- North Korea has a cyber army of about 7,000, trained to find secrets, disrupt critical infrastructure, and steal money to circumvent sanctions.
- These cyberattacks are often difficult to pin on North Korea because they originate in countries like China and Russia, and a counterattack is almost impossible because of North Korea’s rudimentary internet.
- North Korea’s likely next targets are critical US infrastructure like power plants, dams, and electrical grids.
North Korea’s state-sponsored hack of Sony Pictures in 2014 over the movie “The Interview” was highly embarrassing for Sony. But it was just the tip of the iceberg, according to Daniel Russel, vice president for international security and diplomacy at the Asia Society Policy Institute.
Russel, a former assistant secretary of state for East Asian and Pacific Affairs, spoke with Insider recently about the threat of North Korea’s hacker army, how it supports North Korea’s nuclear program, and what the future holds if the US doesn’t take this threat seriously.
Insider: When did this cyber army start?
Daniel Russel: The North Korean cyber operation documented by a lot of cybersecurity firms lists this principal group as starting circa 2010. But that gives the impression that we know a lot more about North Korea's cyber activity than I think we really do.
North Korea has been cultivating and has been investing in an elite cyber force under the control of its military, the Korean People's Army and the Reconnaissance General Bureau - Kim Jong Un's clandestine security apparatus. It's estimated to comprise about 7,000 people who are trained pretty extensively, both in specialized domestic programs in North Korea, including in parts of their universities.
In other cases, they then seem to receive training in China or in Russia. Quite a few of them are dispersed through China, Russia, and some in India. They use other countries as a platform and for conducting their various cyber activities because North Korea has pretty much air-gapped its own internal internet or intranet system, both to prevent North Koreans accessing information from the rest of the world, but more importantly to prevent the rest of the world from getting in.
That makes it very hard to get a definitive attribution that the attack originated in North Korea and raises the risk that China or Russia will get the blame. It also makes it harder for services in countries like the US to retaliate because you're running the risk of retaliating against China or Russia for something that's actually masterminded and executed by the North Koreans.
Insider: How do we figure out that these attacks are actually performed by North Korean actors?
Russel: You're digging into technical areas for which I'm spectacularly unqualified because I'm not a digital or a cyber expert. But the people who are real experts, Mandiant, FireEye, or CrowdStrike, or for that matter the CIA or the NIS, South Korea's intelligence service, have a very sophisticated ability to conduct forensic detective work in the cyber realm. In many cases, they can identify patterns, code, servers and the like to trace things back to North Korea.
These companies issue an annual worldwide cyber-threat report. They track all of these various major hacking operations and rank them. They call them advanced persistent threats, APT. North Korea is the host of something they call APT38 - or the Lazarus Group, Guardians of Peace, or Hidden Cobra. These are sort of code names. APT38 is number one on their list of worldwide cyber threats.
In some cases North Korea directly claimed credit for a cyberattack. Beyond that, Kim Jong Un and the Korean Workers' Party have been speaking increasingly in a very open and direct way about its cyber capability.
They use the same vocabulary now for cyber as for their nuclear weapons. They call it "an all-purpose sword that guarantees our capability to strike relentlessly."
Insider: You called the Sony hack "chickenshit." Can you tell me what kinds of bigger projects are out there?
Russel: You could break it down into three categories: spying; sanctions circumvention through cyber theft; and harassment, disruption, and retaliation - the Sony hack was an example of that.
One important use of cyber for North Korea is to steal secrets. CrowdStrike has done a lot of documenting this, but it's the US government and foreign governments that are paying super-close attention to this.
In 2016, APT38 stole about 40,000 defense documents from South Korean contractors with information on F-16 fighters and drones. North Korea is also believed to have stolen a PowerPoint summary of the US military's top-secret operation plan, called Op Plan 5027, which is the war plan for the United States.
Second is the cyber theft category. In March, the Department of Justice unsealed indictments accusing some Chinese and North Korean nationals of laundering $100 million for North Korean nuclear activities. This indictment makes clear that the money these people laundered was part of a $250 million theft by North Korea in a cyberattack on a global cryptocurrency exchange. So this isn't just imaginary stuff.
Cyber theft effectively neutralizes UN and US sanctions against North Korea. If North Korea is denied a billion dollars in the sale of coal and iron and mushrooms, but it can go out and steal a billion dollars, then sanctions are not going to have the intended effect.
While the administration takes a lot of pride in its efforts to maintain sanctions against North Korea, this is an immense loophole, and it's not just going to buy those fancy Mercedes that we saw Kim Jong Un driving around in when he was hobnobbing with Donald Trump in Singapore and in Hanoi. This money is going to fund North Korea's nuclear weapons and intercontinental ballistic missile program. We're paying for the threat against ourselves.
