North Korea's Cyber Warfare Capabilities Detailed in New Report

Despite challenges with lack of resources and aging infrastructure, North Korea is committed to developing cyber warfare capabilities, according to a report published by HP last week.

The United States and other countries have placed embargoes and sanctions against North Korea for its hostility and for violating its citizens' rights. These sanctions make it more difficult to obtain the technology needed to enhance cyber capabilities, but the country doesn't seem discouraged.

According to HP, there are several factors that make it difficult to gather intelligence on North Korea's cyber warfare capabilities. One is the fact that most information comes from United States and South Korean military or agency reports, but they usually don't include classified details such as IP addresses or information on the individual attackers.

Furthermore, many reports coming from South Korea might be biased because of the conflict and tension between the two nations. Another problem is that North Korea is isolated from the rest of the world and the country's Internet infrastructure is under the regime's strict control. The strict supervision of the Web means that there are no rogue actors and that all state-sponsored actors are most likely well trained to avoid inadvertent data leaks, while the isolation enables the government to create confusion and spread disinformation about the regime's capabilities.

On the other hand, the challenges faced by the country in developing its cyber warfare capabilities can provide some useful information. For example, the fact that the Web is strictly controlled by the regime means that independent hacker groups can't operate, so all cyber activity originating in the country can be assumed to be sponsored by the government. North Korea is well aware that any cyber activity traced back to its territory is automatically associated with the government, so many attacks sponsored by the regime are launched from cells in China, the United States, South Asia, Europe and even South Korea.

North Korea also cannot launch distributed denial-of-service (DDoS) attacks because there are only a limited number of outgoing connections. However, this hasn't prevented them from conducting such cyberattacks; they simply use the networks of other nations, or botnets with local command and control (C&C) servers, HP said.

Pyongyang's ability to expand infrastructure and computer network operations is limited by factors like unstable power supplies, monetary deficiencies, and the inability to directly obtain the needed technology due to sanctions.

On the other hand, the human element has potential, HP noted. According to recent reports, North Korea has a total of 5,900 elite cyber warriors, which is a considerable increase compared to two years ago when there were roughly 3,000.

The regime's cyberattacks have been mainly aimed at South Korea and the United States, although the former might often rush to attribute any attack on its infrastructure to North Korea. The operations mostly took place when the U.S. and South Korea conducted joint military exercises, in response to political events, or on other significant dates, the report said.

Most of the attacks allegedly launched by North Korea involved the use of wiper malware. In many cases, the malicious components were specifically designed to disable software produced by AhnLab, a South Korean security firm. While different hacker groups have taken credit for each attack, experts believe that the same entity might have been responsible for all the operations, but assumed different names to throw investigators off track.

"While North Korea’s cyber warfare capabilities pale in comparison to those of wealthier nations, the regime has made significant progress in developing its infrastructure and in establishing cyber operations. The rate of this progress warrants a closer look at North Korea’s motivations, TTPs, and capabilities," HP said.

Unlike North Korea, its main adversaries, the U.S. and South Korea, are high-tech nations. For this reason, Pyongyang's cyber capabilities should not be overestimated. On the other hand, they should not be underestimated either, because the country can leverage less advanced tactics, such as DDoS, to successfully cripple its targets.

The complete report on North Korea's cyber threat landscape is available online.

*Updated to fix an error mistakenly mentioning Seoul instead of Pyongyang

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.