Since Fifth Domain launched in January, we have brought you stories covering nation-states, associated state proxies and the cyber tactics, techniques and procedures (TTPs) they employ. Much of our coverage has focused on the U.S.'s major cyber adversaries, which include Russia, China, Iran and North Korea.
In January, we analyzed the similarities and differences between the cyberattacks on the Ukraine power grid in December 2016 and December 2015. The threat actor(s) in those incidents is not currently known, but cybersecurity experts suspect it could be Russia or a Russian state cyber proxy, such as Sandworm. Sandworm is known to have developed variants of BlackEnergy, the malware used in both Ukraine grid attacks. Sandworm's involvement in developing the malware does not prove it was involved in the cyberattacks. In fact, Iranian state actors were recently detected using BlackEnergy to attack U.S. defense contractors.
In February, we covered the emergence of Shamoon 2, a cyber proxy with ambiguous ties to Iran. That article highlighted striking similarities in the TTPs used by Shamoon 2 and the original Shamoon attacks, which occurred in 2012. The article also explained how Iran began formulating a national cyber strategy in response to the 2010 Stuxnet cyberattack on its nuclear enrichment program.
Throughout March, we covered congressional hearings on the known Russian threat actors Fancy Bear and Cozy Bear. Cybersecurity researchers have linked Fancy Bear to the Russian military intelligence agency (GRU) and Cozy Bear to Russian Federal Security Service (FSB) and Foreign Intelligence Service (SVR). Both groups played a role in Russia's interference in the 2016 U.S. presidential election and the recent French presidential election. Germany, the Netherlands and the U.K. have all warned that these groups are actively running cyber and information campaigns that target their citizens.
In its annual report, the Finnish security service accused Russia – and Fancy Bear, in particular – of regularly conducting cyber and information operations against Finland over the past year, as well as using IT infrastructure in Finland to launch cyberattacks against other countries. A two-part series (part 1 and part 2) explained how Russia's cyber and information operations grew out of old KGB tactics called "active measures."
From the very beginning, we covered China's three doctrines of warfare, which include psychological, legal and media. In April, we detailed the Chinese People's Liberation Army (PLA) focus on the concepts of informationization (xinxihua) and informationized warfare (xinxihua zhanzheng), which guide its military and strategic thinking, especially in the cyber and space domains. Separately, we covered the first round of U.S.-China talks under the Trump administration, highlighting important strategic and cyber issues, including China's ongoing cyber espionage.
The U.S.-China coverage included the distinct, yet intrinsically China-linked, North Korean cyber threat. We reported on the discovery of the Bluenoroff subgroup within North Korea's most visible cyber operation, dubbed The Lazarus Group. We detailed how Bluenoroff's operation illustrates North Korea's growing interest in hacking for financial profit and its ever-evolving catalog of TTPs. Also, we covered the Lazarus Group's alleged connection to the global WannaCry cyberattack.
In each of these stories, we sought to give you, the reader, an in-depth look at these threat actors and their distinct TTPs. In this piece, we build on those reports, drawing from recent congressional testimony, published cybersecurity research and expert commentary to provide you with a profile for each major U.S. cyber adversary. In doing so, we hope to have created a concise introduction and convenient reference to the distinct motives, narratives, strategies, capabilities and operations of each nation-state threat actor. We also think the similarities, where they exist, will be insightful.
For this piece, we commissioned custom art by U.S. Army veteran and Connecticut-based illustrator D.G. Smith. Each illustration depicts the adversary's distinct historical and strategic – as well as symbolic – cyber presence.
You may not be interested in war, but war is interested in you. – Leon Trotsky
Russian President Vladimir Putin was stationed in East Germany as a KGB officer when some of the earliest visible, eventually fatal hemorrhaging of the Soviet Union began in 1989. The end of the Soviet Era two years later was a source of deep humiliation to Putin and many Russians.
