Pyongyang’s sophisticated cyberwarfare arsenal has triggered far less attention and international response than its nuclear and missile weapons, despite having been used repeatedly in attacks against governments, financial institutions, and industries. North Korea has conducted cyber guerrilla warfare to steal classified military secrets, swipe billions of dollars in money and cybercurrency, and inflict extensive damage on computer networks.
U.S. intelligence assesses Pyongyang as one of the top four cyber threats capable of launching “disruptive or destructive cyberattacks” against the United States. During a crisis, it could inflict massive harm on financial, infrastructure, transportation, military, and government computer networks.
Initially, the regime focused on cyber espionage to steal information and cyberattacks to disrupt or destabilize networks related to national defense, nuclear power plants, infrastructure, telecommunications, media, and corporations. But, as North Korea improved the sophistication of its cyber operations and its economic condition worsened, the regime prioritized cybercrimes to evade international sanctions and gain revenue for its nuclear and missile programs.
Pyongyang began with attacks against traditional financial institutions such as banks, engaging in fraudulent interbank transfers and automated teller machine thefts. After the international community took notice of these attacks and improved defenses, the regime shifted to targeting cryptocurrency exchanges.
Cybercrimes are more efficient, cost-effective, and lucrative than Pyongyang’s past illicit activities such as currency counterfeiting, smuggling, and fraudulent pharmaceuticals. The regime’s cybercrimes are global in scope, provide astronomical returns on investment, and are low-risk, since they are difficult to detect and attribute and carry little likelihood of international retribution.
In 2016, a North Korean cyber bank robbery netted $81 million and would have gained an additional $850 million had a bank official not noticed a typographical error in fraudulent bank transfer requests. In 2019, the UN Panel of Experts estimated that North Korea had gained a cumulative $2 billion from cybercrime.
And the spree isn’t over. North Korean hackers stole at least $400 million worth of cryptocurrency in 2021. This April, the FBI announced North Korean hackers had stolen $620 million of cryptocurrency from a video gaming company. Some experts assess that Pyongyang may net $1 billion a year from cyber heists. According to the UN Security Council, the revenue generated from these hacks goes to evade sanctions and support North Korea’s weapons of mass destruction and ballistic missile programs.
More worrisome, however, is the possibility that Pyongyang could inflict even greater damage during a crisis or hostilities on the Korean Peninsula. North Korea could paralyze critical infrastructure systems such as communications, dams, electrical grids, hospitals, nuclear power plants, supply chains, and traffic-control systems. North Korean hackers have targeted railroad companies and airlines, including an automated operating system that controls trains’ speed. Hackers have already jammed airline GPS signals and might seek to take over airplane controls.
Pyongyang could also engage in economic warfare to steal massive amounts of money or undermine the stability of the international financial system or worldwide markets. The regime could conduct ransomware attacks on banks to gain money or to disable or destroy computer networks. They might also flood the SWIFT financial messaging system with fraudulent transactions.
The U.S. Department of Justice assessed that North Korean hacking of virtual currency exchanges and related money laundering “poses a grave threat to the security and integrity of the global financial system.” But, to date, there have been very few UN or U.S. sanctions imposed or legal actions taken against North Korean cyber groups.
Addressing North Korea’s cyber threat should be a U.S. national priority that requires a comprehensive whole-of-government response. Extensive sharing of cyber-threat information among and between the public and private sectors is also critical for improving defenses against North Korean and other hackers. Collaboration and coordination enable a more comprehensive assessment of weaknesses in government, industry, business, financial, and infrastructure computer networks, as well as the identification of technical or methodological fixes.
U.S. defenses are only as strong as the weakest link overseas. The United States should continue and expand efforts to coordinate with foreign governments, law enforcement agencies, and financial regulatory agencies at the national level and, through them, regional and domestic partners. There should also be engagement with foreign financial institutions and businesses to disseminate information on North Korean cyber hacking and money-laundering tactics, techniques, and procedures.
The United States should fully enforce existing laws and assess whether additional legislative and executive actions are needed, including enhanced regulation of cybercurrency exchanges. Washington should ensure that financial entities either fully comply with existing regulations or risk losing their access to the SWIFT financial transaction network or their ability to maintain correspondent accounts in the U.S. financial system.
Justice Department actions against some North Koreans revealed the extent to which they had moved money illicitly through Chinese banks. The Treasury Department should engage with those banks to discern whether they unwittingly facilitated financial crimes (in which case they should be subject to remedial actions) or were complicit (in which case they should be fined, labeled money-laundering concerns, and denied access to the U.S. financial system).
As banks and financial institutions responded to North Korean cyberattacks, Pyongyang shifted toward cryptocurrency exchanges both as targets and as means to launder money. The United States, in conjunction with other nations, should review existing legislation and regulations applicable to cryptocurrency exchanges to ensure sufficient security against cyberattacks and prevent money laundering.
The potential for greater and even catastrophic North Korean cyberattacks against the United States, its partners, and the international financial system raises questions about the proper levels of retaliatory or even preemptive actions against the regime. Given North Korea’s limited exposure to cyberattacks, a U.S. or international response would also need to consider non-cyber tools of national power.
A military response to a non-military cyberattack would be a difficult decision, particularly given the difficulty of conclusively assigning blame for cyber operations. However, NATO leaders agreed in 2014 that a large-scale cyberattack on a member country would be considered an attack on the entire alliance, potentially leading to the invocation of Article V and triggering a military response. Similarly, the United States and Japan agreed in 2019 that, in certain circumstances, a cyberattack could constitute an armed attack for the purposes of Article V of the U.S.–Japan Security Treaty.
North Korea is a direct threat to the security of the United States, its allies, and the international financial system. Pyongyang continues to augment and refine its nuclear, missile, and cyber warfare capabilities. Without a firm response from the United States, the North Korean regime will continue to undermine the effectiveness of international sanctions and could inflict even greater damage during a crisis or military conflict.
Bruce Klingner is a senior research fellow at the Heritage Foundation’s Asian Studies Center. He served as the Central Intelligence Agency’s deputy division chief for Korea.