Research Collection

Report

Cyber disruption and cybercrime: Democratic People’s Republic of

Author(s): Baezner, Marie

Publication Date: 2018-06

Permanent Link: https://doi.org/10.3929/ethz-b-000314511

Rights / License: In Copyright - Non-Commercial Use Permitted

This page was generated automatically upon download from the ETH Zurich Research Collection. For more information please consult the Terms of use.

ETH Library CSS CYBER DEFENSE PROJECT

Hotspot Analysis: Cyber disruption and cybercrime: Democratic People’s Republic of Korea

Zürich, June 2018

Version 1

Risk and Resilience Team Center for Security Studies (CSS), ETH Zürich Cyber disruption and cybercrime: Democratic People’s Republic of Korea

Author: Marie Baezner

© 2018 Center for Security Studies (CSS), ETH Zürich Contact: Center for Security Studies Haldeneggsteig 4 ETH Zürich CH-8092 Zürich Switzerland Tel.: +41-44-632 40 25 [email protected] www.css.ethz.ch

Analysis prepared by: Center for Security Studies (CSS), ETH Zürich

ETH-CSS project management: Tim Prior, Head of the Risk and Resilience Research Group, Myriam Dunn Cavelty, Deputy Head for Research and Teaching, Andreas Wenger, Director of the CSS

Disclaimer: The opinions presented in this study exclusively reflect the authors’ views.

Please cite as: Baezner, Marie (2018): Hotspot Analysis: Cyber disruption and cybercrime: Democratic People’s Republic of Korea, June 2018, Center for Security Studies (CSS), ETH Zürich.

1

Cyber disruption and cybercrime: The Democratic People’s Republic of Korea

Table of Contents

1 Introduction 4

2 Background and chronology 5

3 Description 8 3.1 Attribution and actors 8 DPRK actors 8 Other state actors 10 Non-state actor 11 3.2 Targets 11 Targets in 12 Targets in other states 12 International financial targets 12 Targets in the DPRK 12 3.3 Tools and techniques 12 Spear phishing 12 Distributed Denial of Service 13 13

4 Effects 14 4.1 Social effects 14 4.2 Economic effects 15 4.3 Technological effects 15 4.4 International effects 15 Cyberattacks attracting significant international attention 16 Cyber-activities as a complement to nuclear strategy 16 Risks from indiscriminate cyberattacks for the DPRK 16

5 Policy Consequences 17 5.1 Improve cybersecurity 17 5.2 Encourage better cybersecurity in financial institutions 17 5.3 Monitor the situation 17

6 Annex 1 18

7 Annex 2 22

8 Glossary 25

9 Abbreviations 26

10 Bibliography 26

2 Cyber disruption and cybercrime: The Democratic People’s Republic of Korea

the role of actors from other countries. The study looks Executive Summary at their various targets, techniques and tools deployed, such as spear phishing and malware.

Targets: South Korean institutions and media; Effects US military entities, government and businesses; financial institutions and The DPRK used its cyber capabilities at the cryptocurrency exchanges; and domestic level to spy on its own citizens. DPRK leaders institutions of the Democratic People’s sought to maintain power by controlling their nation’s Republic of Korea (DPRK)1. information sphere. Tools: Spear phishing, Distributed Denial of Economically, cyberattacks attributed to the Service2 (DDoS) attacks and malware DPRK caused financial losses for the targeted (DDoS-KSig, Destover, Jokra, institutions and businesses. DDoS and wiper malware MYDOOM, Dozer, Hangman, damaged firms’ websites and hardware, resulting in a DOGCALL, WannaCry, Android need for costly cybersecurity intervention or hardware malware and others). replacement. Effects: Cyber capabilities used to spy on the The technological impact of DPRK cyber-activities DPRK’s own citizens; economic losses was observed in the discovery of new malware families. for businesses targeted by DDoS Actors allegedly linked to the DPRK created specific attacks and hacked financial malware to fit their targets’ networks. These actors also institutions; discovery of new malware appeared to follow technological advancements by families; cyber capabilities garnering targeting cryptocurrencies and adapting their malware the DPRK international attention to new vulnerabilities. without the inconvenience of International effects observed in DPRK cyber- economic sanctions; cyber capabilities activities were marked by the country’s use of cyber fitting in with the DPRK’s asymmetric capabilities to complement its nuclear missile strategy. strategy. Cyber-activities gave the DPRK the opportunity to Timeframe: 2009 – still ongoing. attract international attention without incurring economic sanctions such as those imposed for nuclear capabilities. In 2014, a cyberattack targeted Sony Entertainment Pictures. The attack wiped the contents Consequences of Sony’s computers and leaked sensitive information on the internet. In 2017, the US and other states attributed The policy recommendations in this report are the WannaCry, which exploited unpatched aimed at reducing states’ risk of being impacted by DPRK Windows operating systems, to the DPRK. The US also cyber-activities. First, states should improve their attributed the Sony hack to the DPRK and revealed DPRK cybersecurity by raising public awareness of spear cyber capabilities to the world. However, the DPRK has phishing attacks and the need for keeping software been developing its cyber capabilities in parallel to its updated. Second, states should encourage financial nuclear capabilities and has been attracting increasing institutions and cryptocurrency exchanges to improve attention throughout recent years. their own cybersecurity. Finally, states should closely This Hotspot Analysis studies cyber-activities monitor DPRK cyber-activities to be better prepared in related to the DPRK. It examines the impact of these the event of a DPRK cyberattack. cyber-activities on the DPRK’s domestic society, the international economy, technological development and international relations. The goal of this report is to better understand the mechanisms of the DPRK’s cyber-activities and their role in the DPRK’s strategy.

Description

States and cybersecurity companies regularly attribute cyberattacks to cyberactors with alleged links to the DPRK. However, these links cannot always be confirmed. This report examines these actors as well as

1 Abbreviations are listed in section 9 2 Technical terms are explained in a glossary in section 8.

3 Cyber disruption and cybercrime: The Democratic People’s Republic of Korea

1 Introduction domestic level, the report shows that the DPRK uses its cyber capabilities to spy on its own citizens to secure its The attribution3 of the Sony hack to the information sphere and the continuity of the regime. Democratic People’s Republic of Korea (DPRK) 4 shed Economically, DDoS attacks conducted by the DPRK on new light on DPRK cyber capabilities. Until then South Korean businesses caused economic losses, and cyberattacks attributed to the DPRK had mostly been other cyberattacks on financial institutions attributed to directed against South Korea, but since this event the DPRK also resulted in major economic losses. The technological effects of DPRK cyber-activities consisted cybersecurity firms and states have attributed an 5 increasing number of cyberattacks to the DPRK, of the discovery of new malware families and the revealing the DPRK’s growing cyber capabilities. The identification of the DPRK’s growing interest in unique aspect of DPRK cyberattacks resides in their cryptocurrencies. motives, as the DPRK is the only state that allegedly The examination of international effects conducts cyberattacks for both political motives and addresses the role DPRK cyber-activities played beyond financial gain. DPRK cyber capabilities also appear to the Korean peninsula. It looks at how cyberattacks develop in parallel to its nuclear capabilities. garnered the DPRK the same level of attention as its This Hotspot Analysis examines cyber-activities nuclear capabilities without the inconvenience of related to the DPRK. It looks at various cyberattacks that incurring international sanctions. This subsection were attributed to the DPRK, but also at the role of other explains how cyber capabilities fit into the DPRK’s states in these activities. asymmetric strategy and complement its nuclear missile The study of DPRK cyber-activities is relevant program. The WannaCry ransomware, for example, because of the DPRK’s unique position in international showed that DPRK cyber capabilities can be deployed to politics and its growing cyber capabilities. The latter threaten individuals through indiscriminate have attracted greater international attention in recent cyberattacks. years and warrant more detailed examination. In Section 5, this Hotspot Analysis suggests a The goal of this Hotspot Analysis is to better series of policy recommendations that states may wish understand the mechanisms of DPRK cyber-activities to implement in order to mitigate potential cyberattacks and their role in DPRK strategy. This report will be from the DPRK. States could improve their cybersecurity updated as new cyberattacks or relevant elements through awareness programs on spear phishing and by related to the DPRK emerge. This Hotspot Analysis will keeping their operating systems and software up to also form part of a broader study that comprises the date. They could also encourage financial institutions, various Hotspot Analyses published during the year. This which are at a particularly high risk, to improve their broader report will compare these Hotspot Analyses, cybersecurity. Finally, states should closely monitor the study possible trends and propose recommendations to development of cyber capabilities to avoid being taken states wishing to improve their cybersecurity. by surprise. This Hotspot Analysis is organized as follows: Section 2 describes the historical context in which the DPRK developed its cyber capabilities to attract greater international attention alongside its nuclear missile program. A chronology helps to understand the sequence of international events that led to the DPRK developing nuclear missiles and cyber capabilities. In Section 3, the report describes the various actors from the DPRK as well as actors allegedly linked to the DPRK and other countries. Next, the report details the nature of targets of DPRK cyberattacks as well as a selection of tools and techniques used in these cyberattacks. It shows that, while DPRK cybertools are not highly sophisticated and mostly exploit targets’ vulnerabilities, they are sufficiently advanced to achieve the DPRK’s strategic goals. Section 4 analyzes the effects of DPRK cyber- activities at the domestic and international levels. At the

3 The US intelligence attributed the hack to the DPRK, but some 4 Abbreviations are listed in section 9. cybersecurity firms and experts claimed that the DPRK was not in fact 5 Technical terms are explained in a glossary in section 8. the perpetrator. In this report, the DPRK is regarded as the attacker of Sony Entertainment Pictures in 2014. The general attribution problem is further discussed in section 3.1.

4 Cyber disruption and cybercrime: The Democratic People’s Republic of Korea

2 Background and 31.08.1998 The DPRK conducts firing tests of the Taepodong-1 intermediate-range chronology ballistic missile (N.K. News, 2017). 06.07.1999 The JML Virus, allegedly developed by Western states have focused on the DPRK’s the DPRK, is discovered in the wild. development of nuclear missiles and have mostly 2002 Win32/Weird.B, a version of the JML ignored its cyber capabilities. While the development of Virus, is discovered in South Korea nuclear missiles gave DPRK international attention, it (Jun et al., 2015). also attracted sanctions that damage the DPRK 29.01.2002 In his State of the Union address, US economy, whereas cyber-activities allow the DPRK to President George W. Bush places the achieve its strategic goals with a low risk of retaliation or DPRK in the “Axis of Evil” for its sanctions. Western states realized relatively late that nuclear weapon program. the DPRK has successfully developed serious cyber 2003 The DPRK quits the Non-Proliferation capabilities despite its limited internet connectivity. In Treaty. fact, the DPRK has been building its cyber capabilities for 20.03.2003 The US invades Iraq. years. Kim Jong-un expanded these activities after his 2004 South Korea establishes a National father’s death and shifted their focus towards bolder Cyber Security Center (NCSC) under and more visible targets such as the Bangladesh Central its National Intelligence Service (NIS) Bank and Sony Entertainment Pictures (Kim, 2018). (Park, 2016a). The DPRK’s cyber-activities are interesting 04.2004 The DPRK hacks hundreds of because this is the only state actor that uses cyber- computers and servers in South Korea activities for both political motivations and financial (Mansourov, 2014). gains. The following chronology not only lists the main 2005 The DPRK announces that it possesses international developments relating to the DPRK, and its nuclear weapons. progress in its nuclear missile program, but also traces the main cyber-incidents attributed to the DPRK6. 05.07.2006 The DPRK tests the launch of its intermedium-range ballistic missile Rows with gray background refer to cyber- Taepodong-2. related incidents, while rows with light blue background 09.10.2006 The DPRK announces it has list events related to DPRK nuclear missile development. conducted a successful nuclear test (Kim, 2017). Date Event 14.10.2006 The United Nations (UN) Security 06.1950- War on the Korean peninsula puts Council passes Resolution 1718 07.1953 Western countries in opposition to prohibiting exports of military the DPRK and its communist allies. supplies and luxury goods to the DPRK (United Nations Security 27.07.1953 The war ends with the signing of the Council, 2006). Korean Armistice Agreement to stop the hostilities and establish the 03.2007 According to cybersecurity experts Korean Demilitarized Zone near the working on Operation Blockbuster, 38th parallel, separating North and the , a group South Korea. allegedly linked to the DPRK, starts to develop its first generation of 1976 The DPRK starts the development of malware (Novetta, 2016). missiles using Soviet Scud-B missiles and a launch pad from Egypt. 01.01.2008 The US (NSA) starts its operation Boxing 1984 The DPRK conducts its first firing test Rumble to spy on the DPRK of Scud-B missiles (Kim, 2017). (Gallagher, 2015; Maness and 1990 The end of the USSR means reduced Valeriano, 2017). availability of material and economic 2009 The DPRK Korean Workers Party’s support for the DPRK (Recorded Operations Department, responsible Future, 2017). for clandestine operations during the 10.1990 The DPRK conducts its first test of the Cold War, is restructured to become Rodong-1 missile. the Reconnaissance General Bureau 07.1994 DPRK leader Kim Il-sung dies and his (RGB), the DPRK’s main intelligence son Kim Jong-il becomes the new

leader of the DPRK (Kim, 2017).

