North Korean Cyberattacks Can Inspire Other Rogue Nations

June 24, 2021 | Yana Blachman

North Korea, officially the Democratic People’s Republic of Korea (DPRK), is one of the leading cyber threat actors active today. Its cyber capabilities are an extension of the state’s national objectives and military strategy. The lack of global safeguards, combined with low cost, low risk and potentially high yield, makes cybercrime a natural choice for the North Korean regime, which has successfully pioneered a new model of state-sponsored cybercrime that could become a dangerous blueprint for other rogue states to follow.

As a nation under great international financial and political pressure, North Korea has a long history of bringing capital into the country by illicit means and has relied heavily on illegal activities to evade sanctions, such as counterfeiting; smuggling of metals, gems and cash; arms trading; gambling; and illegal shipping operations. Cybercrime is merely an expected extension of this strategy and corresponds with the state’s larger approach and national goals. As such, cybercrime has become a primary means of revenue generation for North Korea, helping the state to operate outside international sanctions and ensure the continuation of the Kim Jong-Un regime. The North Korean leader sees cyberwarfare as “an all-purpose sword that guarantees the North Korean People’s Armed Forces ruthless striking capability, along with nuclear weapons and missiles.”

North Korean advanced persistent threat (APT) groups leverage cybercrime to finance the state’s nuclear development side by side with their intelligence collection and espionage campaigns. North Korean APT groups have carried out countless cyberattacks in over 30 countries, with a reported 300% increase in the volume of activity since 2017. The attack campaigns have targeted several sectors, including energy, finance, government, industry, technology and telecommunications. Since January 2020, North Korean threat actors have targeted these sectors in Argentina, Australia, Belgium, Brazil, Canada, China, Denmark, Estonia, Germany, Hong Kong, Hungary, India, Ireland, Israel, Italy, Japan, Luxembourg, Malta, the Netherlands, New Zealand, Poland, Russia, Saudi Arabia, Singapore, Slovenia, South Korea, Spain, Sweden, Turkey, the United Kingdom, Ukraine, and the United States.

Some estimates suggest that cybercrime profits for North Korea may amount to as much as $1 billion each year. According to the UN Security Council, as much as $2 billion has already made its way directly into the nation’s weapons program.

The cybercrime model of North Korea could create a blueprint for other nations to develop similar programs. Without international action, this could result in escalating cyber guerrilla warfare, putting all nations at significant risk.

As I mentioned in a media alert today, “The world needs to start taking this threat more seriously. North Korean attacks are often more brazen and reckless than those sponsored by other states because they are not afraid of getting caught—this makes them particularly dangerous. North Korea has thrown the entire rule book out the window and that gives the cybercriminals it sponsors free rein to engage in highly destructive, global attacks, such as the WannaCry ransomware attack on Windows users worldwide, which was the first destructive attack at that scale, affecting more than 200,000 users across at least 150 countries. North Korea is setting an example that other rogue states can follow; states such as Belarus can see that cybercrime offers them a way of countering the worst effects of sanctions, while making themselves more of a threat to the wider community.”

Sporadic and opportunistic attempts by other rogue countries have already been reported. Chinese state-backed APT groups, such as APT27 and APT41, are known to monetize their targets using ransomware or other means as part of larger cyberespionage campaigns. In Russia, some evidence suggests that the military’s cyber units use military resources and infrastructure to create cash flow and funds for corrupt individuals in the military. Although these activities are most likely motivated by personal financial gain or hobbyist interest and are not part of a larger national strategy, it may only be a matter of time until these states adopt the North Korean model.

DPRK cyber operators support operations for multiple APT groups that likely share malware and resources through the military-affiliated Reconnaissance General Bureau (RGB). These groups, including Lazarus Group, APT37, APT38 and Kimsuky, are known to target businesses and governments worldwide with targeted and destructive attacks. Some of the groups’ operations focus almost exclusively on developing and conducting financially motivated campaigns against international entities, using methods such as ransomware, ATM cashout schemes, cryptomining and cryptocurrency theft, and even cyber bank heists. The $101 million heist from the Bangladesh Bank via the SWIFT banking system is one example.

Several of these attacks are characterized by their use of code signing certificates, which serve as machine identities making it possible for businesses to trust the software they use. North Korea is one of the top threat actors out there. Being part of the national strategy, its cyber capabilities are very advanced—making the use of machine identities and complicated supply chain attacks only natural.

In a campaign published in November 2020, Lazarus Group used stolen code signing certificates to execute a sophisticated supply chain attack on users of financial services and governmental websites in South Korea. Lazarus, active since 2009 and reportedly responsible for the attack against Sony Pictures Entertainment in 2014, leveraged code signing certificates stolen from two legitimate South Korean security companies, one of which had been issued to the US branch of a South Korean security company, and executed a novel supply chain attack involving software that South Korean users are required to install when accessing government or financial services banking websites.

North Korea’s use of code signing machine identities makes its attacks particularly hard to defend against. Stealing code signing machine identities equips North Korean cybercriminals with the ability to pass off their own malicious software as legitimate software from a genuine developer. It also enables them to execute devastating supply chain attacks. The problem is that there’s currently not enough awareness and security around the importance of machine identities. This lack of focus allows North Korean cybercriminals to take advantage of a serious blind spot in the software supply chain. Without more co-ordination and collaboration among businesses and governments to address the tactics used by North Korean cybercriminals, these threats will only get worse, and other global pariahs will sense their own opportunities.
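The blind spot described above is that a signature which verifies cryptographically is not the same as a signature from a publisher you actually trust. The following PowerShell audit is an added example (not code from the original post or from Venafi): it walks a directory of executables with the built-in `Get-AuthenticodeSignature` cmdlet and flags any binary whose signature chain is valid but whose signer thumbprint is not on an allowlist of vetted publishers. The thumbprints in the allowlist are constructed placeholders and the `$Path` default is an assumption; substitute your own.

```powershell
# Added example: find validly signed binaries from publishers we have not vetted.
# The allowlist thumbprints are constructed placeholders, not real certificates.
param(
    [string]$Path = "$env:ProgramFiles",
    [string[]]$TrustedThumbprints = @(
        "0000000000000000000000000000000000000001",   # placeholder: vetted vendor A
        "0000000000000000000000000000000000000002"    # placeholder: vetted vendor B
    )
)

function Test-SignerTrust {
    param([string]$FilePath, [string[]]$Allowed)

    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    $result = [ordered]@{
        File    = $FilePath
        Status  = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer  = $null
        Verdict = $null
    }

    if ($sig.Status -ne 'Valid') {
        # Unsigned or tampered: Windows itself will not vouch for this file.
        $result.Verdict = "REVIEW: $($sig.StatusMessage)"
        return [pscustomobject]$result
    }

    $cert = $sig.SignerCertificate
    $result.Signer = $cert.Subject

    if ($Allowed -contains $cert.Thumbprint) {
        $result.Verdict = 'OK: signed by an expected publisher'
    }
    else {
        # This is the case the post warns about: the chain verifies, so the file
        # "looks signed", yet the machine identity behind it is not one we vetted.
        # A stolen but unrevoked certificate lands exactly here.
        $result.Verdict = 'ALERT: valid signature from an unexpected publisher'
    }
    return [pscustomobject]$result
}

Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SignerTrust -FilePath $_.FullName -Allowed $TrustedThumbprints } |
    Where-Object { $_.Verdict -notlike 'OK*' } |
    Format-Table -AutoSize
```

Feed the ALERT rows into your certificate inventory so that a newly seen publisher becomes a review item rather than an implicit trust decision.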

The Venafi Machine Identity Threats Model helps protect your organization by utilizing the power and knowledge of the security community to remain aware and alert of the latest cyber threats and potential malicious actors.

About the author

Yana Blachman

Yana is a Threat Intelligence Specialist at Venafi and has worked in the field for the last 7 years. Yana’s expertise includes tactical and operational threat analysis, threat hunting, and Dark Web intelligence.
