Understanding the cyber threat from North Korea

Part three of our cyber war series provides insights from MWR’s research, threat intelligence and investigations on cyber statecraft, focusing on North Korea.

In the past six years, North Korea has been held responsible for a number of cyber-attacks causing disruption and financial losses on an unprecedented scale. The devastating impact of WannaCry and North Korea’s continuing nuclear weapons program, despite diplomatic efforts and sanctions, suggests the prospect of conflict extending into the cyber domain is closer than ever. Information security professionals are now expected to be foreign policy analysts, capable of interpreting and predicting the threat foreign states pose, and defending themselves accordingly. This article, the third in a short series [1], provides insights from MWR’s research, threat intelligence and investigations on cyber statecraft, focusing on North Korea.

North Korea – exploiting opportunities short of war

North Korea is perhaps the chief contributor to what the academic Lucas Kello has described as an emerging state of ‘unpeace’ [2], where states and organizations are exposed to a range of harms short of armed conflict. Like Russia, North Korea exploits the cyber domain to pursue its foreign policy goals while denying its opponents the ability to respond effectively. At a high level, its national objectives are:

  • Ensuring the survival of the regime,
  • Displaying power and defending the regime’s reputation internationally,
  • Maintaining domestic control.

These aims are manifested across cyber security incidents attributed to North Korea. For over a decade, the regime has been suspected of involvement in a cyber-espionage campaign against the South Korean defense industrial base. The 2014 attack on Sony Pictures Entertainment remains the clearest example of the regime’s efforts to defend its reputation. Around the same time, UK producers Mammoth Screen identified similar activity while developing a fictional series about a British scientist taken prisoner in North Korea. North Korea has also used cyber tactics to extend its surveillance regime: last year the Hana Center reported the theft of around 1000 records relating to North Korean defectors [3].

Like North Korea’s nuclear weapons program, the ability to launch disruptive cyber-attacks on foreign targets allows the regime to project power and exert influence on the international stage. The WannaCry global ransomware outbreak has since been attributed to North Korea’s cyber force, known as APT38 or the Lazarus group [4]. Once misinterpreted as an extortion attempt gone wrong, the attack heralded a new paradigm in cyber statecraft, marked by indiscriminate disruptive attacks impacting victims beyond traditional targets such as political opponents and supporting industries. The US Department of Justice’s indictment of North Korean hackers is an attempt to curb the regime’s increasingly aggressive cyber activity by denying perceived benefits such as anonymity (for perpetrators) and plausible deniability [5].

Using cyber tactics to overcome sanctions

In the context of a multi-dimensional power struggle, North Korea’s cyber-attacks on financial services institutions are the latest in a series of efforts to alleviate the economic pressure caused by sanctions imposed by a number of countries and international bodies in response to its nuclear program. The regime’s well-documented pursuit of alternate revenue streams has featured currency counterfeiting [6], narcotics production and distribution [7], and smuggling [8]. Between 2015 and 2016, APT38 launched a wave of attacks over the SWIFT banking network, generating hundreds of millions of dollars in hard currency. Since then, focus appears to have shifted towards cryptocurrencies, including conning investors through Initial Coin Offerings (ICOs) and attacks on cryptocurrency exchanges. Research by Kaspersky Lab demonstrates the sophistication of APT38’s operations against exchanges, including supply chain compromise and the creation of macOS malware, a first for the group [9]. While cryptocurrencies remain loosely regulated, attacks are expected to continue.

The targeting and tradecraft demonstrated in these operations suggest the regime is keen to minimize the political fallout from revenue-generating operations, in marked contrast to the disruptive attacks mentioned above. North Korea focuses operations in nations that are less determined in imposing sanctions, or that otherwise lack geopolitical leverage over the regime [10]. MWR investigations, corroborated by other security companies, indicate APT38 undertakes meticulous planning and anti-forensic actions (for example, log deletion and remotely wiping infected devices) to undermine attribution.

Yet cyber-attacks are just one of the security challenges created by North Korea’s effort to generate revenue while bypassing international sanctions. Research by the James Martin Center for Nonproliferation Studies (CNS) reveals North Korea’s commercial information technology (IT) industry has operated overseas, largely unnoticed, for decades. Its global network includes a myriad of front companies, intermediaries, and foreign partnerships that facilitated entry into public- and private-sector supply chains worldwide [11].

What should organizations do to defend themselves?

While we are not at (cyber) war, and the prospect of a cyber-attack escalating into armed conflict is remote, organizations can take steps to mitigate the threat from North Korea:

  • Optimize threat and vulnerability management, including emergency patching, to minimize exposure to automated attacks leveraging publicly disclosed vulnerabilities.
  • Develop and utilize intelligence sharing platforms and relationships with law enforcement and cyber security agencies to enrich threat hunts and improve understanding of the latest TTPs.
  • Rehearse organizational response to a disruptive cyber-attack, utilizing recent examples of wormable malware infections.
  • Fintech organizations and others offering cryptocurrency related services should develop the capability to predict and detect attacker behavior commensurate with APT38’s modus operandi.
  • Factor open source intelligence (OSINT) analysis into supply chain risk assessments to determine provenance of third parties.


[2] Kello, L., The Virtual Weapon and International Order (2017), Yale.

[10] Affected regions include Bangladesh, India, Vietnam, Indonesia, Thailand, Latin America, Iraq, and African nations such as Ethiopia, Kenya, Nigeria, South Africa, and Gabon.