6 A more detailed list of cyber-incidents attributed to the DPRK and cyberattacks that occurred in the DPRK can be found in Annex 1.

5 Cyber disruption and cybercrime: The Democratic People’s Republic of Korea

2009 agency (Jun et al., 2015; Recorded 22.01.2013 The UN Security Council passes Future, 2017). Resolution 2087 tightening sanctions The Lazarus Group starts its against the DPRK (United Nations Operation Troy and its wiper malware Security Council, 2013a). (Novetta, 2016; Talmadge, 2017). 12.02.2013 The DPRK conducts its third nuclear 25.05.2009 The DPRK conducts a second nuclear test (Kim, 2017). test (Kim, 2017). 03.2013 The DPRK accuses the US and South 12.06.2009 The UN Security Council passes Korea of having conducted Resolution 1874 broadening the ban cyberattacks on North Korean on exports of military supplies and internet infrastructures (Center for luxury goods to the DPRK (United Strategic and International Studies, Nations Security Council, 2009). 2018). 04- The Lazarus Group conducts A US strategic bomber plane, B-52, 07.07.2009 Distributed Denial of Service (DDoS) flies over South Korea (Meyers, attacks against 17 South Korean and 2017). US government websites (Chanlett- 07.03.2013 The UN Security Council passes Avery et al., 2017). Resolution 2094 imposing sanctions 2010 South Korea launches its military on money transfers, thus isolating the National Cyber Command (Park, DPRK from the global financial system 2016a). (United Nations Security Council, 26.03.2010 The DPRK torpedoes a South Korean 2013b). Navy corvette. 20.03.2013 The Lazarus Group shuts down 32,000 07.07.2010 The DPRK conducts DDoS attacks on computers in South Korean broadcast South Korean government and and financial companies (Jun et al., private websites (Jun et al., 2015). 2015; Novetta, 2016). 19.07.2010 NSA’s Operation Boxing Rumble ends 04.2013 launches an operation (Gallagher, 2015; Maness and against the DPRK causing numerous Valeriano, 2017). DDoS attacks and defacement on 23.11.2010 The DPRK fires artillery shells at the DPRK websites (Brodkin, 2013; Yeonpyeong Island and jams South Williams, 2013a). Korean radars to avoid direct 25.06.2013 The DPRK launches a DDoS attack retaliation (Jun et al., 2015). against 69 South Korean media 04.03.2011 The Lazarus Group conducts a DDoS outlets and government websites attack on 40 South Korean media (Jun et al., 2015). outlets, critical infrastructures and 09.2013 Kaspersky Lab discovers a financial websites, as well as on US cyberespionage campaign named the military entities in South Korea, in an Kimsuky campaign against South operation named Ten Days of Rain Korean think tanks and industries (Maness and Valeriano, 2017; (Tarakanov, 2013). Novetta, 2016). 2014 The DPRK compromises 140,000 12.04.2011 The Lazarus Group targets the South South Korean government and Korean Nonghyup Agriculture business computers and tries to Cooperative Federation Bank with a penetrate the control system for the DDoS attack (Chanlett-Avery et al., South Korean transportation network 2017). (Tosi, 2017). 17.12.2011 DPRK leader Kim Jong-il dies and his The US starts a cyber program with son Kim Jong-un becomes the new the aim to stop the DPRK’s nuclear DPRK leader. missile program (Sanger and Broad, 2012 Iran and the DPRK sign a treaty on 2017). sharing technologies, including cyber Scarcruft, a cyberactor associated technologies (Novetta, 2016; Sin, with the DPRK government, targets 2016). South Korean media and websites on 09.06.2012 A South Korean conservative DPRK refugees with watering hole newspaper stops a cyberattack by the attacks (FireEye Inc., 2018). Lazarus Group, but has its website defaced (Novetta, 2016).

6 Cyber disruption and cybercrime: The Democratic People’s Republic of Korea

08.2014 DPRK attack the British TV 08.2016 A Russian named broadcaster Channel 4. The channel Shadow Brokers steals a series of had planned to release a TV show on exploits and cybertools from the NSA a nuclear scientist being kidnapped and releases them on the internet by the DPRK. The TV show was (Solon, 2017). cancelled after the cyberattack. 11.2016 Scarcruft targets South Korean 24.11.2014 The Lazarus Group targets Sony government and financial institutions Entertainment Pictures with wiper as part of an cyberespionage malware. The group identifies itself as campaign (FireEye Inc., 2018). the Guardians of Peace and demands 05.09.2016 The DPRK fires three ballistic missiles that a comedy movie about a plot to and at least one enters ’s air assassinate Kim Jong-un not be defense zone. released. The group also steals 09.09.2016 The DPRK conducts its fifth nuclear information from Sony and leaks it on test. the internet (Chanlett-Avery et al., 30.11.2016 The UN Security Council passes 2017; Maness and Valeriano, 2017). Resolution 2321 imposing sanctions 19.12.2014 The US Federal Bureau of capping DPRK exports of coal (United Investigation (FBI) publishes a report Nations Security Council, 2016b). attributing the Sony cyberattack to 2017 stops importing coal from the the DPRK (Talmadge, 2017). DPRK (Sanger and Broad, 2017). However, cybersecurity experts are 2017 The Lazarus Group infiltrates the skeptical about this attribution and website of the Polish financial force the FBI to publish some of its regulator and infects visitors with evidence against the DPRK. malware (Sanger et al., 2017). US President Obama warns the DPRK 02.2017 DPRK hackers steal US$7 million of retaliation for the Sony worth of cryptocurrency from the cyberattack. South Korean cryptocurrency 20.12.2014 The DPRK’s intranet goes down for exchange Bithumb (Guerrero-Saade ten hours, possibly because of a and Moriuchi, 2018). cyberattack (Chanlett-Avery et al., 03.2017 Microsoft patches some 2017). vulnerabilities identified by the NSA 10.2015 The DPRK conducts cyberattacks and leaked by against banks in the . group in August 2016 (Nakashima, 12.2015 The DPRK conducts cyberattacks 2017). against the Tien Phong Bank in 03.2017 Scarcruft targets the South Korean Vietnam (Sanger et al., 2017). government and military with spear 06.01.2016 The DPRK conducts its fourth nuclear phishing emails (FireEye Inc., 2018). test (Kim, 2017). 06.03.2017 The DPRK launches four ballistic 02.2016 The Lazarus Group conducts a missiles. Three of them land in cyberattack on the Bangladesh Japan’s exclusive economic zone Central Bank through the SWIFT (Kim, 2017). messaging system and steals US$81 04.2017 A series of spear phishing emails million (Chanlett-Avery et al., 2017). targeting US defense contractors is 02.03.2016 The UN Security Council passes attributed to the Lazarus Group Resolution 2270 imposing sanctions (Center for Strategic and banning exports of gold, vanadium, International Studies, 2018). and rare earth materials to 05.2017 The DPRK starts to mine the DPRK (United Nations Security cryptocurrencies (Recorded Future, Council, 2016a). 2017). 04.2016 DPRK hackers penetrates the South 05.2017 The DPRK tests the launch of several Korean Defense Integrated Data ballistic missiles, some of which hit Center and steal classified documents the Sea of Japan. (Sanger et al., 2017). 05.2017 Scarcruft infects the network of a Middle Eastern firm through spear phishing (FireEye Inc., 2018).

7 Cyber disruption and cybercrime: The Democratic People’s Republic of Korea

12.05.2017 The ransomware WannaCry infects 3 Description approximately 200,000 computers in over 150 countries (Kim, 2018). This section describes various actors involved in 15.05.2017 Cybersecurity companies Kaspersky cyber-activities related to the DPRK, their targets and Lab and Symantec affirm that the some of their cybertools. The aim of this section is to Lazarus Group is behind WannaCry provide more information on and a deeper (Solon, 2017). understanding of the relationships between these 06.06.2017 The NSA attributes the ransomware various actors and their techniques and cybertools. WannaCry to the DPRK (Nakashima, 2017). 3.1 Attribution and actors 05.08.2017 The UN Security Council passes

Resolution 2371 imposing sanctions A variety of actors were involved in cyber- banning all exports of coal, iron, lead activities related to the DPRK. It is worth mentioning and seafood from the DPRK (United that information coming out of and about the DPRK is Nations Security Council, 2017a). scarce. Such information is mostly collected by South 09.2017 A press report states that the US Korean and US intelligence and from North Korean Cyber Command targeted the defectors. The former have an interest in depicting the Reconnaissance General Bureau DPRK as an urgent, imminent threat, and their reports (RGB) with DDoS attacks (Center for may be biased, while the reliability of the latter remains Strategic and International Studies, unclear, and knowledge of DPRK structures may also be 2018). outdated. The Lazarus Group targets users of Attribution is a recurring point of contention in the cryptocurrency exchange Coinlink cybersecurity. It is usually based on the cui bono (to with spear phishing emails (Guerrero- whose benefit) logic. However, cyber forensics cannot Saade and Moriuchi, 2018). confirm with 100% certainty that an alleged perpetrator 03.09.2017 The DPRK conducts its sixth nuclear who is thought to benefit from a cyberattack is indeed test. the perpetrator. Due to language limitations, this 11.09.2017 The UN Security Council passes Hotspot Analysis report is based on Western media, Resolution 2375 imposing sanctions cybersecurity and think tank reports, and academic limiting the DPRK’s importation of articles. In addition to the difficulty of gathering crude oil and refined petroleum information on the DPRK, these sources represent products (United Nations Security specific points of view and agendas that are not neutral. Council, 2017b). It is important to bear in mind that, even though this 10.2017 The DPRK acquires a new internet Hotspot Analysis is intended to be objective, this choice connection through Russia of sources may entail a certain imbalance. (Crowdstrike, 2018). The report first examines several actors with 19.12.2017 The US publicly attributes WannaCry direct links to the DPRK, and others with weaker to the Lazarus Group (McAskill et al., associations with or alleged links to the DPRK. Second, 2017). the analysis looks at South Korean and US forces accused Japan orders interceptor missiles of targeting the DPRK. Third, the study analyzes China from the US to counter North because of its role in the DPRK’s cyber-activities. Finally, Korean’s ballistic missiles (McCurry, the report investigates the independent non-state actor 2017). Anonymous, who took part in confrontations in 09.03.2018 The US President accepts to meet the cyberspace with the DPRK. DPRK leader in May 2018 to discuss nuclear missiles (BBC News, 2018). DPRK actors

There are various actors from the DPRK, some of whom are directly linked to the state, while others are rather loose groups for which it remains difficult to prove effective links with the government.

