DPRK Cyber Capabilities

By: Annie Kowalewski, Columnist 

Photo by: ABC News


Much has been written on threats of the North Korean nuclear and missile developments, but the DPRK threatens the United States and regional allies in another domain as well: cyber. It is easy to dismiss North Korea’s cyber capabilities as underdeveloped due to the isolated and controlled nature of internet access in the country. Yet, with help from Chinese and Russian internet servers, North Korean intelligence services and armed forces have developed a robust cyber capability that focuses heavily on offensive cyber operations. The DPRK’s approach to cyberwarfare and capability to conduct offensive cyber operations remains surprisingly sophisticated, and plays an important role in DPRK power projections.

Uses of Cyber, and DPRK Cyber Capabilities

In July 2009, the DPRK conducted a series of coordinated cyber-attacks against U.S. and South Korean (ROK) government websites to collect data about the US-ROK alliance. Websites targeted included those of the White House, Department of Defense (DoD), and the ROK National Intelligence Service.[[i]] Despite eventual evidence tracing these attacks to North Korea’s telecommunications ministry, the DPRK avoided any real retribution for these attacks. Since then, North Korea has seen cyber as a unique opportunity to collect intelligence, coerce other countries, and potentially engage in warfare with little risk or cost to the country. The 2015 Department of Defense’s Annual Report to Congress on Military and Security Developments Involving the Democratic People’s Republic of Korea, the last publicly available assessment of the DPRK’s overall capabilities from the DoD, (hereinafter: 2015 DoD Report) noted that North Korea “likely views cyber as a cost-effective, asymmetric, deniable tool that it can employ with little risk from reprisal attacks.”[[ii]] In line with this view, North Korea has developed a cyber warfare strategy that incorporates elements of network penetration, electronic intelligence, and psychological and information warfare.[[iii]] This indicates that, today, North Korea clearly views cyber as not only a means of intelligence collection, but also a tool for aggressive and offensive action.

Cyber is a unique domain because it allows North Korea to influence the narrative abroad while remaining isolated, to protect the homeland from foreign influence, and to illicitly gather resources to sustain its other military and political projects. First, offensive cyber tools offer an opportunity for North Korea to maintain its isolated position while still engaging in operations abroad, thus incurring little risk. Cyber is a sphere in which North Korea can gain invaluable information and control the narrative about the DPRK abroad without exposing its intelligence services or even domestic North Korean society to the outside world. For example, in September 2016, North Korean intelligence services were reported to have stolen nearly 235 gigabytes of classified military plans from South Korea’s Defense Integrated Data Center, including, as reports of the hack were made public in October 2017, U.S.-ROK wartime contingency planning documents.[[iv]] Two years before, North Korean hackers penetrated Sony in the United States in response to The Interview film, which depicted an assassination attempt on Kim Jung Un.[[v]] While the United States did not stop airing the film, several South Korean theatre chains cancelled their initial viewings in fear of further retribution. In each of these cases, North Korean cyber intelligence was able to achieve its aims without any repercussions due to the difficulties in attribution and uncertain international norms surrounding cyberattacks, further lowering the risk of using offensive cyber operations to collect valuable intelligence and influence other countries.

Cyber is also an important domain that, when protected and exploited, allows the DPRK to skirt sanctions and sustain its domestic economy. For example, the Korean People’s Army (KPA) and its Reconnaissance General Bureau (RGB), or the DPRK foreign intelligence services, are reported to be active on the dark net internet’s black market, which allows the DPRK to trade and engage with the international illicit economy and avoid sanctions restrictions. [[vi]] Such activities include engaging in black market arms sales, selling stolen data, and buying and transferring cryptocurrencies, all of which directly support the Kim regime and DPRK military programs.[[vii]]

The fact that the KPA and the RGB have been able to navigate the dark net despite the strict restrictions on internet access within North Korea demonstrates the sophistication of the North Korean state’s cyber understanding. To support these operations, the KPA and RGB have created the necessary organizational structure and training. Moreover, these organizations also focus on not only using cyber as a platform for trade and intelligence gathering, but also offensive cyber operations. For example, the KPA invests in training “cyber warriors” from a young age. High school students are reported to attend cyber camps and classes where they are taught basics about penetrating network systems and then later, when they attend military academies, are taught to apply these skills to cyber warfare. The KPA’s cyber command may not sit at the same rank as other branches of the KPA armed forces, but its existence reveals how North Korea views cyber as crucial to sustaining the homeland and projecting power.