In the decade following the Soviet Union's collapse, Russia endured internal wars (i.e., with Chechnya), unregulated capitalism that resulted in a highly corrupt oligarchy and the near collapse of its currency. Current conditions in Russia are difficult due to an economic recession, international sanctions, socio-cultural tensions and changing demographics.
Putin's primary motivation is to maintain power, to weaken Russia's adversaries and to restore Russia to its former greatness.
While Putin is a former KGB officer and remains loyal to the storied Soviet institution, Russia is a diverse country. The Soviet experience for many Russians – including the majority of non-ethnic Russians – was not necessarily pleasant and therefore is not as effective a unifying narrative as it is for former Soviet insiders, such as Putin.
Putin has therefore adopted narratives that are reminiscent of the pre-Soviet Russian Tsarist Era, including the "Novorossiya" and "Russian Eurasian Empire" narratives. These nationalist narratives are used along with a Western scapegoating narrative, in which Russian woes are largely America's and Europe's fault, not the fault of leadership that has embroiled the country in conflicts that have resulted in economic sanctions and stagnation.
Russia's younger generation – which did not experience life in the Cold War or the humiliation of Russia's capitulation to the West after a 70-year ideological battle – has been portrayed as apathetic to the nationalist narratives, especially those of Soviet greatness. Remarkably, younger Russians turned out for March anticorruption protests in Moscow and nearly 100 other Russian cities in numbers that surprised the Kremlin and many ordinary Russians alike. It's still unclear whether this was a one-off event or if it indicates the younger generation is losing patience with Russian leadership and belief in its narratives.
In early 2013, Chief of the General Staff of the Russian Federation, Valery Gerasimov, published an article that laid out a "new-type" warfare. Dubbed the Gerasimov Doctrine by some experts, it's alternately known by terms such as next-generation warfare, nonlinear warfare and full-spectrum warfare, among others. U.S. academic literature refers to it as hybrid warfare, while the U.S. military refers to it as hybrid threats.
By whatever name, Gerasimov's central proposition was this: "The role of nonmilitary means of achieving political and strategic goals has grown, and, in many cases, they have exceeded the power of force of weapons in their effectiveness."
Hybrid warfare places great emphasis on nonmilitary tactics –such as political, economic, legal and psychological – to achieve its goals. The outcomes of these operations do not cross a threshold that justifies a kinetic response.
In light of this new reality, "The very 'rules of war' have changed," Gerasimov wrote.
A primary goal of Russia's hybrid warfare and cyber strategy is to undermine Western democratic ideals and institutions – including within the U.S., but also among U.S. allies such as the European Union and international organizations such as NATO. Russia calls the peacetime application of these subversive techniques "active measures," which are carried out by the Russian military and security services.
Gerasimov was as keenly aware of "new-type" warfare for offensive purposes as he was of the need to guard Russia against it. Gerasimov cited the Arab Spring that occurred throughout the Middle East in 2009-2010 as a threat to Russia, exploiting as it did the "protest potential of the population." Almost a year to the day after Gerasimov's publication, the threat he had warned of arrived on Russia's doorstep in early 2014 via the Euromaidan Revolution in Ukraine.
Recognizing its domestic vulnerabilities, Russia censors its internet, controls its media and is believed to employ widespread surveillance on its citizens.
Russia is usually cited as the U.S.'s foremost foe in cyberspace. While the Chinese are believed to rival Russia's level of technical, operational and informational capability, Russia has historically shown less reluctance than China to use cyber for aggressive tactics, including cyberwarfare against regional neighbors.
In addition, Russia is believed to employ a broader range of cyber tactics than China in service of its strategic goals. For instance, Russia uses cybercriminal proxies and online information warfare front groups (e.g., fake news, troll factories, etc.) in ways that China does not.
Russia's sophisticated technical capabilities, diverse tactics and willingness to operationalize offensive cyber in furtherance of its sometimes-controversial national interests all factor into Russia's frequent ranking as the U.S.'s top cyber adversary.