8 Cyber disruption and cybercrime: The Democratic People’s Republic of Korea

Reconnaissance General Bureau The Command Automation Bureau of the GSD is responsible for Computer Network Operations (CNO), The RGB7, the DPRK’s main foreign intelligence i.e. the development of malware and research of agency and headquarter of special and cyber- exploits for the KPA. Within the Command Automation operations, was created when the DPRK’s intelligence Bureau, Unit 31 develops malware, Unit 32 develops institutions were restructured in 2009. It is under the software for the KPA, and Unit 56 researches and administration of the Korean People’s Army (KPA) develops command and control software. General Staff Department (GSD) (Meyers, 2017). While The Enemy Collapse Sabotage Bureau’s Unit 204 the RGB is the country’s main cyber-operations is not a cyber-operation unit per se, but is in charge of institution, the DPRK also has other organs that conduct online information warfare and propaganda against such operations. The RGB is responsible for researching South Korea (Jun et al., 2015). cyber solutions, gathering intelligence by cybermeans, There is also occasional mention of a Lab 110, and running cyber-operations. The RGB directly reports which is said to be in charge of technical reconnaissance, to the DPRK National Defense Commission, and there infiltration, intelligence gathering through hacking and are rumors that the RGB is directly supervised by Kim setting implants. However, it is unclear if Lab 110 is Jong-un. The RGB is composed of seven Bureaus, each another name for an aforementioned unit or a separate responsible for a different task, from operations to one. It is also difficult to establish how this unit is technical expertise. US reports also state that the RGB positioned within the DPRK structure (Tosi, 2017). manages several trade companies that are currently under UN sanctions (Chanlett-Avery et al., 2017; Jun et Patriotic hackers al., 2014, 2015). Reports state that DPRK patriotic hackers operate from China. Their role is mostly to post pro- DPRK and anti-South Korean propaganda on Western, Bureau 1218 is the newest of the seven RGB Chinese and South Korean social media and forums. Bureaus. It was created in 2013 and is the main However, direct support and commands from the DPRK cyberactor in the RGB (Chanlett-Avery et al., 2017; regime to these hackers is difficult to prove (Mansourov, Recorded Future, 2017). Its tasks consist of offensive 2014). and defensive cyber-operations, cyberespionage, computer network exploitation and cybercrime to Lazarus Group finance the regime (Jun et al., 2015). South Korean intelligence reports that Bureau 121 employs between The Lazarus Group9 is a hacker group, but many 2,000 and 6,000 hackers who operate from both the details about the group remain unclear. Experts from DPRK and China (Libicki, 2017; Tosi, 2017). various cybersecurity firms have attributed several major cyberattacks to the Lazarus Group (e.g. Office 91 WannaCry, the Bangladesh Central Bank heist, the Sony hack, cyberattacks on banks in Poland and South East Reports claim that the RGB directly supervises Asia) (Guerrero-Saade and Moriuchi, 2018; Kaspersky Office 91, which employs approximately 80 staff and is Lab, 2017; Novetta, 2016). The group has been active at dedicated to hacking activities and providing hardware least since 2009, but a team of cybersecurity experts led to other hacker units (Kim, 2018). The staff allegedly by Novetta revealed the group to the public following its travels regularly to Chinese cities hosting DPRK hackers, investigation of the Sony hack in 2014. This team of such as Shenyang and Dangong (Kim, 2011). experts linked the Lazarus Group to approximately 48 malware families and several cyberattacks on South Other offices Korea (Novetta, 2016). Cybersecurity experts consider the Lazarus Group to be a highly skilled group that Other offices in DPRK institutions are also regularly changes the code of its malware to avoid involved in cyber-operations. The 414 Liaison Office and detection. The group has allegedly employed its the 128 Liaison Office are subordinate to the RGB and malware against financial institutions in at least 18 are responsible for supporting cyber-operations in states since 2009 (Kaspersky Lab, 2017). South Korea. They communicate with espionage The structure of the group is uncertain, as are its networks in South Korea and conduct surveillance of potential links to the DPRK. This hacker group could: South Korean law enforcement.

7 The RGB is also called Unit 586 (Recorded Future, 2017). 9 The Lazarus Group is also called DarkSeoul, WhoIS , 8 Bureau 121 is also called Unit 121, Electronic Reconnaissance NewRomanic Cyber Army Team, Guardian of Peace, Hidden Cobra, Bureau’s Cyber Warfare Guidance Bureau (Jun et al., 2015). Chollima and Hermit.

9 Cyber disruption and cybercrime: The Democratic People’s Republic of Korea

- Be associated with the DPRK, possibly sponsored Cybersecurity experts have identified that Scarcruft by the RGB (Nakashima, 2017) tends to use zero-day vulnerabilities in its spear phishing - Conduct independent operations but have emails and watering hole attacks. The use of such members associated with the DPRK vulnerabilities shows that the group is skilled, - Be a mercenary hacker group that sometimes sophisticated and well-funded (FireEye Inc., 2018; works for the DPRK (Talmadge, 2017) Mercer and Rascagneres, 2018; Sheridan, 2018). - Also sometimes be called Bureau 121 and might in fact be Bureau 121 Other state actors There is no evidence to confirm whether the Lazarus Group is only a single group or a consortium of South Korea tightly connected hacker groups working together and sharing infrastructures. The group’s finance also South Korea is regarded as one of the best- remains a mystery, but its sophistication makes it likely connected countries in the world, but this connectivity that it is well funded and organized. Cybersecurity constitutes a vulnerability in terms of cyberattacks. In experts have found Internet Protocol (IP) addresses South Korea, the military and national intelligence from infrastructures in China, Malaysia and Indonesia in agencies are responsible for the state’s cybersecurity. In the Lazarus Group’s cyberattacks. Therefore, experts 2011, South Korea established a National Cyber assume that the group could be operating from these Command (NCC) under its Ministry of National Defense, countries (Talmadge, 2017). which is tasked with defending government and military networks. The NCC employs approximately 1,000 staff Bluenoroff (Abke, 2017; “South Korea to Launch Cyber Warfare Command,” 2011). In 2014, the Ministry of National Cybersecurity experts assume that Bluenoroff is Defense announced a more offensive stance toward the the cybercrime unit of the Lazarus Group, targeting DPRK in cyberspace, intending to give its cyber units the financial institutions and cryptocurrency exchanges. It ability to identify DPRK cyber-activities and to use uses spear phishing emails and watering hole attacks to preemptive cyber strikes against such activities gain access to these institutions’ networks. Bluenoroff (Mansourov, 2014). allegedly has extensive reverse engineering skills to In 2004, the South Korean government created exploit network vulnerabilities. This subgroup pursues the National Cyber Security Center (NCSC) as part of the stealthy theft from financial institutions through long- National Intelligence Service (NIS). This agency is term infiltration rather than simple hit-and-run responsible for overseeing South Korean cybersecurity operations. Cybersecurity experts have attributed the and providing a discussion platform for the private 2016 Bangladesh Central Bank heist and cyberattacks on sector, civilians and the military. financial institutions in Europe in 2016 to Bluenoroff The NIS and South Korean military supported (Kaspersky Lab, 2017; Meyers, 2017; Sheridan, 2018). authoritarian regimes in the past. Therefore, both institutions are under strict governmental surveillance Scarcruft to avoid any abuse. The NIS and NCC came under criticism when agents were investigated for purchasing Scarcruft10 is a hacker group targeting mainly spying malware from the Italian firm Hacking Team. The South Korean institutions and industries. Cybersecurity NIS argued that the malware was intended for experts believe that the DPRK directly or indirectly cyberespionage against the DPRK rather than South supports Scarcruft. This assessment is based on four Korean citizens (Park, 2016a). elements: A 2014 report revealed that South Korea planned - The type of targets, which align with DPRK to build malware to stop or slow down the development strategic interests of the DPRK’s nuclear missiles (Kim, 2014). However, it - The malware families deployed is difficult to assess the South Korean cyber-operations - The belief that a DPRK individual was involved in against the DPRK because of the lack of reports from the the development of Scarcruft’s malware North of the peninsula. - The malware operating time, which matches In January 2014, Kaspersky Lab discovered a working hours in the DPRK time zone cyberactor that targeted specific individuals through The group has supposedly been active since at hotel networks. The campaign, named DarkHotel, was least 2012. Up until 2017, Scarcruft focused its believed to be state-supported. The cybersecurity firm cyberattacks on South Korean targets, but since 2017 hypothesized that South Korea might have been behind the group has expanded its range of targets by attacking these attacks (Zetter, 2014). organizations in the Middle East, Japan and Vietnam.

10 The group is also called Reaper, APT37, Red Eyes and Group 123.

10 Cyber disruption and cybercrime: The Democratic People’s Republic of Korea

USA to universities in India. It is possible that the DPRK deployed hacker teams in India, as it did in China In the US, the US Cyber Command, created in (Horwitz, 2017). Recorded Future noted that 2009, is in charge of cyber-operations and responsible approximately 20% of the DPRK’s malicious cyber- for both defensive and offensive operations. The US activities between April 1, 2017 and the July 1, 2017 Cyber Command is directed by the head of the NSA and transited or originated from India. However, India forms part of the US Strategic Command. However, in announced in April 2017 that it would suspend all trade August 2017, the US President announced that the US with the DPRK except medicine and food (Horwitz, Cyber Command will be converted into an independent 2017). Unified Combatant Command in order to separate it Recorded Future (2017) claimed that the DPRK from the NSA (Baldor, 2017). also had at least a virtual presence in Malaysia, New The NSA is the US intelligence agency responsible Zealand, Nepal, Kenya, Mozambique and Indonesia. for signal intelligence and the security of the US Often, this merely involves activities routing through government’s information systems. The NSA also has these states’ internet infrastructures, and these states the capability to conduct CNO, and Edward Snowden therefore may not be directly involved in the country’s revealed in 2013 that the NSA ran a mass internet cyber-activities (Sanger et al., 2017). surveillance program (Greenwald et al., 2013). Russia also played a supporting role in DPRK In relation to the DPRK, the US conducted cyber-activities, sending computer science teachers to cyberespionage campaigns against the DPRK and had the DPRK to teach hacking techniques (Park, 2016b). implants in DPRK networks, but also tried to develop a Russia also provided the DPRK with a new internet malware similar to to stop or slow down the connection, which may enable the DPRK to reduce its DPRK’s nuclear missile program (Sanger and Broad, sole reliance on Chinese infrastructures and balance 2017). The DPRK repeatedly accused the US of having these with Russian infrastructures (Crowdstrike, 2018). launched cyberattack on its internet infrastructures. Iran signed a sharing agreement on nuclear and cyber technologies with the DPRK in 2012. Kaspersky Lab China reported that some cyberattacks attributed to the Lazarus Group were technically similar to the The direct role of the Chinese government in cyberattack on the Saudi Arabian oil company Aramco DPRK cyber-activities is difficult to evaluate. The DPRK attributed to Iran (Baumgartner, 2014). It is possible that used Chinese internet infrastructures to conduct Iran helped the DPRK to develop and improve its cyber cyberattacks, but it is difficult to verify whether the capabilities (Sanger et al., 2017). Chinese government is aware of or directly supports such activities. DPRK hackers operated from various Non-state actor cities in China such as Shenyang and Dangong. DPRK internet infrastructures are basic and limited, so by Anonymous is the only non-state actor involved using Chinese facilities DPRK hackers gain access to in cyber-activities with the DPRK. Anonymous is a better internet infrastructures and DPRK officials are decentralized cyberactivist group that supports internet able to deny any involvement in cyberattacks (Chanlett- freedom and freedom of speech. Anonymous launched Avery et al., 2017). The DPRK also sent hackers to an operation against the DPRK in 2013 that caused a Chinese universities to study computer science and series of DDoS and other cyberattacks on DPRK websites hacking techniques (Kim, 2018; Libicki, 2017). The South and networks. Members of Anonymous also hacked into Korean government reported that approximately 30 the and accounts of a DPRK news agency DPRK software and hardware companies were located and posted messages and pictures criticizing Kim Jong- in the Chinese city of Dalian. South Korean authorities un (Brodkin, 2013; Williams, 2013a, 2013b). warned that software and hardware coming from this region of China was probably compromised and 3.2 Targets implanted with built-in backdoors (Mansourov, 2014). Targets of malicious cyber-activities in relation to Other states the DPRK were numerous and diverse. This Hotspot Analysis report classifies these targets into four groups: The cybersecurity firm Recorded Future (2017) targets in South Korea, which represent the majority of observed that DPRK cyber-activities were often victims of cyberattacks; targets in other states, which conducted from other countries’ territories and mainly consist of the US; international financial targets, reported that DPRK hackers had a strong physical which, in contrast to the other targets, are targeted for presence in India. The DPRK and India have close financial rather than political motives; and targets in the diplomatic and trade relations, and India is the DPRK’s DPRK. main economic partner. The DPRK also sends students

