Should your business worry about North Korean cyber attacks?

A hooded figure standing in front of a digital version of the North Korean flag
(Image credit: Getty Images)

The threats from Russia and China are well documented, but it’s important not to overlook a third formidable adversary: North Korea. Known for prolific ransomware attacks including the infamous WannaCry attack, North Korea has been active in this space for years. But recently, its activity is ramping up, especially attacks targeting financial organizations and the supply chain.

In July, Estonian cryptocurrency payments provider CoinsPaid fell victim to North Korean hacking group Lazarus, which stole $37 million in the attack. 

During the same month, Lazarus was also linked to an attack on payments processor AlphaPo, resulting in the theft of $60 million in cryptocurrency.

As well as being responsible for one of the biggest and worst cyber attacks of all time, WannaCry, North Korea was to blame for the 2014 breach on Sony Pictures. So what are the country’s aims, who does it target, and how does North Korea stack up against other nation-state adversaries such as Russia and China?

North Korea is a growing cyber security threat

North Korea is a rapidly developing aggressor with growing capabilities. North Korean attackers breach financial institutions for cash to help lessen the impact of economic sanctions and to fund the country's nuclear ambitions. In fact, the country has become a “world-class” espionage adversary and attacker targeting cryptocurrency and financial services, says Ian Thornton-Trump, CISO at Cyjax. 

North Korea has many enemies – the nation maintains a “belligerent relationship” with countries including South Korea, Japan, and the US, says Thornton-Trump.


State-sponsored groups are “extremely active” and “frequently carry out successful attacks”, he says. “These skilled threat actors have been charged by the government with stealing commercial or military information.”

In many ways, North Korea is cut off from the rest of the world. The only two internet connections into North Korea are provided by Russia and China, offering the two hostile nations the ability to view traffic and use North Korea as a proxy through which to perpetrate cyber attacks, says Philip Ingram MBE, a former colonel in British military intelligence.

North Korea may not be seen as a “top tier” cyber threat country like China, but it is “top of the second tier” and “a very credible threat”, says Ingram. “Its cyber activities are coordinated through the North Korean military and it is responsible for oversight of cyber crime groups such as Lazarus.”

As well as the financial sector, North Korea targets governments and industries including defense and nuclear for espionage, says Ingram. However, Ingram concedes that North Korea is “way behind China and Russia” in the area.

North Korea is shifting its tactics

Recently, North Korean adversaries have increasingly been tied to attacks on the healthcare sector. At the same time, a recent shift in North Korea’s cyber tactics has seen a rise in attacks targeting supply chains.

Adam Marre, CISO at Arctic Wolf, describes how in April this year hackers breached software firm 3CX, allowing the attackers to gain access to a number of multinational firms – including hotel chains and healthcare providers.

Then in July, attackers targeted JumpCloud, attempting to use the firm as a point of entry to gain access to its cryptocurrency clients. “This shows how maturing nation-state hackers are increasingly using smaller organizations to gain access to much larger ones,” Marre warns. Taking these new attack vectors into account, it would be fair to predict that the country’s remit “will continue to expand”, he adds.

Lazarus is the most well-known group associated with North Korea. Other North Korean cyber adversaries include Andariel, APT37, APT38, TEMP.Hermit, Kimsuky, Bureau 121 and Bureau 325. “The names and numbers don’t really matter; what is important is they are all coordinated or are subgroupings of Bureau 121 and Bureau 325 and are government controlled,” says Ingram.

And experts say attacks by all groups are ramping up. There has been an increasing amount of activity from the regime every year, says Mitch Haszard, threat intelligence analyst at Recorded Future’s Insikt Group. “As displayed by the endless reports of new cyber-attacks attributed to North Korea, the regime is having large success in its cyber operations. It has clearly identified cyber as an achievable means to gain information and money.”

Mitigating the North Korean cyber threat

The threat from North Korea is significant, especially if you operate in an industry being targeted by the nation. Taking this into account, the first step is to evaluate if North Korea is in your threat model by assessing if your organization is in a commonly targeted industry, says Haszard.

Businesses at risk should tailor their employee training to the techniques North Korean groups actually use. “The overwhelming majority of North Korean cyber attacks start with social engineering and a phish,” he adds.

With this in mind, he says organizations should train employees on the types of phishing emails they could be sent by North Korean adversaries. “Teach them how to report them, including conducting regular, randomized phishing exercises.”

It doesn’t have to be complex. Businesses don’t need to start from scratch and follow a stringent and specific program, says Marre. However, he says it is important to stay up to date on the latest threat intelligence from governments detailing North Korean cyber activities. “This should include understanding their tactics, techniques and procedures.”

Having a well-defined and practiced incident response plan will also ensure businesses can react “quickly and efficiently” in the face of a potential attack, he says.

At the same time, the general cyber security basics should still apply, adds Marre. This includes making sure all systems, software and applications are updated with the latest security patches. “Implement multi-factor authentication (MFA) on all devices and deploy zero trust models and network segmentation to ensure that hackers can’t move laterally across your network.”

As attacks continue to ramp up, North Korea represents a threat capability that organizations will need to “incorporate into their threat models”, says Thornton-Trump. “Superior cyber hygiene, vulnerability management, supply chain monitoring, secure software development, and a robust threat intelligence program are all required when facing the North Korean threat.”

Kate O'Flaherty

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.