In furtherance of its cyber strategy, Russia uses cyber operations in multiple ways. Cyber operations have proven a new, highly effective means and medium for hybrid warfare, which Russia displayed in cyberattacks against Estonia in 2007, the country of Georgia in 2008 and Ukraine from 2014 to present.
In addition, cyber has proven effective in conducting what a pre-cyber KGB historically called active measures. Retired KGB Maj. Gen. Oleg Kalugin summarized active measures as techniques for subversion, with the goal to "weaken the West."
Russian cyber operations often blend elements of intelligence gathering and active measures. A prime example is the 2016 U.S. presidential election, in which Russia used cyber-espionage hacking to gather intelligence from political targets and then used the stolen information in cyber-enabled active measures (e.g., disinformation, front groups, etc.) to subvert the U.S. political process.
Russia also makes extensive use of proxies to carry out cyber operations in furtherance of its goals. The exact connection between these proxies and the government is often ambiguous, as Russian journalists Andrei Soldatov and Irini Borogin have reported over the years.
Perhaps more than any other country, Russia employs cybercriminals in furthering its state goals. For years, cybercriminals affiliated with the Russian Business Network conducted cyberattacks against U.S. and other Western institutions from inside Russia with impunity. Journalist Brian Krebs has reported that convicted hackers in Russia can shorten jail sentences by agreeing to hack for the government.
During congressional testimony in March, former FBI Director James Comey characterized Russian cyber operations as "loud." Comey said Russia "wanted us to see what they were doing."
In its 2017 annual report, the Finnish security service said Russia didn't appear concerned with keeping cyber operations covert. "Most observations were related to an APT28/Sofacy attack in which no particular effort was made to conceal the activity," the report said.
Russia's bold and brazen offensive cyber operations fit with its historically aggressive military posture, particularly during the Soviet Era.
All war is deception. Be extremely subtle, even to the point of formlessness. Be extremely mysterious, even to the point of soundlessness. Thereby you can be the director of the opponent's fate. – Sun Tzu
Until the mid-19th century, China had been the major regional power in Asia. China constituted approximately one-third of the global economy in the years leading up to 1839, the start of the First Opium War with Great Britain. China considers 1839 to mark the beginning of modern Chinese history, which ushered in the Chinese "Century of Humiliation" that was punctuated by a series of "unequal treaties" with Western countries.
Mao Zedong led the Chinese Revolution in 1949, setting out to reverse China's century of decline by radically reforming Chinese society. By and large, Mao's efforts were disastrous and led to the deaths of tens of millions.
Late in Mao's rule, he and President Richard Nixon reopened diplomatic talks, largely orchestrated by former U.S. National Security Advisor and Secretary of State Henry Kissinger and Mao's close advisor Zhou Enlai. The reopening of U.S.-China relations was perhaps Mao's most important strategic accomplishment as Chinese ruler.
Beginning in 1978, Deng Xiaoping led China through a decade of market reforms and modernization. More controversially, Deng started the 863 and Super 863 initiatives, with the goal of legally and illegally acquiring technological knowledge. Successors built on Deng's initiatives to return China to its current place as a major world economy.
China is once again a major regional power in the Asia-Pacific. President Xi Jinping's central foreign policy initiative is "One Belt, One Road," an ambitious regional project to resurrect the ancient Silk Road.
But China's ambitions are not merely regional. They are global.
China is strategic and ambiguous in the use of language and narrative. China doves and hawks can read the same narrative and come to different conclusions. Regardless of interpretation, China's narratives often share common themes.
One recurring theme is that of China's "peaceful rise." This is the narrative most familiar in the West. Doves read the narrative at face value. Hawks, such as China Analyst Michael Pillsbury, note that "peaceful rise" aligns to a strategic principle that dates to the Chinese Warring States period (fifth-third centuries BCE). The principle states that one should induce complacency to avoid raising alarm in an opponent, withholding one's true motives until the optimal moment to strike.