11 Cyber disruption and cybercrime: The Democratic People’s Republic of Korea

Targets in South Korea messaging system to transfer US$81 million to an account in the Philippines (Chanlett-Avery et al., 2017). The main targets of DPRK cyber-activities were The DPRK regime also used WannaCry, a South Korean institutions. The DPRK targeted a wide ransomware that indiscriminately targeted unpatched range of South Korean victims: South Korean Windows system users, in order to generate revenue. government officials and websites, businesses, media, Hackers managed to raise approximately US$140,000 in financial institutions, critical infrastructures, defense Bitcoin, but did not collect it, probably because this industries, think tanks and cryptocurrency exchanges. would have been too easy to track (Nakashima, 2017). DPRK motivations in targeting South Korea are mostly DPRK cyber actors have shown an interest in political and strategic. This broad spectrum of targets is cryptocurrencies since 2017, when the DPRK started to consistent with the DPRK’s asymmetric strategy and mine Bitcoins. DPRK-associated hackers have also sent aligns with the country’s strategic interests. The DPRK spear phishing emails to cryptocurrency exchanges wants the unification of the Korean peninsula under (Guerrero-Saade and Moriuchi, 2018; Recorded Future, North Korean leadership, and its strategy includes a 2017). rapid invasion of the southern part of the peninsula. The use of cybertools to compromise critical infrastructures, Targets in the DPRK industries and government institutions therefore falls within this strategy (Libicki, 2017). Targeting industries, Motivated by a desire to maintain control over think tanks and government institutions could also serve the population and perpetuate the regime, the DPRK the purpose of espionage, while targeting media and regime also used cybertools to spy on its citizens government websites serves to disrupt and erode (Mansourov, 2014). citizens’ morale (Sanger et al., 2017; Sin, 2016). However, the DPRK has also been a target of cyberattacks. It has been assumed that the US targeted Targets in other states the DPRK nuclear missile program, the DPRK intranet and the RGB with cyberattacks. However, the lack of While South Korea is clearly the main target, the information coming out of the DPRK renders the DPRK started to target other states in 2014. The US was verification of such cyberattacks difficult. The US attacks the most intensively targeted state, with DDoS attacks could be in retaliation for DPRK cyberattacks on US on US government websites and spear phishing on targets, although the alleged cyberattacks on the DPRK critical infrastructures operators and defense nuclear missile program would have been aimed at contractors. The most elaborate cyberattack from the stopping the program or slowing it down (Sanger and DPRK on US soil was the Sony hack. The US represents a Broad, 2017). strategic target for the DPRK due to its status as a Great Power and its foreign military presence on the 3.3 Tools and techniques peninsula. However, the Sony hack served a different goal than the other politically and strategically Cyber-activities related to the DPRK have mainly motivated cyberattacks (Lewis, 2017), as its aim was to consisted of spear phishing emails, DDoS and the use of preserve the image of the DPRK leader by preventing the malware. The first two techniques do not require release of a movie showing the assassination of Kim extensive expertise in computer sciences. However, the Jong-un. The same motive was observed in the latter requires greater knowledge and resources to cyberattack on the British broadcaster Channel 4 develop custom-built malware. (Sanger et al., 2017). Spear phishing International financial targets Spear phishing is a technique used to obtain login A unique aspect of DPRK cyber-activities is their credentials from or infect the computer of a targeted targeting of financial institutions to generate revenue victim. The attacker sends an email or message and circumvent economic sanctions. It is the only containing an attachment or a link, which appears to instance where a cyber state actor has been observed to come from a trusted contact. When the target opens the employ cyberattacks for financial gains. DPRK hackers attachment, this downloads malware without the user’s have launched cyberattacks against several banks in Asia knowledge. The malware then creates a backdoor in the (Bangladesh, Vietnam and Philippines) and also in user’s system, allowing the perpetrator to access the Europe (Poland) since 2014 (McAskill et al., 2017; Sanger user’s computer. A link may also take the user to a et al., 2017; Wilder, 2016). The most impressive website encouraging them to download content cyberattack was the Bangladesh Central Bank heist, infected with malware. Or, a link may take the user to a where DPRK hackers infected the Bangladesh Central webpage that looks like a trusted login page where the Bank network with malware and used the SWIFT global user would enter their login credentials. Once the

12 Cyber disruption and cybercrime: The Democratic People’s Republic of Korea

perpetrator has obtained the login information, they are Lazarus Group (Baumgartner, 2014; Hayashi, 2014; able to login in the name of the target. The main goal of Novetta, 2016). spear phishing attacks is therefore to gain access to a computer or an account. DOGCALL Spear phishing has been frequently observed in the context of the DPRK’s development of cyber DOGCALL14 is a backdoor used by Scarcruft since capabilities, often as a first step in a cyberattack, as September 2016. The malware is usually delivered specifically targeted persons receive spear phishing through spear phishing emails using a vulnerability in emails and click on links or download attachments, the Word Processor, a Korean-language word inadvertently granting intruders network access. For processor widely used in South Korea. DOGCALL can example, the Lazarus Group has used spear phishing take screenshots and register keystrokes of users emails against US defense contractors, US electrical without their knowledge. This malware communicates engineering companies and Bitcoin users (Auchard, with attackers and receives commands through 2017; Center for Strategic and International Studies, compromised cloud service providers. This backdoor 2018). was deployed against South Korean government and military networks in 2017, but also featured in other Distributed Denial of Service spear phishing campaigns (FireEye Inc., 2018; Mercer and Rascagneres, 2018). Prior to 2014, the DPRK mostly used Distributed Denial of Service (DDoS) attacks, where DPRK hackers Hangman would render websites inaccessible to users by overloading them with internet traffic. DPRK hackers Hangman15 is a backdoor Trojan that grants and the Lazarus Group used this technique to shut down remote access to compromised computers. The Lazarus South Korean and US government and media websites. Group has been using the Hangman malware against The goal of DDoS attacks is to disrupt and/or harass South Korean targets since 2013. It is usually delivered targets (Chanlett-Avery et al., 2017; Jun et al., 2015). through spear phishing emails, but can also be dropped in systems by other malware (US-CERT, 2017). Malware

Jokra The DPRK developed and used various malware applications to further its strategic goals. The Lazarus Jokra16 is a Trojan malware that wipes data from Group is known to have reused some earlier malware computer hard-disks. It was used in the DarkSeoul code to build new malware. The following list describes cyberattack in March 2013 and was attributed to the a sample of malware attributed to the DPRK11. Lazarus Group (Constantin, 2013; Meyers, 2017;

Novetta, 2016). DDoS-KSig

MYDOOM and Dozer The DDoS malware DDoS-KSig12 is a Trojan used to perform DDoS attacks on specific websites. It also has MYDOOM is a worm that is spread via email and the ability to download other files or malware, to modify peer-to-peer networks to drop other malware (Ballano files and to overwrite hard drives. This malware is Barcena and O Murchu, 2009). It was used in tandem attributed to the Lazarus Group and was used in the with Dozer, a Trojan that performs DDoS attacks DDoS attack against South Korea in March 2011 (Lelli, (Ballano Barcena et al., 2009). Both malware 2011; Novetta, 2016). applications were used in the July 2009 cyberattacks on

South Korean websites attributed to the Lazarus Group Destover (Guerrero-Saade and Moriuchi, 2018; Novetta, 2016).

13 Destover is a Trojan used to open backdoors in infected computers, but can also overwrite hard disks. It shares technical similarities with , the malware used in the cyberattack against Aramco in 2012. The malware was used in the Sony hack attributed to the

11 A more detailed list is provided in Annex 2. 14 DOGCALL is also called ROKRAT (Cisco Talos). 12 DDoS-KSig is also called Fibedol (Windows Defender), QDDOS (Trend 15 Also named Volgmer and TEMP.Hermit. Micro) and Koredos (Symantec). 16 Jokra is also known as MBRKill (Sophos and Trend Micro). 13 Destover is also calledAgent.gqah (Kaspersky), and Escad (Windows Defender).

13 Cyber disruption and cybercrime: The Democratic People’s Republic of Korea

WannaCry 4 Effects

WannaCry, the first ransomware paired with a This section examines the effects of cyber- worm, exploited a Windows vulnerability named activities in relation to the DPRK both at the domestic EternalBlue. This vulnerability was discovered by the level of state actors and at the international level. At the NSA but later stolen and leaked by the Shadow Brokers domestic level, this report analyzes how the DPRK uses (Crowdstrike, 2018). A first version of WannaCry found cyberspace to spy on its own citizens and examines the in February 2017 shared some code with the Destover economic repercussions of cyberattacks conducted on malware (Guerrero-Saade and Moriuchi, 2018). financial institutions as well as resulting technological WannaCry spread to 200,000 computers in over 150 innovations. countries. This ransomware demanded US$300 worth of At the international level, the analysis explains Bitcoin from each infected user in return for having their the role of cyber-activities in international relations and computers unlocked again. A British cybersecurity the DPRK’s strategy regarding its nuclear missile expert stopped the spread of this malware by program. incidentally discovering the WannaCry kill switch (Gibbs, 2017). The United Kingdom, the US, Kaspersky Lab and Symantec attributed the ransomware to the Lazarus 4.1 Social effects Group (McAskill et al., 2017; Nakashima, 2017). At the domestic and social level, DPRK cyber- activities serve several purposes. It is difficult to obtain Android malware accurate information on DPRK actions against its own

citizens; however, it can be assumed that cybertools Reports stated that the Lazarus Group also would be used for international as well as domestic targeted smartphones. In 2017, McAfee reported that a purposes. While it is difficult for outsiders to access fake Android Bible study app in Korean contained a information about DPRK domestic affairs, it is just as backdoor. The fake app shared command and control difficult for DPRK citizens to access international news, infrastructures with malware of the Lazarus Group. This as the DPRK government tightly controls access to such app is the first known activity of the Lazarus Group on information. In the DPRK, only the elites are able to Android smartphones (Han, 2017; Uchill, 2017). connect to the worldwide internet. The domestic intranet, named Kwangmyong, is reserved for university students, scientists and selected government officials, but is not connected to the global internet. The DPRK government strictly controls the content of the intranet, which is only composed of a few websites on universities and government news. The DPRK dedicates extensive resources to ensuring that its population remain unable to access the global Internet and to maintaining its Intranet infrastructures (Chanlett-Avery et al., 2017; Mansourov, 2014; Recorded Future, 2017). Reuters reported in 2017 that the DPRK developed tools to spy on its citizens using smartphones (Pearson, 2017). The DPRK government allowed the development of domestic smartphones with limited features, but while this gave DPRK citizens easier access to technology, it also made them more prone to surveillance (Chanlett-Avery et al., 2017; Recorded Future, 2017). The DPRK is determined to maintain strict control over internet access and to spy on its citizens, aiming to assure the survival of the regime and to unify the peninsula under DPRK leadership. Controlling citizens’ access to information is a way to ensure the perpetuation of the Kim dynasty, and withholding outside sources of information from DPRK citizens helps to prevent them from questioning the legitimacy of DPRK elites.

