
North Korea is relying on the internet more, creating an opening for the US

A new report by Recorded Future, a private cybersecurity company, found that the North Korean regime is growing more reliant on cyber operations as a “critical tool for revenue generation, gaining access to prohibited technologies and knowledge, and operational coordination.” This reality warrants greater scrutiny from Washington and the broader international community. Fortunately, Recorded Future’s report could help the United States and its allies counter North Korean cyber activities, as the report discloses Pyongyang’s key vulnerabilities: North Korea’s increasing cyber activity depends on foreign support for network infrastructure.

Recorded Future found that the network activity of the North Korean regime has increased by 300 percent since 2017. This is likely due to increased bandwidth capacity. In 2017, Russian telecommunications company TransTelecom agreed to provide Pyongyang with a new internet connection that expanded North Korea’s international bandwidth capacity.

A distinct shift in daily internet usage patterns also indicates that Pyongyang places greater reliance on cyber tools. From 2017 to the present, the highest levels of internet usage among the North Korean elite who can access the internet shifted from weekend evenings to conventional work hours on weekdays. This suggests that North Korea’s elite is using the internet for state purposes rather than just for personal use.

North Korea’s surge in computer activity raises several concerns, the most immediate being Pyongyang’s exploitation of cyberspace to evade sanctions. According to Recorded Future, North Korea continues to generate revenue and evade sanctions through cyber thefts from banks and cryptocurrency exchanges, as well as through cryptocurrency mining and other low-level cybercrime schemes. A U.N. Panel of Experts mandated by U.N. Security Council Resolution 1718 to investigate North Korean sanctions evasion activity reported last September that Pyongyang stole hundreds of millions of dollars through these cyber-enabled schemes.

Beyond problems for sanctions enforcement efforts, North Korean cyber activities enhance Pyongyang’s broader asymmetric security capabilities, thereby strengthening its deterrence posture. North Korea has demonstrated its ability to employ destructive malware. The most prominent illustration of this capability occurred in 2013 when North Korean hackers temporarily shut down three South Korean banks using destructive computer viruses. This attack reflected North Korea’s intent to undercut critical components of South Korea’s economy, thereby damaging a primary source of Seoul’s national power.

The Kim regime has not conducted similar cyber-enabled economic warfare against South Korea or the United States since then. However, Pyongyang will likely consider destructive cyberattacks against other critical financial or even energy infrastructure targets to extort political or economic concessions from the U.S. and its allies. This, in itself, is the regime’s emblematic “peacetime provocations” strategy that operates below the threshold of war to extort and coerce its militarily superior adversaries.

The U.S. and its allies should do more to deter the Kim regime’s pervasive and growing cyber activities. The Trump administration’s earlier efforts to do so through Treasury designations of North Korean hacking organizations, as well as judicial indictments against a North Korean computer programmer, have been largely symbolic. It is indeed important to name and shame the North Korean personnel involved. However, the designated and indicted North Koreans have foreign partners, enabling them to conduct their activities while remaining untouched by sanctions or criminal charges.

Recorded Future’s report potentially reveals new entities for investigation and possible sanctions. Specifically, TransTelecom’s newly provided internet connection directly contributed to strengthening Pyongyang’s infrastructure and enabling the 300 percent increase in network activity. The North Korea Sanctions and Policy Enhancement Act (NKSPEA) requires the U.S. government to sanction individuals and entities that are “directed, or provided material support to conduct significant activities undermining cyber security.”

Additionally, Recorded Future noted that North Korea continues to rely on deploying its hackers and programmers abroad to conduct its cyber operations. Based on North Korean internet traffic to and from these countries, the report identified India, China, Nepal, Kenya, Mozambique, Indonesia, Thailand and Bangladesh as potential nations hosting North Korean personnel.

Washington should urge these governments to investigate and expel any in-country North Korean personnel conducting or supporting malign cyber activity. If these governments fail to comply, the United States should be prepared, pursuant to NKSPEA, to impose sanctions on the individuals and companies in these suspect countries for hosting North Korean cyber operatives.

In addition to new sanctions, the United States could also exploit North Korea’s increasing reliance on the internet by employing cyber-enabled information warfare campaigns. In the past, the Kim regime consistently responded with hostility toward the distribution of foreign media and information, because they directly challenge regime legitimacy. Furthermore, since only North Korea’s party and military elite have access to the internet, cyber-enabled information campaigns could help the United States widen critical social fissures within North Korea’s leadership to force Kim Jong Un to re-think his actions.

North Korea gains numerous tactical and strategic advantages by exploiting cyber operations to augment its own asymmetric power. The United States and its allies should therefore take action to target the Kim regime’s cyber vulnerabilities.

Mathew Ha is a research analyst focused on North Korea at the Foundation for the Defense of Democracies (FDD), where he also contributes to FDD’s Center on Economic and Financial Power (CEFP) and Center on Cyber and Technology Innovation (CCTI). FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.
