
Cyber Brief: North Korean Cyber Operations

Published: May 2, 2018

Edited by Michael Martelle

For more information, contact:
202-994-7000 or nsarchiv@gwu.edu

In light of significant recent developments on the Korean Peninsula, this week’s brief highlights North Korean cyber-operations. While Pyongyang’s nuclear weapons program has drawn the most attention recently, North Korea’s cyber capabilities also represent a significant asymmetric capability, one that has been relied upon both to disrupt enemies of the Kim family and to produce sources of funding through cyber-enabled crime. This brief includes remarks by James Clapper on cyber-deterrence and North Korea given while he was Director of National Intelligence, a significant report by Kaspersky Lab on the North Korea-linked advanced persistent threat (APT) group Lazarus, a letter from Congress to Treasury Secretary Steven Mnuchin expressing concern over Lazarus cyber-operations targeting banks in 18 countries, an alert by the US Computer Emergency Readiness Team (US-CERT) on North Korean botnet activity, and a Congressional Research Service brief on North Korean capabilities in cyberspace.


Office of the Director of National Intelligence, Remarks as delivered by DNI James R. Clapper on "National Intelligence, North Korea, and the National Cyber Discussion" at the International Conference on Cyber Security, January 7, 2015. Unclassified.

In this speech, Clapper uses an anecdote about a trip to North Korea to argue that a form of cyber deterrence would be appropriate for increasing the cost of North Korean cyber operations.

Kaspersky Lab, Lazarus Under the Hood, 2017. Not classified.

This report focuses on a group (Lazarus) whose cyber activities go back at least to 2009, and whose malware has been discovered in a number of serious cyber-attacks (including the 2014 intrusion into the Sony Pictures computer system and a 2013 cyber espionage campaign in South Korea). It reports on the results of the lab's forensic investigations in two geographically dispersed banks.

Robin L. Kelly and James A. Himes, U.S. Congress, Letter to Secretary Steven T. Mnuchin, April 6, 2017. Unclassified.

In this letter to the Secretary of the Treasury, two members of Congress note recent reports that the Lazarus group, a hacking operation linked to the North Korean regime, had targeted banks in 18 different countries. In addition to providing more information about North Korean hacking activities, the authors request a briefing on Treasury Department interaction with private sector organizations to counter such activities.

U.S. Computer Emergency Readiness Team, Alert (TA17-164A), HIDDEN COBRA - North Korea's DDoS Botnet Infrastructure, June 13, 2017. Unclassified.

This alert - intended to help cyber defenders detect malicious cyber activity conducted by the North Korean government (designated HIDDEN COBRA) - contains indicators of compromise, malware descriptions, and network signatures.

Congressional Research Service, North Korean Cyber Capabilities: In Brief, August 3, 2017. Unclassified.

This report surveys North Korea's cyber capabilities, offers potential motivations for North Korea's strategy, and examines four case studies.