The possible meeting between the U.S. and North Korean governments marks the first that leaders from both nations have officially talked. Beyond the impact on the relationship between the U.S. and North Korea, these talks could influence geo-political situations across the world as well as how countries conduct their cyber operations. In a series of blog posts, Cybereason will explore the challenges surrounding this potential meeting as well as how these talks could influence global foreign policy and hacking campaigns.
The upcoming negotiations between North Korea, South Korea and the U.S. are having a distinct impact on how the Democratic People’s Republic of Korea executes its cyberprogram. In an effort to control the negotiations, the Kim Jong-Un regime is likely altering the targets of its cyberprogram. While this development marks a fundamental change in the program, it does not reduce the threat faced by the U.S. and South Korea in the run up to the talks.
Traditional espionage
The operational tempo and the diversity of targets of the espionage part of the program is going to increase, especially against the U.S. No one has a good sense of what the Trump administration is thinking headed into these talks and the North Koreans are going to try to figure out the administration’s perspective as best they can. This means the North Koreans will target think tanks, political operatives and government institutions such as the Department of Defense and the State Department more than they have in the past.
Also, they are likely to burn zero-day exploits in these campaigns as gaining access to anything that might inform the negotiation is now a paramount issue. We’re unlikely to see a significant increase in traditional espionage against South Korea. There might be a slight bump in operations, but given the established policy on inter-Korean issues and the access to South Korean networks traditionally enjoyed by the DPRK, there is less of a pressing need for new operations. If there is any demonstrable change, it will likely be a decrease as more assets are brought to bear against the U.S.
Computer Network Attack
The hackers associated with attack operations are likely being operated as a deterrent/reserve force. North Korea needs to have as many options as possible to gain leverage against the U.S. and to a lesser extent South Korea. Military forces capable of conducting destructive attacks will likely be going after critical infrastructure and key resources in the U.S. and South Korea, not as a precursor to attack but as enhanced deterrence.
The transition from low and slow intrusions to executed attacks will be completely dependent on how the talks progress. They’ll likely only become a real threat if the process breaks down in a way that is a personal affront the Kim Jong-Un or a fear emerges that the conversation is a delay tactic for a military solution. The ascension of John Bolton to national security advisor has likely increased skepticism in North Korea about the sincerity of the talks and increased the desire to be able to hold assets at risk. The regime wants options but is not likely to use them without something going very wrong.
Kleptostate
As a result of U.S. sanctions, Kim Jong-Un cannot afford to forego money generation. However, the targets will shift. North Korea will likely steer clear of large-scale operations that directly target U.S. and South Korean financial institutions and large crypto exchanges because these campaigns are needless provocation, especially when there are plenty of other - and frankly easier - targets in the world. Expect nuisance cybercrime - low-level scamming, small and inefficient ransomware campaigns against individuals - to continue against South Korea.
Power utilities, policy institutes, water treatment facilities, public transit, rail networks, even the government itself are likely to see a spike in activity as the North Koreans seek to buttress their negotiating position. This will create a threat profile that is uncharacteristic of well-publicized North Korean hacking behavior. The increased use of advanced tools and exploits will provide the first real litmus test of how far the program has evolved and showcase the best of North Korea's hacking abilities. The information security community needs to be ready for this evolution and take advantage of these months of posturing to understand and deconstruct that threat North Korea seeks to leverage.