The Peninsula

The Jig Is Not Yet Up: Kim Jong-un Turns to Cyber Crime

Published July 25, 2018
Category: North Korea

By Linnea Logie

Kim Jong-un and his inner circle have since the beginning of 2018 professed their ardent desire for peace on the Korean peninsula.  Yet however impassioned their rhetorical allusions to the prospect of peacefully reunifying the Korean peninsula and integrating North Korea (DPRK) into the global community, North Korean leaders are keenly aware that attempting a major pivot would undermine the ideological and theoretical basis of regime legitimacy.  Fearful that relinquishing nuclear weapons and seeking out alternative means of regime security would precipitate their downfall, Kim and company remain intent on developing alternative means of not only defending elite activities against external interference, but also inflicting damage on so-called foreign “enemies.”  Continued nuclear-weapons development, for all the attention it receives from the outside world, is only part of this broader strategy.

The regime has not survived on the threat of nuclear terrorism alone.  Contrary to popular belief, North Korea is rapidly amassing capabilities with arguably greater destructive potential than nuclear or ballistic missiles.  Pyongyang’s elaborate licit and illicit financial networks grow more sophisticated and its army of cyber warriors grows more adept with each passing day, posing fearsome threats to Northeast Asia, the United States, and the entire international system.  This has become increasingly evident under the leadership of Kim Jong-un, who has overseen a dramatic expansion of criminal activities into the vast realm of cyberspace to bolster the economic security of the ruling class, as well as threaten the national interests of foreign adversaries.  These malicious activities belie the appearance of civility and openness crafted so carefully by the North Korean leadership since it launched a pre-Olympics charm offensive in early 2018.  Add to this Pyongyang’s recent recriminations of the U.S. negotiating posture, and the prospects of Kim adopting a radically new tack seem slim.

Focusing on North Korea’s nuclear-weapons development to the exclusion of other ominous regime objectives neither diminishes the North Korean cyber threat, nor renders it more easily contained.  With the time already won through the ongoing charm offensive, this threat is now even more disquieting, demanding extreme vigilance from the United States and its allies.  As the revenue-generating activities of regime cyberwarriors rapidly gather steam, Kim will almost certainly remain recalcitrant.

Fighting the Next War

The international community made a critical error in reducing the threat posed by the North Korean regime to one of a strictly nuclear nature.  That the Kim dynasty is first and foremost a “nuclear conundrum” remains the prevailing view, underlying the strategic thinking of key policymakers around the world and virtually institutionalizing a preference for diplomacy in addressing the North Korean threat.  Meanwhile, behind a veil of nuclear belligerence, the ruling Kim family has been quietly and painstakingly preparing to fight the next war: a “Secret War” waged not with guns and bullets, but with information and network access.

Former NSA deputy director Chris Inglis describes cyber as a “tailor-made instrument of power” for the North Korean regime, offering a relatively anonymous, low-cost means of both procuring financial resources and threatening foreign public and private-sector infrastructure.  The rapid escalation of malicious North Korean cyber activities over the past decade seems to confirm the utility of hacking operations for the ruling elite, indicating that cyberwarfare has become a core survival tactic of the current regime.

Pyongyang’s cyber program took root decades prior to Kim Jong-un’s rise to power, however.  The experiences and observations of scientists returning to North Korea from abroad in the 1990s sparked a realization within the regime that programming skills could help the domestic economy recover from the ravages of famine, while concomitantly amplifying the regime’s ability to spy on and attack the United States and South Korea (ROK).  This catalyzed the still-continuing process of identifying and recruiting promising talent for specialized education in elite North Korean or Chinese computer-science programs.  Some North Koreans posted to the UN in the mid-1990s even enrolled in New York-based computer-programming courses.

By the time the U.S. invaded Iraq in 2003, Kim Jong-il was ostensibly convinced that information, rather than conventional military power, would define the future of warfare.  He impressed this conviction upon his son, who, after navigating an uncertain transition of power in the early 2010s, found himself armed with an increasingly potent weapon only just beginning to be taken seriously by outside observers.

Surveying an interconnected globalized landscape with an expanded 21st-century understanding of cyberspace, Kim Jong-un came to regard cyber capabilities as more valuable than his father likely ever dreamed possible: a new asset to be leveraged in conjunction with the tools already in the regime’s arsenal.  With support from Offices 39 and 91, he expanded the modest ranks of programmers serving his father’s regime into an army of cyberwarriors perhaps 7,000-10,000 strong (ROK Defense Ministry estimates from early 2015 placed this figure at 6,000).  These hackers have carried out increasingly sophisticated attacks on targets in South Korea and around the globe, graduating from “distributed denial-of-service” (DDoS) assaults in 2009, 2011, and 2013; to the infamous Sony hack in 2014; to sensitive data-collection campaigns in 2016; to socially disruptive attacks in 2017; and, increasingly, to digital bank and cryptocurrency-exchange heists.  Indeed, decades-long investments in the grooming of North Korean talent have given rise to a range of malicious North Korean cyber activities known by authorities in the United States and around the world as “Hidden Cobra.”

