While attacks attributed to Russia and China most frequently make the news, North Korea continues to have significant success online, driven by a single-minded mission and a lack of consequences for the small nation.
In the latest incident to be uncovered, an online attack linked to North Korea stole classified military documents, including war plans drawn up by South Korea and the U.S., according to a South Korean lawmaker quoted by multiple news organizations. The data, part of a massive haul of 235 gigabytes taken during an intrusion spanning the months of August and September 2016, was only recently identified as the South Korean government pieced together what was taken.
Lee Cheol-hee, a South Korean lawmaker and member of the parliamentary defense committee, said that attackers had infiltrated the Defense Integrated Data Center, according to The Washington Post. The stolen data includes war plans and a scheme to assassinate North Korean dictator Kim Jong-un in the event of war, according to the South Korean lawmaker. The attack happened last year, but only 20 percent of the documents have so far been identified.
The theft is only the latest in a long list of aggressive cyber-operations blamed on North Korea. The nation’s cyber squads—in particular, one known to researchers as the “Lazarus group”—are thought to be responsible for stealing and destroying data from South Korean companies in 2013, leaking and destroying data from Sony Pictures in 2014, and stealing $81 million from the central bank of Bangladesh.
“It’s surprising how much activity there is out there from North Korea,” said Chris Doman, a security researcher at security firm AlienVault, who has focused on the nation’s capabilities. “There are quite a few groups out there and thousands of individuals being trained, but we’ve seen signs that they are sharing malware.”
North Korea has seemingly embraced the asymmetrical nature of cyber-operations. One reason: With only limited internet infrastructure, the nation has very little to lose from launching cyber-attacks and much to gain.
The attacks, for example, also allow the country to circumvent sanctions by stealing funds and information of value. Attacks attributed to groups in North Korea have targeted South Korean companies and government agencies to drain bank accounts and bitcoin wallets, as well as steal sensitive government and technology secrets. The spread of the WannaCry ransomware in May 2017 has also been attributed to the North Korean Lazarus group.
“About 90 percent of this activity is targeted at South Korea,” AlienVault’s Doman said. “But then there is the scary random chaos, such as WannaCry.”
While attribution of online actors is difficult, a variety of security experts have linked North Korea to the attacks with a high level of certainty.
“Lazarus is not just another APT (advanced persistent threat) actor,” security firm Kaspersky Lab stated in an April 2017 analysis. “The scale of the Lazarus operations is shocking. It has been on a spike since 2011 and activities didn’t disappear after” they were outed in a 2016 research paper on Operation Blockbuster.
However, Kaspersky Lab's products have been connected with nation-state activity as well. On Oct. 11, U.S. officials said Russian intelligence had used Kaspersky Lab’s security software to steal information from companies.