At the high end, it's potentially a devastating destruction of critical infrastructure in the United States and Japan and South Korea.
The WannaCry virus, on the one hand, was ransomware; you could argue that it's aimed at getting money, but it caused a huge disruption of hospitals in the UK and, potentially, in something like 100-plus other countries where they had disseminated the ransomware. This was software that brought the operation of critical facilities to a standstill.
This is not hacking; this is cyber warfare.
Cyber weapons kind of level the playing field for North Korea in a way that nukes can't. Not only do the United States, China, and Russia have vastly more nuclear weapons than North Korea, but a nuclear weapon is an all-or-nothing proposition.
Cyber warfare has a very different risk-return calculation. It's a low-cost, asymmetric, relatively speaking, low-risk weapon system. And the US is the most vulnerable country on planet Earth to disruptive cyberattacks.
Most American infrastructure facilities were built in the pre-digital era - energy grids and the Hoover Dam. They get retrofitted with makeshift, MacGyver-style internet linkages, as opposed to new infrastructure that has digital safeguards built into it. So you have somebody firing up their router, like with one of those old "you got mail" connections.
The US has a lot of that stuff, number one. And something like 80% of America's critical infrastructure is privately owned. Who's going to pay to upgrade the power plant? Who's going to pay to upgrade the air traffic control systems? Who's going to pay to upgrade the rail systems, the cellphone network? Good luck getting these private companies to sell their shareholders on investing billions of dollars in upgrades.
If it's bad now, just imagine what it's going to look like with 5G and the internet of things. New interconnectivity is going to provide new opportunities for malicious cyberattacks, and you're going to wake up one morning and find that your toaster oven is getting ready to kill you, thanks to Kim Jong Un.
Insider: Are there other ways that this cyber army is innovating?
Russel: I think the new threat for which we are woefully unprepared isn't so much a technical innovation as a strategic innovation. We can see that North Korea is practicing its ability to shut down and to hold at risk an entire American city or a facility in the US that is critical to our economy, our safety, and our national security.
This cyber capability, the ability to hold not just a bank hostage but a nation hostage, is going to be North Korea's next generation weapon of mass destruction.
There isn't a big bang. There's not a missile that can be taken out on the launchpad, and because North Korea's own internet or intranet system is so difficult to access, direct retaliation or preemptive cyber defense may not be possible. We've got to sprint now to get ready because we can see what very likely is coming at us.
Insider: What are we doing on a national level, and to support our allies against these kinds of attacks?
Russel: I'm sure there are a lot of cyber-defense initiatives and programs underway through the Department of Defense, the FBI, the Department of Homeland, and National Security, the CIA, etc. - some with the Five Eyes intelligence partners, some with various allies, and then NATO has a program. US, Japan, South Korea have programs. But I'm not all that current on where it is now and how well developed they are, and that's only one piece of it.
I am strongly convinced that this is not a priority for the Trump administration.
Donald Trump was prepared to accept the word of his best friend, Kim Jong Un, that North Korea had no intention of threatening the US. He's turned a blind eye when North Korea has violated UN sanctions by launching mid-range ballistic missiles into the Sea of Japan.
Because North Korea depends so heavily on China, not just for cyber, but in the case of cyber, for access to servers, its pipelines, and so on, it would be critical for the United States to develop some degree of cooperation with China to limit North Korea's offensive cyber threat.
Obviously, there's much more on the diplomatic side that we would have to do to present North Korea with an international unified front that would make it difficult for it to find these cyber platforms to use against us.
The United States needs to launch a crash campaign to up the level of our defense of critical infrastructure. This is not a secret. There are plenty of warnings out from the US intelligence community and from the cybersecurity companies. But the United States, as far as I know, doesn't have a cyber czar.
Most importantly, I think, is deterrence. Deterrence means convincing the other side that the consequences of an attack are sufficiently certain and the capability of the United States is so well demonstrated that it's too high a risk to take.
And the fact is that North Korea is succeeding in so many of these cyberattacks, and it's getting a pass from the Trump administration, so it's continuing to build intercontinental ballistic missiles. It's continuing to develop other weapons.
The US has stood down on joint military exercises with South Korea. The US is in the middle of a grudge match with South Korea over the cost of American troop deployment there. The US is in the middle of a demolition derby with China. It's at odds with so many of the countries that have historically been American partners.
What North Korea sees when it looks at the US does not deter it.
This interview has been edited and condensed.