14 Cyber disruption and cybercrime: The Democratic People’s Republic of Korea

4.2 Economic effects including damage to companies’ reputation, also need to be taken into account (Kenig, 2013; NSFocus Inc., Economically, the DPRK is subject to tight 2016). At the same time, DDoS attacks caused economic international sanctions for developing nuclear weapons damage well beyond the context of DPRK cyber- and therefore limited in the type of goods that it is able activities. Criminal cyberattacks, such as the one on the to export and import. Since the regime consequently Bangladesh Central Bank, showed that poor needed to find new ways to generate revenue for its cybersecurity can have serious economic consequences. nuclear program and to ensure the perpetuity of the Through its cyber-activities, the DPRK has found regime, it identified cyber-activities as a way to access a way to circumvent sanctions and generate revenue. It funds and disrupt the world order with little risk of is unlikely that the DPRK will abandon the use of retaliation or sanctions (Kim, 2018; Sanger et al., 2017). cybercrime for financing its regime. Other states under The economic effects of DPRK cyber-activities are international economic sanctions may also be tempted mainly observed in the form of cybercrime actions. The to follow the DPRK’s approach and explore cybercrime DPRK is the first state actor known to use cybercrime to for themselves. generate revenue for its regime and its nuclear program, as well as to circumvent international sanctions, and this 4.3 Technological effects aspect is therefore unique to the DPRK. Cybermeans constitute a relatively inexpensive option: since no Technological effects of DPRK cyber-activities costly equipment is required to be able to launch consisted mostly in the discovery of new malware cyberattacks, significant revenue can be generated families. Most of the malware linked to DPRK without incurring a substantial risk of retaliation (Libicki, cyberactors was custom-built. These groups developed 2017; Meyers, 2017). malware families themselves and sometimes reused The first stage of state-sponsored cybercrime code from earlier malware in new applications. Novetta targeted South Korean banks, but cybercrime attacks (2016) classified the Lazarus Group’s malware families attributed to the DPRK have expanded to South East and identified which sections of code had previously Asian banks since 2015 and to cryptocurrency exchanges been used in which cyberattacks. since 2017 (Sanger et al., 2017; Sheridan, 2018; Wilder, The techniques observed in DPRK cyber-activities 2016). According to a former British intelligence chief have shown that simple, relatively unsophisticated cited in Sanger et al (2017), annual revenue from DPRK techniques can often do a great deal of damage. DPRK cybercrime activities may be as high as US$1 billion. cyberattacks tended to be tailored to the targets and Targeting cryptocurrency exchanges is a strategic goals they were intended to achieve (Lewis, relatively new development for the DPRK, but in fact 2017). DPRK cyberactors mostly relied on their targets’ constitutes a natural progression. Since vulnerabilities rather than confront them with brute cryptocurrencies are not regulated by nation states and force, with the case of the Bangladesh Central Bank heist are therefore not affected by international sanctions, being a good example of this strategy. Reports stated they are an easy way to generate revenue. In 2017, that the Bangladesh Central Bank’s information network several cyberattacks targeted cryptocurrency exchanges was not protected by a firewall, and the perpetrators of in South Korea (Guerrero-Saade and Moriuchi, 2018), the heist therefore simply exploited inadequate and the South Korean government considered closing cybersecurity to their advantage (Chanlett-Avery et al., some of these exchanges as a result. However, no 2017). reference was made to cyberattacks as a reason for the Finally, DPRK cyberactors have shown growing South Korean government discussing the closure of interest in financial institutions and cryptocurrencies exchanges; rather the main reason given was that over the years. This interest could evolve into a serious trading in cryptocurrencies had become too speculative risk to global finance as an increasing number of and constituted a risk for the national economy (Song individuals and groups invest in such currencies, which and Harris, 2018). have been found to be highly volatile. There have also DPRK cyber- and crime-activities generated been instances of cryptocurrency theft, including one in revenue for the regime and caused losses for the early 2017, when cyberactors associated with the DPRK targeted firms and individuals. DPRK DDoS attacks stole US$7 million from a cryptocurrency exchange targeted several South Korean firms and financial (Guerrero-Saade and Moriuchi, 2018). The DPRK’s institutes, rendering websites unavailable and resulting apparent interest in cryptocurrencies may also act as a in direct financial losses for the commercial firms driver to increase its future cybercrime activities. concerned. These losses have been estimated to reach US$22,000 per minute of unavailability, with the 4.4 International effects average duration of unavailability calculated to be approximately 54 minutes. However, these costs are Cyber-incidents attributed to the DPRK have had only the direct costs, and additional indirect costs, an extensive international impact, affecting not only

15 Cyber disruption and cybercrime: The Democratic People’s Republic of Korea

South Korea, but sometimes the entire world. Also, the retaliation to a cyberattack would seem DPRK’s use of cyberattacks cannot be dissociated from disproportionate, a fact of which the DPRK is well aware. its nuclear strategy and has even been found to risk The DPRK is also aware that other states are anxious angering some of its allies. about potential retaliation using nuclear weapons. These two elements allow the DPRK to act with quasi- Cyberattacks attracting significant international total impunity in cyberspace (Lewis, 2017; Libicki, 2017). attention Yet, while the development of nuclear weapons and cyber capabilities brought the DPRK international Cyberattacks attributed to the DPRK were often attention, the risk of escalating tensions with South highly mediated and visible. The DPRK did not attempt Korea and its main ally, the US, still exists, if a to hide its cyber-activities (apart from cyberespionage cyberattack on a critical US or South Korean campaigns) from its targets and the public; rather these infrastructures could be interpreted as an act of war. cyberattacks were often extensively discussed in the Such an incident could trigger retaliation by either media, although their attribution was not always conventional or unconventional means (Libicki, 2017; unanimously accepted. With these highly visible Lotrionte, 2013). cyberattacks, the DPRK endeavored to disrupt the The US has tried to target the DPRK nuclear peacetime status quo and to provoke South Korea and missile program with cybermeans. However, this choice its allies (Park, 2016b). The goal of such behavior was to of target could have unfortunate consequences, as it remind South Korea that the DPRK is still to be reckoned could threaten the balance of deterrence among other with and ready to fight, even though the DPRK nuclear states. If the US was successful in its cyberattack leadership consistently denied any involvement. on nuclear weapon facilities in the DPRK, Russia and Furthermore, these cyberattacks served psychological China could decide to target US nuclear weapons warfare aims, with the idea being to intimidate the facilities in return, launching either a preventive strike public and suggest that DPRK cyber capabilities are or a cyberattack to prevent the US from also targeting sufficiently well developed to affect critical their own nuclear weapons arsenals with cybertools infrastructures, the government or even individual (Waddell, 2016). citizens in South Korea (Talmadge, 2017). Risks from indiscriminate cyberattacks for the DPRK Cyber-activities as a complement to nuclear strategy The DPRK has acted with impunity in cyberspace, The DPRK’s cyber-activities can be seen to but its boldness may pose a risk to its alliances and complement its nuclear program in an asymmetric partnerships. WannaCry, the most recent significant strategy. The DPRK knows that, in a conventional war, it cyberattack attributed to the DPRK, also badly affected would not be able to win against South Korea and its China, which has been directly or indirectly supporting allies and that the size of its army would not be sufficient DPRK cyber-activities by turning a blind eye to DPRK to compensate for poorer technology. It is therefore hackers operating from its territory and by offering logical for the DPRK to develop an asymmetric strategy, university courses to DPRK hackers. However, for which the development of nuclear weapons and WannaCry severely impacted on Chinese individuals and cyber capabilities are perfectly suited (Park, 2016b; Tosi, the Chinese economy. Any repeat could make China 2017). While the DPRK’s nuclear missile program offers change its mind on its support for DPRK cyber-activities the advantage of garnering international attention and and economic sanctions. China has already reduced its attempts to create a strategic equilibrium with other importation of coal from the DPRK, possibly as a sign of nuclear powers, it has also brought disadvantages in the protest against DPRK cyber-activities (Bennett, 2017; form of international economic sanctions. The DPRK’s Chanlett-Avery et al., 2017; Recorded Future, 2017). cyber-activities have attracted approximately the same China is not the only state that directly or level of international attention as its nuclear program, indirectly supports DPRK cyberattacks, as both India and even with the country denying any involvement, but Russia also play a certain role in DPRK cyber-activities. without the consequence of sanctions (Edwards, 2016; However, indiscriminate cyberattacks such as WannaCry Park, 2016b). may also strain these alliances and partnerships and The DPRK has therefore used its cyber push these states away from the DPRK. While their capabilities with relative impunity, using a narrative of assistance gives the DPRK the option of plausible consistent denial of any involvement in cyberattacks. At deniability, but Western states could also pressure these the same time, the DPRK appears to be aware of its states to force the DPRK into compliance. In 2017, India limits, as it directs its cyberattacks at relatively harmless announced that would comply with international targets to deliver high visibility at low intensity. This fits economic sanctions and limit its exports to the DPRK into its asymmetric strategy, as DPRK cyberattacks (Horwitz, 2017; Recorded Future, 2017). frequently remain at a low enough level not to trigger physical retaliation. In this type of situation, any physical

16 Cyber disruption and cybercrime: The Democratic People’s Republic of Korea

5 Policy Consequences Throughout the past year, actors associated with the DPRK have also targeted cryptocurrency exchanges This section sets out several recommendations and users. States could seek to regulate cryptocurrency focusing on general cybersecurity measures that states exchanges through cybersecurity standards to limit the can take to reduce the risks of being impacted by cyber- risk of theft. activities from actors associated with the DPRK. Even though the DPRK is an untypical cyberthreat actor, the general cybersecurity measures that states can apply 5.3 Monitor the situation are the same as those applicable to other cyberthreat actors. Cyberattacks attributed to DPRK actors have so far mostly targeted South Korean and financial targets 5.1 Improve cybersecurity or specific targets that presented the DPRK regime in a negative light. It has not been possible to establish Malicious cyber-activities related to the DPRK clearly whether there has been any relationship compromised computers either through unpatched between the number of cyberattacks attributed to the vulnerabilities or spear phishing. Therefore, it is DPRK and DPRK missile test launches. Cyberattacks do essential to raise awareness of the need to regularly not appear to have increased either before or after DPRK update software and operating systems. Users need to missile test launches, though (Recorded Future, 2017), better understand the risks of running outdated and states, apart from South Korea, are therefore not software versions or operating systems. Increased directly affected by DPRK cyber-activities. However, awareness of the need for regular updates would reduce states should remain aware of the evolution of the the risk of attacks such as WannaCry causing such DPRK’s nuclear and cyber capabilities. WannaCry spread widespread damage. indiscriminately across the globe, and new, similar Awareness also needs to be raised regarding ransomware may reoccur in the future. Nuclear missiles spear phishing. Users should be trained regularly also have wider geopolitical consequences for states concerning the risks and consequences of spear phishing other than the US and South Korea, and monitoring the emails as well as ways to recognize and flag malicious evolution of these activities would therefore enable emails. Institutions could establish simple standard states to stay ahead and avoid surprises. operating procedures for reporting such emails and enabling users to react quickly whenever malicious emails are identified. The implementation of certain technological solutions could also help users to identify fraudulent emails. The Sender Policy Framework is one example of such a technological solution, as it validates the sender’s identity. Two-factor authentication systems also help to reduce the risk of damage when login credentials are stolen. This method of authentication asks for a second authentication, making it more difficult for malicious cyberactors to access full authentication details.

5.2 Encourage better cybersecurity in financial institutions

Cyber-activities associated with the DPRK have increasingly targeted financial institutions. Such institutions are therefore at a greater risk of cyberattacks from the DPRK than others. States should encourage these institutions and their own central banks to implement the best possible cybersecurity. The Bangladesh Central Bank heist showed that poor cybersecurity can have disastrous consequences. While the SWIFT messaging software was updated as a result, other vulnerabilities in networks connected to the SWIFT messaging system could still compromise the system.

17 Cyber disruption and cybercrime: The Democratic People’s Republic of Korea

6 Annex 1

Non-exhaustive list of cyber-incidents related to the DPRK.

