A U.N. Panel of Experts released a report Aug. 30 on North Korea’s continued efforts to evade international sanctions. The media’s coverage of the report focused heavily on North Korea’s cyber-enabled theft of hundreds of millions of dollars. However, the report also sheds light on a potentially more dangerous threat: cyberattacks and reconnaissance operations against banks, financial institutions, and cryptocurrency exchanges.
The U.N. Security Council established the Panel of Experts in 2006 to oversee and report annually on the implementation of all U.N. Security Council sanctions on North Korea. In its latest report, the Panel included a comprehensive annex listing North Korean cyberattacks against a range of financial targets between December 2015 and the present. For example, the report highlighted a North Korean hack of a Chilean company called Redbanc, which connects all of Chile’s ATMs. Rather than a cyber heist, this was a cyber-reconnaissance operation, although the Panel did not point this out, thereby overlooking the incident’s threatening implications.
Cyber reconnaissance refers to infiltrations for the purpose of learning about a target’s internal network environment. Pyongyang’s reconnaissance efforts seek to gain critical information in order to pre-position viruses or otherwise manipulate the network. These viruses could either facilitate cyber thefts or allow hackers to gain more information about an internal network, enabling them to map out more destructive attacks that damage the financial sector of the target country.
North Korean hackers have already demonstrated they can launch paralyzing cyberattacks against foreign banks. In the widely covered DarkSeoul incident of 2013, hackers attacked three major South Korean banks, incurring $800 million in damages by destroying the hard drives of the hacked banks’ computers. Yet the objective of the hackers was not to steal money from these banks. Rather, their intent was to gauge and demonstrate the vulnerability of the South Korean economy to a devastating attack.
Threatening the physical and financial infrastructure of North Korea’s enemies is consistent with the regime’s broader asymmetric security strategy. According to the director of South Korea’s National Intelligence Service, Kim Jong Un said that cyberwarfare will be the North Korean military’s “all-purpose sword” to “strike relentlessly” at its enemies. This statement appears to affirm that Pyongyang views cyber as more than an income-generating tool. Moreover, while Pyongyang’s cyber warriors have not conducted another attack similar to DarkSeoul, the United States, South Korea and the broader international community should prepare for similar assaults.
Fortunately, the U.N. Panel’s call for action on North Korean cyber operations has the potential to generate momentum for both individual and collective action among U.N. member states. The Panel rightly recommended that member states not only highlight the gravity of cyberattacks when drafting future sanctions, but also encourage potential targets, namely banks and cryptocurrency exchanges, to enhance cyber defense.
Since the Panel is responsible only for monitoring sanctions enforcement, actions to deter North Korea’s broad array of cyber operations beyond theft and crime fall within the purview of individual member states. For instance, the U.S. and its allies should consider further offensive cyber operations to deter and restrict North Korea’s cyber aggression. When President Trump took office in 2017, he signed a policy directive that saw U.S. Cyber Command launch offensive cyberattacks against North Korea’s Reconnaissance General Bureau (RGB), which oversees North Korea’s cyber operations.
The U.S. and its allies should also impose additional sanctions on the key financiers of North Korea’s Reconnaissance General Bureau, which oversees North Korea’s cyber operations. While the U.S. Treasury Department and U.N. Security Council have already sanctioned the RGB, its overseas front companies and personnel living abroad allow it to thrive. Fortunately, the U.N. Panel’s numerous reports provide a roadmap for sanctions investigators.
The most notable potential target is a Malaysian company called Global Communications, or Glocom, which sells military technology. Previously, the Panel determined that Glocom was engaged in “patterns of evasion” to exploit multiple overseas bank accounts and local partners in order to move funds on behalf of the RGB. Although Glocom is not directly involved in North Korea’s offensive cyber activity, it directly finances the RGB.
North Korea has invested heavily in cyber operations as a means of achieving national security objectives, such as evading sanctions and learning how to undermine its adversaries through reconnaissance. It is imperative that the U.S. and all U.N. member states build on the momentum generated by the Panel’s findings. Although Pyongyang’s cyber capabilities still cannot pose a formidable threat to the financial infrastructure of the U.S. and its allies, Washington and the international community must act before the danger grows far worse.
Mathew Ha is a research associate focused on North Korea at the Foundation for the Defense of Democracies, where he also contributes to FDD’s Center on Economic and Financial Power and Center on Cyber and Technology Innovation. Follow Mathew on Twitter @MatJunsuk. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.