The third ruling Kim allegedly believes he now wields a fearsome “all-purpose sword” comprised of offensive cyber capabilities, nuclear weapons, and ballistic missiles: a mighty arsenal to be employed not only as a weapon, but for revenue-generation, harassment, and geopolitical retribution.  His efforts to cultivate a robust cyber army have only just begun to pay real dividends for Pyongyang, yielding the advanced technical capabilities necessary for the regime to shift the focus of its cyber strategy from espionage to money-making.

Cashing In

Cybercrime has emerged as a new means of extending the lifespan of the North Korean regime amid punishing international sanctions, whose deleterious effect on Sino-North Korean trade threatens regime economic security and, in turn, legitimacy.  Current estimates place the value of North Korean cybertheft as high as $1 billion annually, and with continued advancement in North Korean programming and cyberinfiltration skills, this already massive sum is poised to balloon rapidly, providing a financial lifeline for the regime while undermining regional and global stability.

Since 2015, North Korean hackers have hit banks in Mexico, Nepal, the Philippines, Poland, Taiwan, and Vietnam, pulling off an $81-million theft in February 2016 from a Bangladesh Central Bank account managed by the U.S. Federal Reserve.  And though some of these banks managed to protect at least a portion of targeted accounts, security experts are sounding the alarm that with improved North Korean computer skills, Hidden Cobra is becoming broader in scope and increasingly sophisticated, designed to successfully perform critical data-collection and revenue-generating functions.

Indeed, Pyongyang only recently embraced cryptocurrency theft and mining as new preferred mechanisms for raising the hard currency it so desperately needs.  Within the first few months of 2017, North Korean hackers pulled off a $7-million heist from Youbit that ultimately shuttered the platform, in addition to a 3,931 Bitcoin (BTC) theft from Yapizon.  Other online exchanges in East Asia, including Coinis in South Korea and Coincheck in Japan, have suffered similar North Korean attacks of various magnitude and frequency.


Evidence suggests that rather than stopping or slowing in the wake of the historic April meeting between Kim Jong-un and President Moon Jae-in of South Korea, Pyongyang’s cyberassault on the South has gathered momentum.  In the weeks following the inter-Korean dialogue in April (and subsequent talks in May), North Korean hackers struck out at the South in a quest for sensitive information that could help the regime prepare for and control the optics surrounding Kim Jong-un’s June 12 summit with President Trump.  Hidden Cobra actors targeted financial companies and organizations known to focus on North Korea, including an independent think tank and a non-governmental group with a history of sending food and material aid to the DPRK.  The use of spear-phishing emails in this attack allegedly yielded strategic gold for Pyongyang, granting hackers access to information detailing U.S.-ROK expectations and ongoing preparations for the Trump-Kim summit.

Meanwhile, the hundreds of North Korean hackers tasked with infiltrating cryptocurrency exchanges continue to flex their growing muscles.  Over a forty-minute period in the wee hours of Monday, June 11th, 2018, they stole tokens with an estimated value upwards of $36 million from Coinrail, the seventh-largest cryptocurrency exchange in South Korea.  Their successful theft represented roughly thirty percent of the total coin owned by the online service, and news of the breach sent the trading value of Bitcoin into a tailspin, driving the global price down more than seven percent by the time markets closed on Monday.  Then came Bithumb, which had already suffered a July 2017 breach that caused over $1 million in losses.  On Wednesday, June 20, representatives of the Seoul-based cryptocurrency exchange, currently the sixth-largest in the world, revealed that hackers had stolen nearly $31.6 million worth of digital currency overnight, prompting a temporary freeze on withdrawals and deposits.  Fortunately, Bithumb managed to recoup nearly half of its losses by the end of June through a collaborative recovery effort with various worldwide exchanges.


The fact that brazen North Korean cyberattacks on South Korea and other foreign targets have not merely continued unabated but actually accelerated in the weeks since recent meetings with U.S. and ROK leaders belies Kim Jong-un’s repeated allusions to peace, while also suggesting that economic sanctions and the firm messages communicated through direct diplomatic engagement have yet to chasten North Korean leaders.  Instead, hubris appears to remain a prominent feature of Pyongyang’s self-image and worldview.

Kim Jong-il seemingly recognized roughly fifteen years ago that technology was once again transforming the nature of warfare, and the next battle would be surreptitiously waged over information and access.  His son had little choice but to incorporate this conviction into his asymmetrical survival strategy.

While keeping the international community preoccupied with the dangers posed by his ever-improving nuclear arsenal, Kim Jong-un has overseen a thriving network of criminal activity and accelerated the development of robust domestic cyber capabilities.  He now appears confident that he can have his cake and eat it, too: winning time and possible concessions through diplomatic engagement, while quietly ratcheting up a malicious cyberwarfare campaign that is proving increasingly profitable for the regime.

Ultimately, the question is whether the Kim regime recognizes that rebuffing a one-time offer of cooperation from the United States may elicit a devastating response from the Trump administration.  Pyongyang’s diplomatic track record, unceasing activities at major domestic nuclear sites, and continued misbehavior in cyberspace suggest the ruling core has yet to accept the necessity for a dramatic strategic shift.  Events unfortunately seem to be building toward an unsavory breakdown in comity, leaving observers only to wonder how negotiations may founder, and when.

Linnea Logie is an incoming graduate student with the Security Studies Program at Georgetown University.  She is currently an Intern at the Korea Economic Institute of America. The views expressed here are the author’s alone.

Image from Prachatai’s photostream on flickr Creative Commons.