Defense and high-profile attacks like the Sony Pictures breach.
The shift towards economic targets was driven by the economic sanctions imposed on North Korea due to its nuclear activities. To bypass these sanctions, North Korea began engaging in various currency-generating operations, such as fraudulent attacks, ransomware campaigns, and targeting the SWIFT banking system. This culminated in a dual-focused effort in which North Korea targets economic entities for currency generation, as well as critical infrastructure and international organizations like the United Nations.
One notable trend observed by CrowdStrike is North Korea’s focus on energy production, including oil, gas, and coal. Targets in the USA have been hit in attempts to steal valuable information and disrupt business operations. Looking ahead, Rivera predicted an increase in advanced ransomware attacks, with North Korea potentially offering ransomware-as-a-service and engaging in data extortion tactics.
Furthermore, North Korea is expected to follow China’s lead in carrying out more economic espionage and adopting a strategy of “cyber-brinkmanship.” This approach involves using cyber or nuclear threats to manipulate the behavior of adversaries without risking a direct military confrontation. Rivera noted that North Korea sees cyber operations as a safer way to project power and take swipes at adversaries without facing the risk of kinetic retaliation or regime change.
In conclusion, North Korea’s offensive cyber-program has changed significantly in recent years, shifting towards a more sophisticated and targeted approach. By focusing on economic targets and critical infrastructure, North Korea aims to advance its own interests while minimizing the risk of international condemnation or military conflict. As these threats continue to evolve, it is essential for organizations and governments to remain vigilant and proactive in defending against them.