Another common theme is China's "rightful place" as the preeminent regional power and a peer among – if not the leader of – nations. China's rightful place is justified by the superiority of its people, its history, its language and its culture, so the narrative goes. The Chinese idea could be likened to the U.S. version of "American exceptionalism."
The Chinese version of the narrative can be interpreted as deceptively aggressive and has become popular among Chinese generals over the past two decades, according to Pillsbury. The narrative originated with Mao and refers to a "100-year marathon," during which China will reemerge from its "Century of Humiliation" to resume its rightful place as the regional and global hegemon. Chinese military and political leaders mark the start of this 100-year marathon as Mao's ascent in 1949 and ending with China's global dominance by 2049. This version of the narrative also aligns to a longtime strategic principle from the Warring States period, Pillsbury notes. The principle states that long-term patience, stretching decades or more, is often necessary to prevail against adversaries.
More recently, Xi has expressed the concept of the "China Dream," which entails themes of domestic rejuvenation and international preeminence.
China experts and scholars remain split on how adversarial the U.S. should view China. Proponents of U.S.-China relations, such as Kissinger and many in the U.S. business community, do not view the Chinese as inherently adversarial or potentially hostile. Hawks, such as Pillsbury, view China as a serious threat to U.S. influence and interests abroad.
Like other nations, China watched the impressive show of U.S. military dominance in the first Gulf War and realized it could not defeat the U.S. in conventional warfare. In 1999, two colonels in the PLA wrote the book Unrestricted Warfare, which sets out a strategy to use nonmilitary means to achieve geostrategic and military goals.
"When we suddenly realize that all these non-war actions may be the new factors constituting future warfare, we have to come up with a new name for this new form of war," the authors wrote. "Warfare which transcends all boundaries and limits, in short: unrestricted warfare." For the Chinese, these include psychological warfare, media warfare and legal warfare.
In many ways, Unrestricted Warfare merely updated what has long been Chinese military and strategic philosophy, with much of the book based on a blend of Mao's concept of the "People's War" and principles dating back to the Warring States period of Ancient Chinese history. The most well-known work from the Warring States period is Sun Tzu's The Art of War. But according to China scholars, throughout his life, Mao frequently referenced a book of stratagems that date to the Warring States period. Pillsbury has written on the nine principal elements of Chinese strategy that originated during the Warring States period. Many of these strategies underlie Unrestricted Warfare.
Two strategic concepts, in particular, have influenced China's thinking on and use of cyber, specifically. The first is the concept of "informationization," and the second is "active defense."
In recent decades, Chinese military and strategic writers have increasingly referred to the concept of "informationized warfare," which focuses on "information dominance" (zhi xinxi quan) via cyber, electronic and space operations. Experts say informationization is roughly equivalent to the U.S. concept of network-centric warfare. In 2004, at the onset of China's ambitious modernization of its military, then-President Hu Jintao cited the need to fight "informationized local wars," a concept echoed word-for-word by PLA leadership in recent national military strategic guidelines, according to the U.S. Department of Defense.
The second strategic principle that has influenced China's thinking on cyber is "active defense," which the U.S. Defense Department explains as follows:China characterizes its military strategy as one of active defense, a concept it describes as strategically defensive but operationally proactive in orientation. It is rooted in a commitment not to attack, but to respond aggressively once an adversary decides to attack a defense that counterattacks in order to disrupt an adversarys preparations or offensive rather than a defense that reacts passively. The PLA interprets active defense to include mandates for both de-escalation and seizing the initiative.
China's cyber strategy also emphasizes the principles of sovereignty, non-interference and states' rights to control online content, the last illustrated most notably by the Great Firewall of China.
Like Russia, China has developed formidable cyber capabilities over the past two decades. Unlike Russia, China is not known to have used its capabilities in cyberwarfare or to allow cybercriminal proxies to act on the state's behalf in furtherance of its goals.
