Emerging technologies will intensify the North Korean cyber threat

The World Economic Forum’s Global Risk Report 2024, released in January, puts cyber insecurity as the fourth most severe global risk, up from eighth in 2023.

North Korea is a major contributor to rising cyber insecurity. Its hackers stole $600 million in cryptocurrency in 2023, “almost a third of all funds stolen in crypto attacks last year”, according to a report by TRM Labs.

Evolving operations

North Korea emerged as a major cyber actor on the international scene in 2014 when it hacked multinational firm Sony Pictures. It was also the first time Washington openly attributed an attack to a foreign country.

Since then, Pyongyang has turned its hacking skill set towards evading international sanctions and stealing funds. It has exploited the fact that crypto is not well regulated. Elliptic, a crypto exchange monitoring organisation, said North Korean actors stole almost $900 million between July 2022 and July 2023.

A North Korean state-backed group, Lazarus, was behind one of the largest crypto thefts to date. They stole $625 million from the cryptocurrency network Ethereum, which is linked to a popular game called Axie Infinity. With these funds, Pyongyang has been able to finance the development of its nuclear and ballistic weapons programme.

North Korea is also using cyber operations for espionage, intelligence gathering, and information operations to steal critical military information. It targets academia, human rights organisations, and media companies; it creates discontent or mistrust through election fraud; and attacks critical national infrastructure, particularly in South Korea and the United States. The South Korean intelligence agency said that North Korea accounted for 80% of hacking attempts against South Korea in 2023, a figure that was up 36% from the previous year.

In 2016, North Korean hackers stole 235 gigabytes of classified military plans from South Korea’s Defense Integrated Data Centre. This allegedly also included a plan to assassinate senior officials and launch an air assault. Similarly, in 2023, South Korean shipbuilders faced multiple hacking attempts from North Korea, trying to steal information through spear phishing. Other attempts include attacks on Russian missile producers, aerospace and military companies, and an alleged effort to steal 1.2 terabytes of information, including data on laser weapons.

Hacking is critical in intelligence gathering for the regime’s survival, particularly to anticipate its adversaries’ planning and strategy. In August 2023, Kimsuky – a North Korea-based cyber group – attempted to attack a US-South Korea joint military exercise. The same group has also attempted to hack around 150 senior South Korean government officials from the diplomatic and security fields using malicious emails. In one case, hackers used a cloned digital identity for intelligence gathering, money laundering operations, and influence campaigns.

International response

The Biden administration has tried to regulate the virtual currency ecosystem to stop illicit cyber activity and enforce strict adherence to regulatory norms with detailed advisories. They have especially targeted virtual cryptocurrency mixers, which are service platforms that blend together different cryptocurrencies to obfuscate the original source of funds. Notable mixers, such as Tornado Cash, Blender.io, and Sindbad have faced sanctions. Tornado Cash, for example, was used to launder $455 million in cryptocurrency.

Last year, South Korea and the United States started working together to sanction, counter, and disrupt North Korea’s illicit cyber-domain activities, later joined by Japan with closer engagement with the private sector. Such measures have led to a $24.2 million reduction in the amount of money received by illegal cryptocurrency addresses. This is mainly the result of a drop in scamming cases because the US crackdown forced exchanges to implement stringent policies. 

Adapting to the restrictions

Amidst the hardening of regulations, North Korean hackers are searching for new ways to acquire funds. A 2024 report by the United Nations Office on Drug and Crime found that the North Korean Lazarus group is linked to Southeast Asian drug traffickers involved in “regional money laundering and underground banking networks” for cyber fraud operations.

This is not the first time North Korean cybercriminals have explored foreign avenues. Earlier attempts have involved collaboration with Russian and Chinese actors outside of state control, aiming to transfer funds to North Korea through financial or underground channels, such as the dark web. During a North Korean military parade last year, a tank was found to be equipped with an “automatic rocket interceptor system” that was allegedly obtained through cyber theft from either Chinese or Russian defence companies. This indicates that North Korea is willing to target even former ideological allies like Russia and China to obtain military technologies.

Emerging technology

Critical and emerging technologies like Artificial Intelligence (AI) will increase the impact and volume of North Korean cyberattacks.

North Korean hackers have limited resources, and AI tools, like Chat GPT, enhance their cyber capabilities and operations. Chat GPT, for example, can help with data exfiltration, web scraping, and identifying confidential data. It can also enhance English language skills for email phishing attacks. Digital tools such as voice cloning, deep fakes, image generators, and chatbots make fake profiles more realistic and more believable. AI models also help to identify vulnerabilities in codes and software.

US Deputy National Security Advisor Anne Neuberger has already acknowledged the risk of North Korean hackers exploiting AI and machine learning tools. She said, “We have observed some North Korean and other nation-state and criminal actors try to use AI models to help accelerate writing malicious software and finding systems to exploit.”

Earlier, the US Office of Foreign Assets Control, a financial and intelligence enforcement agency under the US Treasury Department, flagged the illicit activities undertaken by North Korean hackers and groups. Such attacks include the targeting of United States companies or IT freelancers. Hackers have been able to use AI tools like voice cloning and text converters to lure victims to run malware using compromised Korean websites that appear legitimate.

Emerging technologies enhance offensive operations, but they also help safeguard states’ essential infrastructure and strengthen defensive measures against malicious activities. According to Rob Joyce, the director of cybersecurity at the NSA, advancements in AI, machine learning, and deep learning have significantly improved our ability to detect and combat malicious behaviour. Countering cyber operations from hostile regimes will require a comprehensive approach that involves constant vigilance and collaboration with international partners, allies, and the private sector.