B = Business, CI = Critical Infrastructures, F = Financial institutions, G = Government, M = Media, MIL = Military institutions, O = Others Type of Alleged Date Victim(s) Technique/Tool/Name of operation victim(s) perpetrator Approximately 300 computers and 200 Used proxy computers in China to hack South 04.2004 G/O DPRK servers of South Korean institutions (Mansourov, 2014). Korean institutions South Korean Spear phishing emails containing an attachment 2008 MIL DPRK military officers infected with malware (Cluley, 2008). Operation Boxing Rumble was a cyberespionage 01.01.2008 – campaign that hacked into South Korean exploits DPRK G NSA 19.07.2010 that were already installed on DPRK computers (Gallagher, 2015). South Korean Lazarus 2009 Operation Troy (Novetta, 2016). institutions Group 17 South Korean 04- Lazarus DDoS with the malware Dozer and MYDOOM and US government G 07.07.2009 Group malware (Chanlett-Avery et al., 2017). websites Failed attempt to target a DPRK nuclear missile DPRK nuclear 03.2010 G/MIL USA with Stuxnet-like malware (Waddell, 2016; missile program Zetter, 2015). South Korean 07.07.2010 government and B/G DPRK DDoS (Jun et al., 2015). firms websites 08- DPRK news website M South Korea Hack (Mansourov, 2014). 09.01.2011 Uriminzokkiri Free 17.01.2011 M DPRK DDoS (Mansourov, 2014). Radio 40 South Korean media outlets, The operation was named Ten Days of Rain and financial CI/F/G/ Lazarus 04.03.2011 comprised DDoS attacks (Maness and Valeriano, institutions, critical M/MIL Group 2017; Novetta, 2016). infrastructures and US military entities South Korean Nonghyup National Lazarus DDoS (Chanlett-Avery et al., 2017; Jun et al., 12.04.2011 F Agriculture Group 2015). Cooperative Bank South Korean The wiper malware attack was stopped before Lazarus 09.06.2012 conservative M doing any damage, but the website was defaced Group newspaper (Novetta, 2016). USA and DPRK internet South Korea (Center for Strategic and International Studies, 03.2013 O access (accused by 2018). DPRK)

18 Cyber disruption and cybercrime: The Democratic People’s Republic of Korea

Type of Alleged Date Victim(s) Technique/Tool/Name of operation victim(s) perpetrator 3 South Korean broadcast companies, Jokra wiper - 32,000 computers shut down by Lazarus 20.03.2013 financial F/M/O implants – Cyberattack named DarkSeoul Group institutions and one (Chanlett-Avery et al., 2017). internet service provider 4 South Korean 25.03.2013 media outlets M DPRK DDoS (Jun et al., 2015). websites DPRK websites and DDoS and website defacement (Brodkin, 2013; 03-04.2013 Twitter and Flickr G/M Anonymous Williams, 2013a). accounts Use of the Castov malware to steal credentials South Korean banks Lazarus 05.2013 F and install other malware (Security Response, and their users Group 2017) 25.06.2013 DPRK military G/MIL Anonymous Theft and release of documents (Keck, 2013). 25.06.2013 DPRK websites M/O Anonymous DDoS (Williams, 2013b). 69 South Korean media outlets and DDoS (“South Korea Blames North Korea for 25.06.2013 G/M DPRK government Cyberattack,” 2013). websites Unknown South Korean think (actor with tanks, Ministry of Cyberespionage (Center for Strategic and 09.2013 G/MIL/O probable Defense, and International Studies, 2018; Tarakanov, 2013). links to defense industries DPRK) 140,000 South Korean government 2014 B/G DPRK Hack (Tosi, 2017). and businesses computers South Korean Infected through watering hole websites 2014 media and websites M/O Scarcruft containing the POORAIM malware (FireEye Inc., on DPRK refugees 2018). South Korean transportation Failed attempt to penetrate the network (Tosi, 2014 CI DPRK network control 2017). system Use of malicious gaming application to spy on 19.05.2014 – Smartphones in O DPRK smartphone users in South Korea (Mansourov, 16.09.2014 South Korea 2014). Lazarus Data theft (Center for Strategic and International 08.2014 British Channel 4 M Group Studies, 2018; Sanger et al., 2017). Data theft and Destover wiper (Chanlett-Avery et Sony Entertainment Lazarus 24.11.2014 O al., 2017; Maness and Valeriano, 2017; Novetta, Pictures Group 2016). Intranet shut-down possibly due to a cyberattack 20.12.2014 DPRK intranet G USA (Tosi, 2017). South Korean Data theft (Chanlett-Avery et al., 2017; Maness 24.12.2014 Hydro and Nuclear CI/G DPRK and Valeriano, 2017). Power Spear phishing campaign with a lure document Lazarus 08.2015 South Korean O containing the Hawup RAT (Crowdstrike, 2018, Group 2016).

19 Cyber disruption and cybercrime: The Democratic People’s Republic of Korea

Type of Alleged Date Victim(s) Technique/Tool/Name of operation victim(s) perpetrator South Korean Lazarus 10.2015 government G Spear phishing emails (Novetta, 2016). Group officials 10.2015 Bank in Philippines F DPRK Hack (Sanger et al., 2017; Wilder, 2016). South Korean National Assembly, Hack (Center for Strategic and International 10.2015 Ministry of G RGB Studies, 2018). Unification and the Tien Phong Bank in 12.2015 F DPRK Hack (Sanger et al., 2017; Wilder, 2016). Vietnam 2 South Korean defense contractors 2016 and South Korean G/MIL DPRK Cyberespionage (Sin, 2016). national security officials Bangladesh Central Lazarus 02.2016 F Hack (Chanlett-Avery et al., 2017). Bank Group Smartphones of dozen of South Hack (Center for Strategic and International 03.2016 G DPRK Korean government Studies, 2018). officials Users of Korean- Users who downloaded infected torrent files language torrent 03.2016 O Scarcruft were infected by the malware KARAE, possibly to file-sharing create a (FireEye Inc., 2018). websites South Korean Data theft of South Korean and US classified 04.2016 Defense Integrated MIL DPRK documents (Center for Strategic and Data Center International Studies, 2018; Sanger et al., 2017). 160 South Korean firms and 13.06.2016 B/G DPRK Cyberespionage (Wilder, 2016). government agencies South Korean government and Cyberespionage with the malware HAPPYWORK 11.2016 F/G Scarcruft financial (FireEye Inc., 2018). institutions 02.2017- Lazarus Bitcoin insiders F Spear phishing (Auchard, 2017). ongoing Group Polish financial Lazarus 02.2017 F Hack (Sanger et al., 2017). regulator website Group South Korean 02.2017 cryptocurrency F DPRK Hack (Guerrero-Saade and Moriuchi, 2018). exchange Bithumb South Korean Infection through spear phishing emails 03.2017 government and G/MIL Scarcruft delivering the DOGCALL backdoor (FireEye Inc., military 2018). US defense Lazarus Spear phishing (Center for Strategic and 04.2017 MIL contractors Group International Studies, 2018). Middle East Spear phishing email that delivered the 05.2017 B Scarcruft Company SHUTTERSPEED backdoor (FireEye Inc., 2018). WannaCry ransomware (Chanlett-Avery et al., 12.05.2017 Individuals O DPRK 2017). US Cyber DDoS (Center for Strategic and International 09.2017 RGB G Command Studies, 2018).

20 Cyber disruption and cybercrime: The Democratic People’s Republic of Korea

Type of Alleged Date Victim(s) Technique/Tool/Name of operation victim(s) perpetrator Coinlink Lazarus 09.2017 cryptocurrency F Spear phishing (Auchard, 2017). Group exchange US electrical Spear phishing (Center for Strategic and 10.2017 CI DPRK companies International Studies, 2018; Crowdstrike, 2018).

21 Cyber disruption and cybercrime: Democratic People’s Republic of Korea

7 Annex 2

Non-exhaustive list of malware associated with the DPRK

Cyberattack in Type of Group using which this Malware name Other names Comments and reference malware this malware malware was used Android Android/ Lazarus - spying - (Han, 2017; Uchill, 2017) Backdoor Group17 malware Cyberattack Associated with Duuzer on South Mal/Brambul-A Worm DPRK actor and (Symantec Korea in Security Response, 2015) October 2015 Downloader Cyberattacks and against South Castov Castdos Lazarus Group (Security Response, 2017) credentials Korean banks stealer in 2013 Exfiltration CORALDECK - Scarcruft - (FireEye Inc., 2018) tool

DDoS DarkSeoul Mal/EncPk-ACE Lazarus Group DarkSeoul (Cluley, 2013) malware Ten Days of DeltaAlfa, Rain, (Lelli, 2011; Novetta, DDoS-Ksig Fibedol, QDDOS DDoS trojan Lazarus Group Operation 2016) and Koredos Troy Shared some similarities Agent.gqah, with Shamoon18 and Destover Escad, Wiper, Wiper trojan Lazarus Group Sony hack DarkSeoul malware WhiskeyAlfa (Baumgartner, 2014) Used in attack against South Often seen with the wiper Korean DOGCALL ROKRAT Backdoor Scarcruft RUHAPPY (FireEye Inc., government 2018) and military in 2017 Developed by the NSA and then stolen by the Shadow Brokers. It was used with DoublePulsar - Backdoor Lazarus Group WannaCry the Eternal Blue vulnerability (Crowdstrike, 2018) DDoS against South Korean (Ballano Barcena et al., Dozer - DDoS trojan Lazarus Group and US targets 2009) in July 2009

17 More than 45 malware families have been linked to the Lazarus Group. Not all of them are in this list. For more information see: https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf 18 Shamoon was a wiper malware used in y cyberattacks against the Saudi Arabian oil company Aramco in 2012. The Shamoon cyberattack was attributed to Iran.

1

Cyber disruption and cybercrime: The Democratic People’s Republic of Korea

Cyberattack in Type of Group using which this Malware name Other names Comments and reference malware this malware malware was used Cyberattack Associated with Brambul on South and Joanap (Kaspersky Duuzer Wildpositron Backdoor DPRK actor Korea in Lab, 2017; Symantec October 2015 Security Response, 2015) Used to download the GELCAPSULE - Downloader Scarcruft - malware SLOWDRIFT (FireEye Inc., 2018) Volgmer, Hangman Trojan Lazarus Group - (US-CERT, 2017) TEMP.Hermit Used in attack against South Korean HAPPYWORK - Downloader Scarcruft government (FireEye Inc., 2018) and financial institutions in 2016 Used in a spear phishing Hawup RAT - RAT Lazarus Group campaign (Crowdstrike, 2018, 2016) against South Korean Used in Win32/Weird, JML Virus Virus DPRK cyberattacks (Jun et al., 2015) Win32/JML around 2000 Cyberattack Associated with Duuzer on South Joanap - Trojan DPRK actor and Brambul (Symantec Korea in Security Response, 2015) October 2015 (Constantin, 2013; Jokra MBRKill Wiper trojan Lazarus Group DarkSeoul Meyers, 2017; Novetta, 2016) Delivered through South Korean torrent file-sharing KARAE - Backdoor Scarcruft - websites (FireEye Inc., 2018) Used in a cyberespionag Unknown e campaign Malware family composed Spying (actor with against South of single malware for each Kimsuky - malware probable links Korean think spying activity (Tarakanov, family to DPRK) tanks and 2013). industries in 2013 Launcher for (FireEye Inc., 2018; Mercer MILKDROP PoohMilk Scarcruft - backdoor and Rascagneres, 2018) (Ballano Barcena and O MYDOOM - Worm - - Murchu, 2009) Used against South Korean Delivered through media and POORAIM - Backdoor Scarcruft watering hole attacks websites on (FireEye Inc., 2018) DPRK refugees since 2014

23 Cyber disruption and cybercrime: The Democratic People’s Republic of Korea

Cyberattack in Type of Group using which this Malware name Other names Comments and reference malware this malware malware was used Used to identify a victim’s RICECURRY - Profiler Scarcruft - web browser (FireEye Inc., 2018) Delivered on a computer through the DOGCALL malware and developed by the same developer as DOGCALL and RUHAPPY ERSP.enc Wiper Scarcruft - HAPPYWORK, may be linked to the cyberattack on a South Korean power plant in December 2014 (FireEye Inc., 2018; Mercer and Rascagneres, 2018) Delivered through spear Freenki, phishing emails (FireEye SHUTTERSPEED Backdoor Scarcruft - FreeMilk Inc., 2018; Mercer and Rascagneres, 2018) Used in a Delivered through spear cyberattack phishing emails, SLOWDRIFT - Launcher Scarcruft targeting downloads other malware South Korean (FireEye Inc., 2018) academics Enables microphones and SOUNDWAVE - Recorder Scarcruft - registers audio files (FireEye Inc., 2018) (Guerrero-Saade and SpaSpe - - Lazarus Group - Moriuchi, 2018) Banks in South East Asia and banks in Poland Lazarus Trojan.Banker. Bangladesh (related to the Romeo - Group/ Win32.Alreay Central Bank malware family identified Bluenoroff by Novetta) (Kaspersky Lab, 2017) Shared some code with Ransomwar Destover and Hawup RAT WannaCry - e paired Lazarus Group WannaCry (Crowdstrike, 2018; with a worm Guerrero-Saade and Moriuchi, 2018) WINERACK - Backdoor Scarcruft - (FireEye Inc., 2018) Credential ZUMKONG - Scarcruft - (FireEye Inc., 2018) stealer