China has instead focused on extensive, multi-year cyber espionage against the West and the U.S., in particular. China's cyber espionage operations include political and military intelligence gathering, which is viewed as a reality in traditional statecraft, but also more controversially in economic espionage. The scale, scope and duration of China's economic espionage has created friction in U.S.-China relations in recent years.
In terms of technical and operational skill, China most likely rivals Russia.
China's cyber operations are well-resourced and capable of developing and using an array of advanced TTPs. The Project 2049 Institute's Mark A. Stokes, Jenny Lin and L.C. Russell Hsiao detailed much of the PLA's cyber operations structure in its 2011 publication, The Chinese People's Liberation Army Signals Intelligence and Cyber Reconnaissance Infrastructure.
Today, the PLA continues a significant, ongoing, multi-decade initiative to modernize, reorganize and ultimately optimize its operations to the "informationized" environment, in which network-centric warfare is the focus. The publication China National Defense News noted that PLA leaders view networks as an Assassin's Mace (Shashou Jian), an inferior weapon that can deal the decisive blow to a superior adversary. The U.S. Defense Department's 2016 Annual Report to Congress on Military and Security Developments Involving China outlines military changes currently underway.
To date, China has engaged primarily in two types of cyber operation: 1. Cyber espionage; and 2. Gaining and maintaining persistent access to critical infrastructure, such as industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems.
China's cyber espionage is not limited to military intelligence, as Dean Cheng, senior research fellow at The Heritage Foundation's Asian Studies Center, noted in a recent congressional hearing. Chinese espionage goes "far beyond purely military-related information, and includes economic and political information," Cheng said.
The results of China's commercial cyber espionage are remarkable: China is estimated to steal $300 billion worth of intellectual property from U.S. companies annually, resulting in what Gen. Keith Alexander (retired), former director the NSA, has called "the greatest transfer of wealth in history."
Given the advantages that cyber affords – including low relative cost of operations, anonymity, geographic reach and plausible deniability – China will not likely stop its massive, ongoing cyber espionage operations until some factor changes the strategic equation.
Persistent access to adversaries' critical infrastructure positions China to inflict a costly cyber counterattack should military circumstances require it. This capability fits within China's broader military strategy, notably the concept of active defense.
With a strategic emphasis on deception and an operational focus on espionage and covert active defense, China is the quietest of all U.S. cyber adversaries. China prefers to conduct low-profile, low-intensity operations.
Despite extensive research by governments and the cybersecurity industry that documents its cyber espionage activities, China persists in using the anonymity and plausible deniability afforded by cyberspace to deny charges of cyber operations, particularly commercial espionage, against U.S. and Western companies.
In the cyberwar between Iran and America, the defining issue is culture. The world in the 21st century is a world of thoughts and ideas, and not of hardware… Nowadays, America is the symbol of the evil person and the Islamic Republic is the symbol of the divine person. There is no common ground for these two. One of these two must be victorious over the other. – Islamic Revolutionary Guards Corps Brigadier General Second Class Behrouz Esbati, Operations Commander at Iran's Cyber Headquarters
Most international attention on Iran in the 21st Century has centered around its nuclear program. The reasons behind Iran's nuclear ambitions have been explored extensively by scholars and experts, with consensus usually settling on factors such as state security, domestic bureaucratic interests and international power and influence.
Beyond the nuclear program, Iran's regional and international interests entail a program of both aspirational goals (e.g., influence, economics, ideology, alliances, etc.) and defiance – particularly against the U.S. and Israel, but also the West in general.
Experts note that – despite the blatant ideological and religious extremism often present in Iranian rhetoric – the country's leaders, such as Supreme Leader Ayatollah Ali Khamenei and moderate President Hassan Rouhani (who just won reelection), are essentially pragmatic in pursuit of Iran's agenda. Topping that agenda is the preservation of the Khamenei regime.
Much as with motives, Iran's grand narratives entail political, nationalist and religious ideology. The political narrative often centers around themes of Iran's natural place as a world power and its defiance of the West. This narrative is balanced by a nationalist narrative that conveys Iran's aspirational place as the regional hegemon and an equal among the global superpowers.
