How North Korea’s hackers bankroll its quest for the bomb
Analysis by Foreign Policy
The Foreign Policy magazine has published an article arguing that cybercrime is a windfall for Kim Jong Un’s nuclear ambitions. Caliber.Az reprints the article.
For at least five years, a shadowy group of hackers has been waging a quiet campaign to harvest sensitive data from government agencies, academics, and think tanks in the United States and South Korea, all while stealing and laundering cryptocurrency on the side. That group, dubbed APT43, was outed as a likely proxy for North Korean intelligence services late last month by cybersecurity firm Mandiant, a revelation that unnerved, but didn’t surprise, policymakers in Washington and allied capitals in Asia.
APT43 and other groups like it represent the new face of North Korea in the digital age. It is at once a closed-off communist autocracy that is cash-strapped, impoverished, and more isolated than ever before, while also being tech savvy, entrepreneurial, and ruthlessly adept at trawling the web to loot, steal, and—most importantly of all—find ways to advance its nuclear weapons program.
In short, Pyongyang has deployed an army of hackers to bankroll its quest for the bomb.
“North Korea’s illicit cyberactivities are really gaining traction,” said Ellen Kim, an expert on Korea at the Center for Strategic and International Studies think tank. “They used to use their cyber-capabilities to attack South Korean government departments, but now they’ve really shifted their focus to international banks and infrastructure in other countries.”
The trend represents an alarming new threat for Washington and its allies in Asia as North Korea stubbornly expands its nuclear weapons and ballistic missile programs, even as its economy teeters on the brink of collapse after three years of a draconian, self-imposed lockdown to prevent the spread of the COVID-19 pandemic.
“While North Korea is often viewed by many in the West as economically backward and a so-called Hermit Kingdom, its capabilities to do real harm to governments, enterprises, and even individuals through its activities in cyberspace should not be underestimated,” said Jon Condra, an expert at the cybersecurity firm Recorded Future.
The nexus of North Korea’s cybercrimes and its nuclear program adds a new and dangerous layer of complexity to the Biden administration’s efforts to denuclearize the Korean Peninsula—an initiative that has sputtered and stalled for years due to North Korea’s refusal to pick up the phone. Pyongyang announced on Friday that it tested a solid-fuel intercontinental ballistic missile for the first time, another critical breakthrough in its quest to build a nuclear arsenal that could potentially target the continental United States. The announcement is expected to ramp up pressure on Western governments to find new ways to cut off North Korea’s illicit sources of revenue abroad, including through cybercrime, in a bid to stymie its weapons programs as much as possible.
This new trend of Pyongyang blending its cybercrime and nuclear aims poses a major headache for Washington’s national security apparatus, where nuclear policy, sanctions enforcement, and cybersecurity policies are run by different agencies with vastly different expertise that don’t naturally operate in tandem. The U.S. government has worked to thwart North Korea’s access to cryptocurrency, sanctioning cryptocurrency “mixer” firms that obscure the owners of crypto assets and directly sanctioning North Korean state-sponsored hacking groups.
Cryptocurrencies have proved to be powerful tools for evading sanctions, as transactions are exchanged through encrypted transfers and aren’t processed by commercial banks. They are also much more vulnerable to cyberattacks than traditional banking infrastructure, making cryptocurrency reserves a ripe target of opportunity for North Korean hackers.
“Coupled with the unregulated and vulnerable nature of decentralized finance (DeFi) protocols and organizations, the cryptocurrency sector is a high-value target,” Saher Naumaan, an analyst at BAE Systems Digital Intelligence who researches state-sponsored cyberoperations, wrote in a recent blog post for the Council on Foreign Relations.
Cybercrime has proved to be a windfall, at least by North Korean standards, for the regime. A UN report by independent sanctions monitors estimated that hackers linked to the regime stole between $630 million and over $1 billion in cryptocurrencies in 2022, amounting to record-setting figures and a comparatively large haul for a country with an estimated GDP of just $28 billion in 2016. Blockchain analysis firm Chainalysis, in a separate report, put the number even higher at $1.7 billion. And as sanctions enforcement dries up many traditional forms of generating revenue—including arms sales and limited commodity exports—Pyongyang is increasingly relying on cybercrime to fill its coffers.
North Korea is considered the most isolated country in the world, making it difficult to estimate both how much it spends (or even has to spend) on propping up its cybercriminals and just how it spends the funds that its army of hackers manages to steal. What little information Western governments had been able to glean from North Korea has been effectively cut off for the past three years, due to a self-imposed pandemic lockdown that has blocked all Western diplomats from reentering the country and reopening their embassies there. (The United States doesn’t have an embassy in Pyongyang, but some of its European allies, including the United Kingdom, Germany, Sweden, and the Czech Republic, do.)
Still, the regime’s broad ambition to gain a credible nuclear program has been clear for years, allowing experts and Western governments to piece together the big picture of where Pyongyang’s ill-gotten gains are going.
“It is hard to say exactly where stolen funds from the compromises of cryptocurrency exchanges or banks end up being invested in North Korea, but it is a reasonable assumption that a good portion is allocated to the government’s various military initiatives, including its nuclear program,” Condra said. That program is “notoriously expensive, and given Pyongyang’s lack of economic heft and access to global markets due to sanctions, it is likely that the nuclear program is a major beneficiary of the regime’s cybercriminal activities.”
The case of APT43 sheds new light on how North Korea has deployed its army of cybercriminals to advance its national security goals and not just rake in money for the cash-strapped government. The group’s “focus on foreign policy and nuclear security issues supports North Korea’s strategic and nuclear ambitions,” according to the report from Mandiant. (In 2021, the APT43 group also focused on gathering health-related intelligence, likely in response to what is suspected to have been a deadly wave of COVID infections across North Korea, showing its ability to pivot quickly to Pyongyang’s new priorities.)
The group targeted government agencies and research institutes in South Korea, the United States, Japan, and Europe focused on geopolitical and nuclear policies, all while maintaining a mercenary bent of stealing money when and where it could.
“We consider cyber espionage to be the primary mission for APT43 and available data indicates that the group’s other activities are carried out to support collecting strategic intelligence,” Mandiant researchers wrote in their report. “The actors regularly update lure content and tailor it to the specific target audience, particularly around nuclear security and non-proliferation,” the report added, and all while “carrying out financially-motivated cybercrime as needed to support the regime.”
Earlier this month, the top U.S., Japanese, and South Korean envoys overseeing North Korea policy met in Seoul to discuss the growing threat from North Korea’s nuclear program. They issued a joint statement saying they were “deeply concerned” about how North Korea supports its weapons of mass destruction and ballistic missile programs “by stealing and laundering funds as well as gathering information through malicious cyber activities.”
The flurry of diplomatic meetings and sanctions, however, is unlikely to curb North Korea’s cybercrime anytime soon. “North Korean threat actors are increasingly clever in their approaches to operations, and if tasked to pursue a particular set of targets, they are likely to have some success just based on their persistence and resourcing,” Condra said.