Reports have surfaced that Bitcoin exchanges in South Korea were recently hit by hackers, possibly from the Democratic People's Republic of Korea (DPRK), according to South Korea's Cyber Warfare Research Center. The Center found that at least one Bitcoin exchange was targeted and that the intrusion was allegedly delivered through a social engineering email campaign.
Despite brash pronouncements, this intrusion was not meant as retaliation for the ongoing war games on the Korean Peninsula, nor was it meant to collect valuable intelligence. Instead, Pyongyang has already mobilized to defend its GDP. It appears that the first shots of the latest round of sanctions fighting have been fired, and they are focused on Bitcoin exchanges rather than on a major heist like the attempts to steal money through the SWIFT network. This rapid reaction to sanctions is likely the first skirmish before much larger operations that require more planning, lead time, and network reconnaissance.
The speed with which the DPRK conducted this operation demonstrates how seriously it is taking this latest round of sanctions. Should China not let up on its enforcement, we are likely to see a significant shift in DPRK assets toward making up the currency shortfall.
Why is this good news? Because it means that the DPRK threat, in totality, will be degraded. By focusing on currency generation, groups that would otherwise be gearing up for network attacks or traditional espionage will be diverted to filling out the bottom line. This reduces the dynamic nature of the DPRK threat: knowing where the threat is going to manifest helps defenders prepare and create more effective strategies to cope with the likely DPRK tool kit.
Banks, financial institutions, and currency exchanges are likely to see a steady increase in malicious and sophisticated intrusion attempts. These will likely be focused on institutions in South Korea, the United States, and Japan (adding a little political flavor to the currency generation). However, the uptick could also occur in countries where network security is largely weak: parts of South and Southeast Asia, the Baltics, and potentially even parts of Africa.
To date, we have not seen the DPRK combine destructive attacks with currency generation. Given current tensions and the potential desire to retaliate for perceived assaults on the regime, the DPRK has the latent capacity to conduct a heist and destroy the victim's network on the way out. The likelihood of this combination is low, but it is not zero. Such a scenario would cause significant problems from both an attribution and an economic standpoint, depending on which institution was hit, how it was attacked, and how much money was stolen.