The religious is more complicated, and experts note that its influence fluctuates with the mix of leadership. Iran's state religion is a brand of Shia Islam known as Twelvers, which has a strong element of Islamic eschatology. Twelvers believe there are 12 divinely ordained imams. The twelfth imam is named Muhammad al-Mahdi, a messianic figure like Jesus Christ in the Christian religion. Twelvers believe that one day the Mahdi will return to distribute justice and to confirm Islam as the dominant world religion.
Experts note that former President Mahmoud Ahmadinejad was influenced more by the Twelver eschatology than either Khamenei or Rouhani, with Ahmadinejad believing Iran must create the conditions necessary in order to prompt the Mahdi's return. Experts say this belief partly explains Ahmadinejad's aggressive rhetoric and provocative actions while he ruled.
Since the 2010 discovery of the Stuxnet cyberattack on its nuclear enrichment program, Iran has sought to formulate a cyber strategy. In recent years, Iran has continued to enhance its cyber capabilities, and cyber may be its weapon of choice in the current strategic environment.
As explained in a 2016 paper by The Washington Institute's Kahn Fellow Michael Eisenstadt, Iran's interest in cyber is three-fold: 1. It fits Iran's strategic culture, particularly "a preference for ambiguity, standoff and indirection when conducting high-risk activities;" 2. The absence of international cyber operations norms, which provides Iran with "margin to maneuver;" and 3. The opportunity to shape cyber norms, in favor of its behaviors.
Elsewhere, Eisenstadt has written that, "Cyber allows Iran to strike at adversaries globally, instantaneously, and on a sustained basis, and to potentially achieve strategic effects in ways it cannot in the physical domain."
As with every other major U.S. adversary, Iran remains watchful and wary of its domestic vulnerabilities, particularly to information operations. The 2009 Green Revolution was a "wake-up call" to Iranian leadership, Eisenstadt wrote, and Iran has viewed cyber as a key defensive tool since, particularly via internet censorship and domestic surveillance.
Iran's technical and operational capabilities do not match Russia's or China's, and it's possible that North Korea currently surpasses Iran, in terms of TTPs. But experts warn that Iran is an emergent cyber power that should neither be ignored nor underestimated.
Most threat intelligence and cyberattack forensics published to date suggests Iran and its cyber proxies still rely on purchasing, stealing or repurposing cyber TTPs developed by others, rather than developing their own. This was most recently illustrated in a report wherein cybersecurity researchers at TrapX observed Iran using the BlackEnergy malware to attack a U.S. defense contractor. Prior cybersecurity research showed the Iran-linked Shamoon group repurposed TTPs used against Iran, including the Flame malware and components of Stuxnet.
Since 2012, North Korea and Iran have been parties to a signed scientific and technology cooperation agreement, according to a 2014 report developed by Hewlett-Packard's security unit.
The discovery of the Stuxnet cyberattack in 2010 changed the way Iran thinks about cyber, experts say. Compared to Russia, China and even North Korea, Iran is most likely lagging in developing and operationalizing its own TTPs.
But the capabilities gap is narrowing quickly due to four factors. The first is the intellectual and innovative abilities of Iran's historically technically gifted population. The second is the ease with which it can purchase, steal or repurpose existing TTPs. The third is a cash infusion and recently lifted economic sanctions in the wake of the nuclear agreement reached with the U.S. and other Western countries. The fourth is the scientific and technological cooperation agreement signed with North Korea in 2012. Similar cyber TTPs have been observed in recent cyberattacks believed to be carried out by Iran and North Korea.
Although Iran is known to engage in extensive domestic surveillance, not much has been published on the extent of its foreign cyber espionage operations. It is unclear whether the dearth of knowledge equates with a lack of capability or a lack of detection. In January, cybersecurity firm Symantec published research on Greenbug, a proxy group conducting cyber espionage throughout the Middle East. Forensics revealed that known Greenbug TTPs were present on computers that had also been attacked by the known Iranian cyber proxy Shamoon 2, although no concrete connection has been established between the Greenbug and Shamoon 2.