Despite this cyber strategy and institutional support from the Kim regime, the DPRK military and intelligence services lack the actual capacity to conduct cyber operations independently and the United States has an opportunity to exploit this vulnerability. North Korea is largely dependent on foreign resources for its cyber capabilities, particularly China and Russia. For example, Russian-state owned TransTeleCom is reported to handle around 60% of North Korea’s internet traffic, and Chinese state-sponsored China Unicom has provided North Korea internet access for several years.[[viii]] Several Chinese servers are thought to act as “forward cyber bases” that North Korean intelligence services use to attack Republic of Korea (ROK) servers.[[ix]] This reliance on foreign connection, networks, and software is a great weakness in North Korea’s cyber intelligence operations, as using foreign capabilities leaves North Korea vulnerable to penetration. The United States should take this vulnerability into account when using its national security tools to undermine the DPRK threat, and consider cutting off DPRK access to these servers or implementing secondary sanctions against third-party companies that allow the DPRK to use their servers.








[[i]] Hyung-Jin Kim, “Korean, US Web Sites hit by suspected cyber attack,” Associated Press, July 11, 2009, https://web.archive.org/web/20090711142028/https://www.google.com/hostednews/ap/article/ALeqM5jvH8X8qojQgzc1R8X_5PceTd1nWQD99A5BQ81.

[[ii]] “Annual Report to Congress on Military and Security Developments Involving the Democratic People’s Republic of Korea,” Department of Defense, May 2015, https://www.defense.gov/Portals/1/Documents/pubs/Military_and_Security_Developments_Involving_the_Democratic_Peoples_Republic_of_Korea_2015.PDF, 14.

[[iii]] Frank Cilluffo and Sharon Cardash, “Parsing the North Korean Cyber Threat,” The Diplomat, October 18, 2017, https://thediplomat.com/2017/10/parsing-the-north-korean-cyber-threat/.

[[iv]] Kelsey Atherton, “How North Korean hackers stole 235 gigabytes of classified US and South Korean military plans,” Vox, October 13, 2017, https://www.vox.com/world/2017/10/13/16465882/north-korea-cyber-attack-capability-us-military.

[[v]] Ibid.

[[vi]] Ju-min Park and James Peterson, “Exclusive: North Korea’s Unit 180, the cyber warfare cell that worries in the West,” Reuters, May 20, 2017, https://www.reuters.com/article/us-cyber-northkorea-exclusive/exclusive-north-koreas-unit-180-the-cyber-warfare-cell-that-worries-the-west-idUSKCN18H020.

[[vii]] James Andrew Lewis, “After the Breach: the Monetization and Illicit Use of Stolen Data,” House Committee on Financial Services, March 15, 2018, https://financialservices.house.gov/uploadedfiles/hhrg-115-ba01-wstate-jlewis-20180315.pdf; “North Korea targets more cryptocurrency firms,” Dark Web News, January 5, 2018, https://darkwebnews.com/hacking/north-korea-targets-more-cryptocurrency-firms/.

[[viii]] David Choi, “State-sponsored Russian company is providing internet for North Korea and security experts are worried,” Business Insider, October 4, 2017, http://www.businessinsider.com/north-korea-internet-transtelecom-cybsercurity-russia-2017-10.

[[ix]] Alexandre Mansourov, “Korea’s Cyber Warfare and Challenges for the Alliance,” Korea Economic Institute of America, December 2, 2014, http://keia.org/sites/default/files/publications/kei_aps_mansourov_final.pdf.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.