Published daily by the Lowy Institute

Cyber crime: North Korea’s billion-dollar soft spot

Cyber-crime is big business for Pyongyang, and a ripe target.

Cyber crime: North Korea’s billion-dollar soft spot
Published 10 Nov 2017   Follow @flatgard

Cyber-crime is now a billion-dollar industry for North Korea. Cracking down on this criminal enterprise presents a strategic opportunity to apply further pressure on the Kim Jong-un regime.

Hard currency generated from cyber-crime is undermining global efforts to impose economic pressure on Pyongyang. As sanctions are imposed against its formal economy, North Korea has increased the scale of its illegal businesses. The massive criminal operation may be equivalent in size to the annual budget of the North Korean nuclear weapons program.

To generate such tremendous returns, North Korean hackers steal bitcoin, hold data ransom, and rob foreign banks, including the brazen heist of a sovereign nation’s central bank that netted $81 million. Evidence suggests the spree of bank robberies continues across Australia’s region, with attacks against banks in the Philippines, Vietnam, and Taiwan. The UK government has now also attributed the global WannaCry ransomware attacks that in May crippled thousands of computers to North Korea.

North Korea's leadership views its cyber-capabilities as a unique advantage that it can deploy without fear of retribution. North Korea is one of the least ‘connected’ countries in the world, while its adversaries (countries such as Japan, South Korea, and the US) are internet dependent. And that dependence makes for vulnerability to cyber-attacks.

In the event of a conflict, North Korea likely believes it could remotely attack and degrade the financial systems, telecommunications infrastructure, energy utilities, and media networks of the US and its allies. Pyongyang has previously demonstrated this capability against South Korea, while WannaCry came perilously close to threatening human lives in hospitals around the globe.

Recently the US launched cyber-attacks against North Korean military infrastructure. The attacks caused no permanent damage and imposed only a short-term degradation of internet access. They were likely designed to signal American capability and willingness to use such methods. But the North Koreans and the US both know that incapacitating the DPRK military through cyber-attacks is unlikely.

However, North Korean cyber-criminals represent a soft vulnerability in an otherwise hardened defence.

The main North Korean cyber-criminal groups, known as Lazarus and Guardians of Peace (GOP), reside and operate almost exclusively outside the country, according to a recent analysis by the commerical security firm Recorded Future. The criminal operations are launched from IT infrastructure physically located in other countries, and private sector analysts have learned details of Lazarus and GOP due to their weak security practices (eg. not encrypting web traffic or obfuscating IP addresses).

Lazarus and GOP’s physical location in foreign countries brings them within the reach of law enforcement. Cases can be developed against individuals. Australian Federal Police can work with foreign law enforcement to gather evidence, serve warrants, and make arrests. Local law enforcement agents acting under court order may be able to seize compromised equipment. Legal action can increase pressure on the criminal network, closing physical safe-havens and raising the costs for launching attacks. The foreign location of the North Korean actors may also enable the Kim regime to save face by disowning the responsible individuals.

Even if the criminals slip the dragnet and escape back to North Korea, indictments can pave the way for diplomatic efforts that might follow. In 2014, the US brought charges against five Chinese officers in the People’s Liberation Army for stealing intellectual property from US-based businesses. These officers will likely never see the inside of an American courtroom, but their indictment led to a landmark agreement between President Obama and President Xi. China agreed to support international norms in cyberspace; Chinese cyber-attacks against the US have since been reduced.

China is, of course, key to any success with North Korea. To encourage China's leadership to take action, any legal case must present evidence of North Korean activity taking place on Chinese soil. The Chinese may find it difficult to support such criminality, especially when it threatens the stability of the global financial sector or undermines Chinese commitment to global law and order. China may be willing to bring charges of its own or deport those responsible for the attacks.

If law enforcement and diplomatic efforts are unsuccessful, governments could use the gathered evidence to deploy cyber-operations that damage the criminal’s computer infrastructure. Such operations should be documented and shared with other countries. Proving the effectiveness of cyber-operations and ability to be used in a limited tactical scope would build good faith with regional and global allies. Establishing cyber-capabilities within a continuum of options – economic, law enforcement, diplomatic – will better position Australia, America, and other allies to deter and disrupt cyber-crime in the future.  

Malcolm Turnbull and Julie Bishop have pledged to develop and use cyber operations to combat online crime. North Korean criminals present an opportunity to demonstrate this capability.

You may also be interested in