To date, cybersecurity research suggests Iran has been more focused on carrying out destructive or disruptive cyberattacks. The most well-known destructive cyberattack was carried out against Saudi Aramco in 2012. The Aramco attack destroyed approximately 35,000 computers using a wiper program.
Research and reports suggest Iran is also developing its capabilities to attack critical infrastructure, as evidenced by a 2013 cyberattack that allowed Iranian threat actors to temporarily take control of a small dam in New York state by compromising the dam's industrial control system (ICS). ICS systems are prevalent in critical infrastructure.
Iran's cyber posture is unpredictable and ranges from disruptive or destructive retaliatory cyberattacks to covert cyber espionage and reconnaissance activities.
As illustrated by the Shamoon attacks, Iran's cyber operations are at times aggressive and indiscriminately destructive, although cyber proxies often carry out operations to provide plausible deniability.
At other times, Iran appears to lay low and engage in covert cyber espionage against international adversaries and surveillance against its domestic population.
I have talked many times, but modern warfare is an electronic warfare. I can say that the victory and defeat of modern warfare depend on how we do electronic warfare. – Kim Jong Il
Since the Korean War, North Korea's stated goal has been to reunify the Korean Peninsula under its rule.
For decades, North Korea and South Korea have remained in a conventional military stalemate. During the first decades following the Korean War, the North held a slight military advantage over the South. Since the 1980s, the balance of power has shifted as South Korea's economy developed and the North's stagnated. The U.S. remains allied to South Korea, with U.S. military assets stationed in the South to further tilt the balance of power.
Since the North began losing its conventional military edge, it took lessons from the Soviets and Maoist China in developing unconventional and irregular warfare tactics, of which cyber, special operations and nuclear weapons are key components.
Today, experts say the North cannot win a conventional military confrontation with South Korea and the U.S., so the North has continued a two-pronged strategy. The first part is a series of ongoing asymmetric provocations that fall just below the threshold justifying a conventional military response. Such provocations include cyberattacks and missile test fires.
The second part of its strategy is to develop a robust hybrid warfare capability, centered around its blitzkrieg-like philosophy roughly translated, "quick war, quick end." Central to its blitz strategy, experts say, would be the rapid destruction or disablement of South Korean and U.S. command and control systems, which would emphasize the use of cyber and electronic warfare.
According to experts, North Korea emphasizes two themes in many of its narratives: 1. A philosophy called juche (ju-cheh), which means self-reliance; and 2. Songun (sun-goon), which is the country's "military first" doctrine. Both serve the single goal of preserving the multigenerational Kim regime.
The concept of juche, or self-reliance, is central to the political philosophy outlined by Kim Il Sung, the first ruler in the Kim dynasty. Juche draws from Marxist-Leninist thought, while adding a distinctly North Korean character. Central to the juche philosophy are principles of strength, independence and defense.
Songun is an ideology that promotes the military above all other institutions in North Korean society. As such, the military receives the lion's share of the country's economic resources. Approximately one-third of North Korea's 25 million population is estimated to serve in some military or paramilitary capacity, making North Korea the fourth largest military in the world (calculated based on active military personnel).
Former North Korean leader Kim Jong Il recognized the importance of cyber, information and electronic warfare as the Information Age dawned. Kim Jong Il was quoted in the classified publication, Electronic Warfare Reference Materials, as saying, "I have talked many times, but modern warfare is an electronic warfare. I can say that the victory and defeat of modern warfare depend on how we do electronic warfare."
In 2013, South Korea's National Intelligence Service Director Nam Jae Joon testified that current leader Kim Jung Un allegedly said, "Cyber warfare, along with nuclear weapons and missiles, is an all-purpose sword that guarantees our military's capability to strike relentlessly."