24 Cyber disruption and cybercrime: The Democratic People’s Republic of Korea

8 Glossary Torrent file: Any type of file that is shared via the BitTorrent protocol, a peer-to-peer (P2P) sharing Backdoor: Part of a software code allowing hackers to protocol (TechTerms, 2007a, 2007b). remotely access a computer without the user’s Trojan horse: Malware hidden in a legitimate program in knowledge (Ghernaouti-Hélie, 2013, p. 426). order to infect and hijack a system (Ghernaouti- Bitcoin mining: Process of verifying and adding Bitcoin Hélie, 2013, p. 441). transactions to the blockchain, and of creating new Two-factor authentication: A login procedure that Bitcoins (Investopedia, 2018). involves two out of the following three elements: Botnet or bot: Network of infected computers which can something the user knows (e.g. password), be accessed remotely and controlled centrally in something the user has (e.g. card), and something order to launch coordinated attacks (Ghernaouti- the user is (e.g. biometric) (Rosenblatt and Cipriani, Hélie, 2013, p. 427). 2015). Command and Control infrastructure (C&C): A server Virus: Malicious program with the capacity to multiply through which the person controlling malware itself and to impair an infected system. Its purpose communicates with it in order to send commands is also to spread to other networks (Ghernaouti- and retrieve data (QinetiQ Ltd, 2014, p. 2). Hélie, 2013, p. 442). Computer Network Exploitation (CNE): A form of Watering hole attack: Attack where a legitimate website Computer Network Operation (CNO) consisting of is injected with malicious code that redirects users espionage and reconnaissance of a network to a compromised website which infects users architecture through cybermeans (Zetter, 2016). accessing it (TechTarget, 2015). Distributed Denial of Service (DDoS): Act of Wiper: Feature that completely erases data from a hard overwhelming a system with a large number of disk (Novetta, 2016, p. 57). packets through the simultaneous use of infected Zero-day exploit / vulnerabilities: Security vulnerabilities computers (Ghernaouti-Hélie, 2013, p. 431). of which software developers are not aware and Exploit: An attack on a computer operating system using which can be used to hack a system (Karnouskos, a vulnerability of the system or software (Rouse, 2011, p. 2). 2017). Hack: Act of entering a system without authorization (Ghernaouti-Hélie, 2013, p. 433). Malware: Malicious software that can take the form of a virus, a worm or a Trojan horse (Collins and McCombie, 2012, p. 81). Patch: Software update that repairs one or several identified vulnerabilities (Ghernaouti-Hélie, 2013, p. 437). Ransomware: Malware that locks the user’s computer system and only unlocks it when a ransom is paid (TrendMicro, 2017). Remote Administration or Access Tool (RAT): Software granting remote access and control to a computer without having physical access to it. RAT can be legitimate software, but also malicious (Siciliano, 2015). Sender Policy Framework (SPF): Technical system validating email senders as coming from an authenticated connection in order to prevent email spoofing (Openspf, 2010). Spear phishing: A sophisticated phishing technique that not only imitates legitimate webpages, but also selects potential targets and adapts malicious emails to them. Emails often look like they come from a colleague or a legitimate company (Ghernaouti-Hélie, 2013, p. 440). SWIFT messaging system: A messaging platform used internationally in financial transactions. It connects more than 11,000 banking institutions in over 200 countries (SWIFT, 2018).

25 Cyber disruption and cybercrime: The Democratic People’s Republic of Korea

9 Abbreviations 10 Bibliography

Abke, T., 2017. Cyber security a high priority issue for CNO Computer Network Operation South Korea [WWW Document]. Indo-Asia- Pac. Def. Forum. URL http://apdf- DDoS Distributed Denial of Service magazine.com/cyber-security-a-high-priority- issue-for-south-korea/ (accessed 20.02.18). Auchard, E., 2017. Suspected North Korean cyber group DPRK Democratic People's Republic of Korea seeks to woo bitcoin job seekers [WWW Document]. Reuters. URL FBI Federal Bureau of Investigation - USA https://www.reuters.com/article/us-markets- bitcoin-northkorea/suspected-north-korean- GSD General Staff Department - DPRK cyber-group-seeks-to-woo-bitcoin-job- seekers-idUSKBN1E91ZW (accessed 15.02.18). Baldor, L.C., 2017. US to create independent military KPA Korea People’s Army - DPRK cyber command [WWW Document]. ABC News. URL NCC National Cyber Command – South Korea http://abcnews.go.com/Technology/wireStory /us-create-independent-military-cyber- National Cyber Security Center – South NCSC command-48675223 (accessed 19.07.17). Korea Ballano Barcena, M., O Murchu, L., 2009. W32.Dozer National Intelligence Service – South [WWW Document]. Symantec Secur. NIS Korea Response. URL https://www.symantec.com/security_respons NSA National Security Agency - USA e/writeup.jsp?docid=2009-070816-5318-99 (accessed 21.02.18). RAT Remote Access Tool Ballano Barcena, M., O Murchu, L., Itabashi, K., Ciubotariu, M., 2009. Trojan.Dozer [WWW Document]. Symantec Secur. Response. URL RGB Reconnaissance General Bureau - DPRK https://www.symantec.com/security_respons e/writeup.jsp?docid=2009-070814-5311-99 UN United Nations (accessed 21.02.18). Baumgartner, K., 2014. Sony/Destover: mystery North Korean actor’s destructive and past network activity [WWW Document]. Securelist. URL https://securelist.com/destover/67985/ (accessed 21.02.18). BBC News, 2018. Trump and North Korea’s Kim Jong-un to hold “milestone” meeting [WWW Document]. BBC News. URL http://www.bbc.com/news/world-us-canada- 43339901 (accessed 12.03.18). Bennett, C., 2017. North Korean hackers test China’s patience [WWW Document]. POLITICO. URL https://www.politico.com/story/2017/05/16/ north-korean-hackers-test-china-patience- 238473 (accessed 15.02.18). Brodkin, J., 2013. Anonymous hackers take control of North Korean propaganda accounts [WWW Document]. Ars Tech. URL https://arstechnica.com/information- technology/2013/04/anonymous-hackers- take-control-of-north-korean-propaganda- sites/ (accessed 20.02.18). Center for Strategic and International Studies, 2018. Significant Cyber Incidents [WWW Document]. Cent. Strateg. Int. Stud. URL

26 Cyber disruption and cybercrime: The Democratic People’s Republic of Korea

https://www.csis.org/programs/cybersecurity- https://www.theguardian.com/technology/20 and-warfare/technology-policy- 17/may/22/wannacry-hackers-ransomware- program/other-projects-cybersecurity attack-kill-switch-windows-xp-7-nhs- (accessed 25.01.18). accidental-hero-marcus-hutchins (accessed Chanlett-Avery, E., Rosen, L.W., Rollins, J.W., Theohary, 22.02.18). C.A., 2017. North Korean Cyber Capabilities: In Greenwald, G., MacAskill, E., Poitras, L., 2013. Edward Brief (No. R44912). Congressional Research Snowden: the whistleblower behind the NSA Service. surveillance revelations [WWW Document]. Cluley, G., 2013. DarkSeoul: SophosLabs identifies The Guardian. URL malware used in South Korean internet attack https://www.theguardian.com/world/2013/ju [WWW Document]. Nakedsecurity Sophos. n/09/edward-snowden-nsa-whistleblower- URL surveillance (accessed 13.11.17). https://nakedsecurity.sophos.com/2013/03/2 Guerrero-Saade, J.A., Moriuchi, P., 2018. North Korea 0/south-korea-cyber-attack/ (accessed Targeted South Korean Cryptocurrency Users 06.03.18). and Exchange in Late 2017 Campaign (No. Cluley, G., 2008. Sex, spyware and North and South CTA-2018-0116), Cyber Threat Analysis. Korea [WWW Document]. Nakedsecurity Recorded Future. Sophos. URL Han, I., 2017. Android Malware Appears Linked to https://nakedsecurity.sophos.com/2008/09/0 Lazarus Cybercrime Group [WWW Document]. 2/sex-spyware-and-north-and-south-korea/ McAfee. URL (accessed 08.03.18). https://securingtomorrow.mcafee.com/mcafe Collins, S., McCombie, S., 2012. Stuxnet: the emergence e-labs/android-malware-appears-linked-to- of a new cyber weapon and its implications. J. lazarus-cybercrime-group./ (accessed Polic. Intell. Count. Terror. 7, 80–91. 12.02.18). https://doi.org/10.1080/18335330.2012.6531 Hayashi, K., 2014. Backdoor.Destover [WWW 98 Document]. Symantec. URL Constantin, L., 2013. New disk wiper malware linked to https://www.symantec.com/security_respons attacks in South Korea [WWW Document]. e/writeup.jsp?docid=2014-120209-5631-99 PCWorld.com. URL (accessed 21.02.18). https://www.pcworld.com/article/2043241/n Horwitz, J., 2017. India is an unexpected axis of North ew-disk-wiper-malware-linked-to-attacks-in- Korea’s suspect cyber activity. Quartz. south-korea-researchers-say.html (accessed Investopedia, 2018. Bitcoin Mining [WWW Document]. 21.02.18). Investopedia. URL Crowdstrike, 2018. 2018 Global Threat Report: Blurring https://www.investopedia.com/terms/b/bitco the lines between statecraft and tradecraft. in-mining.asp (accessed 21.02.18). CrowdStrike. Jun, J., LaFoy, S., Sohn, E., 2015. North Korea’s cyber Crowdstrike, 2016. 2015 Global Threat Report. operations: strategy and responses. CrowdStrike. Jun, J., LaFoy, S., Sohn, E., 2014. What Do We Know Edwards, W., 2016. North Korea as a cyber threat About Past North Korean Cyber Attacks and [WWW Document]. Cipher Brief. URL Their Capabilities? https://www.thecipherbrief.com/north-korea- Karnouskos, S., 2011. Stuxnet worm impact on as-a-cyber-threat (accessed 15.02.18). industrial cyber-physical system security. IEEE, FireEye Inc., 2018. APT37 (Reaper) The overlooked pp. 4490–4494. North Korean Actor (Special Report). FireEye https://doi.org/10.1109/IECON.2011.6120048 Inc., Milpitas, CA. Kaspersky Lab, 2017. Lazarus Under The Hood. Gallagher, S., 2015. NSA secretly hijacked existing Kaspersky Lab HQ. malware to spy on N. Korea, others [WWW Keck, Z., 2013. Anonymous: We Have Stolen North Document]. Ars Tech. URL Korean Military Documents [WWW https://arstechnica.com/information- Document]. The Diplomat. URL technology/2015/01/nsa-secretly-hijacked- https://thediplomat.com/2013/06/anonymou existing-malware-to-spy-on-n-korea-others/ s-we-have-stolen-north-korean-military- (accessed 21.02.18). documents/ (accessed 06.03.18). Ghernaouti-Hélie, S., 2013. Cyberpower: crime, conflict Kenig, R., 2013. How Much Can a DDoS Attack Cost and security in cyberspace, 1. ed. ed, Forensic Your Business? [WWW Document]. Radware sciences. EPFL Press, Lausanne. Blog. URL Gibbs, S., 2017. WannaCry hackers still trying to revive https://blog.radware.com/security/2013/05/h attack says accidental hero [WWW ow-much-can-a-ddos-attack-cost-your- Document]. The Guardian. URL business/ (accessed 23.01.17).