North Korea's cyber strategy fits within its traditional military strategy, which entails two primary goals, according to a Center for Strategic and International Studies report: 1. To disrupt opponents' conventional military operations, and 2. Peacetime asymmetric methods that disrupt, destroy, exhaust or coerce adversaries, while remaining below the threshold to justify conventional military response.
North Korea is usually estimated to be less sophisticated than Russia or China. It's unclear how North Korea compares to Iran in terms of technical capability. North Korea's cyber operations are formally organized and integrated within its military.
Like Russia and Iran, North Korea is known to use cyber proxies. The most well-known is the hacking collective Lazarus Group, which has been linked to North Korea by multiple cybersecurity researchers. However, the exact nature of the connection between Lazarus Group and the North Korean military (if the two are distinct) remains unclear.
Like Iran, North Korea has been known to use TTPs developed by others. However, cybersecurity researchers have also shown that Lazarus Group – and a subgroup dubbed Bluenoroff – consistently develop and rotate use of new TTPs to avoid detection.
North Korea is also believed to have more established cyber espionage capabilities than Iran presently has, but the exact scope and scale of the North's cyber espionage operations are difficult to estimate.
In 2012, North Korea signed a scientific and technology cooperation agreement with Russia, China, Syria, Cuba and Iran, according to a 2014 report developed by Hewlett-Packard's security unit.
North Korea maintains active and formidable cyber operations. South Korea Defense Security Command Chief Cho Hyun Chun estimated North Korea had approximately 6,800 cyberwarriors in 2016. If true, that number illustrates North Korea's significant investment in cyber, considering defector Jang Se Yul estimated the number to be 1,800 just three years ago.
North Korea's cyber operations are formally organized and integrated within the broader military structure. The Reconnaissance General Bureau (RGB) – of which the infamous Bureau 121 is a part – is more active during peacetime. RGB is responsible for North Korea's non-cyber provocative acts – such as ballistic missile testing – as well as cyberattacks, including the 2014 Sony Pictures hack. RGB is also responsible for North Korea's cyber espionage operations.
The General Staff Department (GSD) oversees conventional military cyber operations and readiness. The GSD would provide the Korean People's Army cyber capabilities in the event of a conventional war, targeting adversaries' technological military systems such as command and control. In December 2016, North Korea hacked South Korea's command and control systems. The purpose of the cyberattack is unclear. Weeks later, the Korea Herald reported that South Korea's Defense Agency for Technology and Quality cited a Pentagon simulation that showed a full-fledged cyberattack from Pyongyang could "paralyze" U.S. Pacific Command.
Based on its philosophy of "quick war, quick end," North Korea is believed to engage in the Chinese equivalent of "active defense" – whereby North Korean hackers gain and maintain persistent access to adversaries' critical infrastructure for quick-strike retaliation to a conventional military attack. It is unclear to what extent North Korea may have already infiltrated U.S. critical infrastructure. Even if North Korea does not maintain persistent access, it's likely capable of launching an effective cyberattack in short order. The Defense Advanced Research Projects Agency recently awarded a contract to develop technology to restore power rapidly following a cyberattack on the U.S. grid.
In addition to RGB and GSD, North Korea maintains a robust technology research and development function to support its military activities.
The one adjective most often used to describe North Korea is provocative. Since the end of the Korean War in 1950, North Korea has never stopped provoking South Korea, regional neighbors or – in recent decades – the U.S.
The highly disruptive and destructive cyberattacks this decade – ranging from the Dark Seoul attack in 2013 to the Sony Pictures hack in 2014 – were designed to get attention.
Given its history and strategy, North Korea will likely continue to be a highly visible, extremely aggressive cyber provocateur, with a penchant for spectacularly disruptive and destructive cyberattacks.
D.G. Smith is a freelance illustrator in Manchester, Connecticut. Some of his clients include The Folio Society, North American Review and the University Press of Mississippi. A complete portfolio is available at www.dgsmithillustration.com.