27 Cyber disruption and cybercrime: The Democratic People’s Republic of Korea

Kim, E., 2014. S. Korea pushes to develop offensive McCurry, J., 2017. Japan buys US missile defence tools [WWW Document]. system to counter North Korean threat [WWW . URL Document]. The Guardian. URL http://english.yonhapnews.co.kr/search1/260 https://www.theguardian.com/world/2017/de 3000000.html?cid=AEN20140219003100315 c/19/japan-buys-us-missile-defence-system- (accessed 20.02.18). to-counter-north-korean-threat (accessed Kim, S., 2018. Inside North Korea’s Hacker Army [WWW 15.02.18). Document]. Bloomberg. URL Mercer, W., Rascagneres, P., 2018. Korea In The https://www.bloomberg.com/news/features/ Crosshairs [WWW Document]. Talos. URL 2018-02-07/inside-kim-jong-un-s-hacker-army http://blog.talosintelligence.com/2018/01/kor (accessed 13.02.18). ea-in-crosshairs.html (accessed 08.03.18). Kim, S., 2017. A Timeline of North Korea’s Missile Meyers, A., 2017. North Korean Cyber Operations: Launches and Nuclear Detonations [WWW Weapons of Mass Disruption [WWW Document]. Bloomberg. URL Document]. 38North. URL https://www.bloomberg.com/news/articles/2 https://www.38north.org/2017/11/ameyers1 017-04-16/north-korea-missile-launches- 11317/ (accessed 12.02.18). nuclear-detonations-timeline (accessed Nakashima, E., 2017. The NSA has linked the WannaCry 25.01.18). to North Korea [WWW Kim, S.Y., 2011. No. 91 “Hackers HQ” Revealed [WWW Document]. Wash. Post. URL Document]. DailyNK. URL https://www.washingtonpost.com/world/nati http://www.dailynk.com/english/read.php?ca onal-security/the-nsa-has-linked-the- taId=nk00100&num=7772 (accessed wannacry-computer-worm-to-north- 20.02.18). korea/2017/06/14/101395a2-508e-11e7- Lelli, A., 2011. Trojan.Koredos [WWW Document]. be25- Symantec. URL 3a519335381c_story.html?utm_term=.e98613 https://www.symantec.com/security_respons 9b2a8c (accessed 15.02.18). e/writeup.jsp?docid=2011-030417-4602-99 N.K. News, 2017. Chronology of North Korea’s missile, (accessed 21.02.18). rocket launches [WWW Document]. Yonhap Lewis, J.A., 2017. The Likelihood of North Korean Cyber News Agency. URL Attacks [WWW Document]. Cent. Strateg. Int. http://english.yonhapnews.co.kr/northkorea/ Stud. URL 2017/04/05/0401000000AEN2017040500700 https://www.csis.org/analysis/likelihood- 0315.html (accessed 09.02.18). north-korean-cyber-attacks (accessed Novetta, 2016. Operation Blockbuster: Unraveling the 1502.18). long thread of the Sony attack. Novetta, Libicki, M.C., 2017. North Korean cyber operations: McLean,Virginia, USA. active, noisy, and lacking strategy [WWW NSFocus Inc., 2016. Distributed Denial-of-Service Document]. Cipher Brief. URL (DDoS) Attacks: An Economic Perspective https://www.thecipherbrief.com/north- (Whitepaper). NSFocus Inc., Santa Clara, CA. korean-cyber-operations-active-noisy-lacking- Openspf, 2010. Sender Policy Framework [WWW strategy (accessed 12.02.18). Document]. Send. Policy Framew. URL Lotrionte, C., 2013. State Sovereignty and Self-Defense http://www.openspf.org/Introduction in Cyberspace: A Normative Framework for (accessed 03.01.17). Balancing Legal Rights. Emory Int. Law Rev. 26, Park, D., 2016a. Cybersecurity Spotlight: South Korea 825–919. [WWW Document]. Henry M Jackson Sch. Int. Maness, R.C., Valeriano, B., 2017. The Dyadic Cyber Stud. URL Incident and Dispute Data, Versions 1.5 https://jsis.washington.edu/news/cybersecuri Incidents only 20 jan. ty-spotlight-south-korea/ (accessed 06.03.18). Mansourov, A., 2014. North Korea’s Cyber Warfare and Park, D., 2016b. North Korea Cyber Attacks: A New Challenges for the U.S.-ROK Alliance. Asymmetrical Military Strategy [WWW McAskill, E., Hern, A., McCurry, J., 2017. Facebook Document]. Henry M Jackson Sch. Int. Stud. action hints at western retaliation over URL https://jsis.washington.edu/news/north- WannaCry attack [WWW Document]. The korea-cyber-attacks-new-asymmetrical- Guardian. URL military-strategy/ (accessed 16.02.18). https://www.theguardian.com/technology/20 Pearson, J., 2017. North Korea uses sophisticated tools 17/dec/19/wannacry-cyberattack-us-says-it- to spy on citizens digitally - report [WWW has-evidence-north-korea-was-directly- Document]. Reuters. URL responsible (accessed 15.02.18). https://www.reuters.com/article/us- northkorea-surveillance/north-korea-uses-

28 Cyber disruption and cybercrime: The Democratic People’s Republic of Korea

sophisticated-tools-to-spy-on-citizens-digitally- Song, J., Harris, B., 2018. Bitcoin tumbles as South report-idUSKBN1690DZ (accessed 22.02.18). Korea plans trading ban [WWW Document]. QinetiQ Ltd, 2014. Command & Control: Financ. Times. URL Understanding, denying, detecting. QinetiQ https://www.ft.com/content/0d5ff7d4-f67d- Ltd. 11e7-88f7-5465a6ce1a00 (accessed 22.02.18). Recorded Future, 2017. North Korea Cyber Activity. South Korea Blames North Korea for Cyberattack Recorded Future. [WWW Document], 2013. . Hamedia. URL Rosenblatt, S., Cipriani, J., 2015. Two-factor http://hamodia.com/2013/07/17/south- authentication: What you need to know (FAQ) korea-blames-north-korea-for-cyberattack/ [WWW Document]. CNet. URL (accessed 14.02.18). https://www.cnet.com/news/two-factor- South Korea to Launch Cyber Warfare Command authentication-what-you-need-to-know-faq/ [WWW Document], 2011. . Army Technol. URL (accessed 14.12.16). http://www.army- Rouse, M., 2017. computer exploit [WWW Document]. technology.com/news/news74048-html/ TechTarget. URL (accessed 20.02.18). http://searchsecurity.techtarget.com/definitio SWIFT, 2018. Discover SWIFT [WWW Document]. n/exploit (accessed 20.02.18). SWIFT. URL https://www.swift.com/about- Sanger, D.E., Broad, W.J., 2017. Trump Inherits a Secret us/discover-swift (accessed 19.02.18). Cyberwar Against North Korean Missiles. N. Y. Symantec Security Response, 2015. Duuzer back door Times. Trojan targets South Korea to take over Sanger, D.E., Kirkpatrick, D.D., Perlroth, N., 2017. The computers [WWW Document]. Symantec World Once Laughed at North Korean Secur. Response. URL Cyberpower. No More. [WWW Document]. N. https://www.symantec.com/connect/blogs/du Y. Times. URL uzer-back-door-trojan-targets-south-korea- https://www.nytimes.com/2017/10/15/world take-over-computers (accessed 06.03.18). /asia/north-korea-hacking-cyber-sony.html Talmadge, E., 2017. North Korea, cyberattacks and (accessed 16.02.18). “Lazarus”: What we really know [WWW Security Response, 2017. Lazarus: History of mysterious Document]. Phys.org. URL group behind infamous cyber attacks [WWW https://phys.org/news/2017-06-north-korea- Document]. Symantec Secur. Response. URL cyberattacks-lazarus.html (accessed 13.02.18). https://medium.com/threat-intel/lazarus- Tarakanov, D., 2013. The “Kimsuky” Operation: A North attacks-wannacry-5fdeddee476c (accessed Korean APT? [WWW Document]. Securelist. 06.03.18). URL https://securelist.com/the-kimsuky- Sheridan, K., 2018. 8 Nation-State Hacking Groups to operation-a-north-korean-apt/57915/ Watch in 2018 [WWW Document]. (accessed 05.03.18). DarkReading. URL TechTarget, 2015. watering hole attack [WWW https://www.darkreading.com/attacks- Document]. TechTarget. URL breaches/8-nation-state-hacking-groups-to- http://searchsecurity.techtarget.com/definitio watch-in-2018/d/d- n/watering-hole-attack (accessed 29.11.16). id/1331009?image_number=3 (accessed TechTerms, 2007a. Torrent [WWW Document]. 14.02.18). TechTerms. URL Siciliano, R., 2015. What is a Remote Administration https://techterms.com/definition/torrent Tool (RAT)? [WWW Document]. McAfee Blog. (accessed 05.03.18). URL TechTerms, 2007b. BitTorrent [WWW Document]. https://securingtomorrow.mcafee.com/consu TechTerms. URL mer/identity-protection/what-is-rat/ https://techterms.com/definition/bittorrent (accessed 04.11.16). (accessed 05.03.18). Sin, S., 2016. Another Tool in the Arsenal [WWW Tosi, S.J., 2017. North Korean Cyber Support to Combat Document]. Cipher Brief. URL Operations. Mil. Rev. 43–51. https://www.thecipherbrief.com/article/asia/ Trend Micro, 2017. Ransomware [WWW Document]. another-tool-in-the-arsenal (accessed Trend Micro. URL 15.02.18). https://www.trendmicro.com/vinfo/us/securit Solon, O., 2017. WannaCry ransomware has links to y/definition/ransomware (accessed 19.02.18). North Korea, cybersecurity experts say [WWW Uchill, J., 2017. North Korea-aligned hackers branching Document]. The Guardian. URL out into mobile phones: report [WWW https://www.theguardian.com/technology/20 Document]. The Hill. URL 17/may/15/wannacry-ransomware-north- http://thehill.com/policy/cybersecurity/36116 korea-lazarus-group (accessed 13.02.18). 6-north-korea-aligned-hackers-branching-out-

29 Cyber disruption and cybercrime: The Democratic People’s Republic of Korea

into-mobile-phones-report (accessed https://www.wired.com/2014/11/darkhotel- 13.02.18). malware,/ (accessed 28.02.18). United Nations Security Council, 2017a. Resolution 2371, S /RES/2371. United Nations Security Council, 2017b. Resolution 2375, S /RES/2375. United Nations Security Council, 2016a. Resolution 2270, S /RES/2270. United Nations Security Council, 2016b. Resolution 2321, S /RES/2321. United Nations Security Council, 2013a. Resolution 2087, S /RES/2087. United Nations Security Council, 2013b. Resolution 2094, S /RES/2094. United Nations Security Council, 2009. Resolution 1874, S /RES/1874. United Nations Security Council, 2006. Resolution 1718, S /RES/1718. US-CERT, 2017. Alert (TA17-318B) HIDDEN COBRA – North Korean Trojan: Volgmer [WWW Document]. US-CERT. URL https://www.us- cert.gov/ncas/alerts/TA17-318B (accessed 21.02.18). Waddell, K., 2016. Is It Wise to Foil North Korea’s Nuclear Tests With Cyberattacks? [WWW Document]. The Atlantic. URL https://www.theatlantic.com/technology/arch ive/2017/03/north-korea-cyberattack-nuclear- program/518634/ (accessed 20.02.18). Wilder, D., 2016. The Cyber Bandit State [WWW Document]. Cipher Brief. URL https://www.thecipherbrief.com/article/asia/ the-cyber-bandit-state (accessed 15.02.18). Williams, M., 2013a. #OpNorthKorea brings more attacks on DPRK websites [WWW Document]. North Korea Tech. URL https://www.northkoreatech.org/2013/03/30 /tango-down-more-attacks-on-dprk-websites/ (accessed 06.03.18). Williams, M., 2013b. Analyzing the June 25 DDoS attacks [WWW Document]. North Korea Tech. URL https://www.northkoreatech.org/2013/06/27 /analyzing-the-june-25-ddos-attacks/ (accessed 06.03.18). Zetter, K., 2016. Hacker Lexicon: What Are CNE and CNA? [WWW Document]. WIRED. URL https://www.wired.com/2016/07/hacker- lexicon-cne-cna/ (accessed 20.02.18). Zetter, K., 2015. The US Tried to Stuxnet North Korea’s Nuclear Program [WWW Document]. WIRED. URL https://www.wired.com/2015/05/us- tried-stuxnet-north-koreas-nuclear-program/ (accessed 28.02.18). Zetter, K., 2014. DarkHotel: A Sophisticated New Hacking Attack Targets High-Profile Hotel Guests [WWW Document]. WIRED. URL

30 The Center for Security Studies (CSS) at ETH Zurich is a center of competence for Swiss and international security policy. It offers security policy expertise in research, teaching and consulting. The CSS promotes understanding of security policy challenges as a contribution to a more peaceful world. Its work is independent, practice-relevant, and based on a sound academic footing.