Korea’s missiles program

To stem North Korea’s missiles program, White House looks to its hackers

The Biden administration is doing more to counter North Korean hackers amid concerns their cryptocurrency heists are powering the country’s weapons programs.

By JOHN SAKELLARIADIS

The Biden administration has spent much of the last two years bracing key U.S. networks and infrastructure against crippling cyberattacks from Russia, Iran and China.

But it is following a different playbook as it ramps up its efforts to thwart digital threats from North Korea: Follow the crypto — and stop it.

Convinced North Korea primarily sees hacking as a way to funnel money back to the cash-strapped Kim Jong Un regime, the White House has focused on blocking the country’s ability to launder the cryptocurrency it steals through its cyberattacks.

In the last year, the administration has unveiled a flurry of sanctions against North Korean hacking groups, front companies and IT workers, and blacklisted multiple cryptocurrency services they use to launder stolen funds. Earlier this month, national security adviser Jake Sullivan announced a new partnership with Japan and South Korea aimed at cracking down on Pyongyang’s crypto bonanza — thereby choking off money to its nuclear and conventional weapons programs.

“In countering North Korean cyber operations, our first priority has been focusing on their crypto heists,” Anne Neuberger, the National Security Council’s top cybersecurity official, said in an interview.

The stepped-up effort to blunt North Korea’s cyber operations is fueled by growing alarm about where the fruits of those attacks are going, Neuberger said.

Hacking, she argued, has enabled North Korea to “either evade sanctions or evade the steps the international community has taken to target their weapons proliferation … their missile regime, and the growth in the number of launches we’ve seen.”

Poor regulation and shoddy security in the fast-growing cryptocurrency industry, which is dominated by start-ups, make it an easy target for Pyongyang’s hackers. Because of crypto’s inbuilt privacy features and the fact that it can be sent across borders at the click of a mousepad, it also offers a powerful tool to circumvent sanctions.

North Korea has conducted roughly 100 ballistic missile tests in the last year, and it staged its first intercontinental ballistic missile test in five months on Monday. Between November and August, it also exported more than a million artillery shells to Russia, according to South Korean intelligence services.

U.S. officials increasingly believe the key to slowing that type of activity lies at the intersection of hacking and cryptocurrency.

Last year, Pyongyang-linked hackers stole roughly $1.7 billion worth of digital money, according to estimates from cryptocurrency tracing firm Chainalysis.

And in May, Neuberger estimated that about half of North Korea’s missile program is funded by cyberattacks and cryptocurrency theft.

North Korean hackers “directly fund” North Korea’s weapons of mass destruction and ballistic missile programs, said State Department spokesperson Vedant Patel.

Until recently, North Korea’s cyber prowess has garnered relatively little attention in Washington. Fear of digital strikes spilling over from the conflicts in Ukraine and Gaza, or during a possible Chinese invasion of Taiwan, has overshadowed the issue, experts say.

“People tend to think, … how could the quote-unquote ‘Hermit Kingdom’ possibly be a serious player from a cyber perspective?” Adam Meyers, a senior vice president at cybersecurity firm CrowdStrike, said in an interview. “But the reality couldn’t be further from the truth.”

Pyongyang’s hackers have repeatedly caught Western companies off-guard with their technical ingenuity, an ability to blend old-fashioned spy tricks with cyber operations and sheer brazenness, according to private sector researchers.

And while those who study North Korean cyber operations say their proficiency at stealing cryptocurrency represents a major challenge to the West today, they also argue it would be dangerous to pigeonhole Pyongyang as little more than a money-stealing threat.

By some metrics, North Korea has launched more than a dozen supply-chain attacks in the last year — a sophisticated tactic in which hackers compromise the software delivery pipeline to get nearly unfettered access to a wide range of companies.

The significance of those attacks has been “extremely underplayed in the public,” said Tom Hegel, a threat researcher at cybersecurity firm SentinelOne, because they caused little harm outside the direct victims of the attacks — often individuals or obscure cryptocurrency startups.

But some of the same techniques they’ve honed in targeting those firms could have been used to cause widespread digital disruption, say cybersecurity experts.

In April, researchers at cybersecurity firm Mandiant uncovered that North Korean hackers had pulled off the first publicly known instance of a “double” software supply-chain hack — jumping from one software maker into a second and from there to the company’s customers.

Mandiant assessed the hackers were after cryptocurrency. Had they wanted to, however, the North Koreans could have used tactics like that to inflict “a massive level of damage,” said SentinelOne’s Hegel.

What North Korea “is able to do on a global scale, no one has replicated,” added Mick Baccio, global security adviser at security firm Splunk.

Asked about her level of concern that North Korean hackers had grown more capable and could pivot to destructive activity, Neuberger acknowledged Pyongyang’s hackers are “capable, creative and aggressive.”

But she said the White House was confident the North Koreans are focused on stealing money or intellectual property that could be used for the country’s weapons programs. She also argued that cutting off the profitability of North Korea’s hacks is one of the best ways to deter them.

“The goal is to aggressively cut the profitability of the regime’s hacking,” she said.

North Korea’s proficiency in computer warfare has surprised onlookers for almost a decade now.

They famously burst onto the public consciousness in 2014, when Pyongyang’s operatives hacked into Sony Pictures Entertainment and threatened the movie studio against releasing “The Interview,” a raunchy comedy that portrayed the assassination of Kim Jong Un. Years later, in 2017, they unleashed a self-spreading computer virus that is estimated to have caused billions of dollars in damages in a matter of hours.

But in addition to the growing technical proficiency of North Korean hackers, it is the volume and variety of their activity that has recently alarmed onlookers.

In the last 18 months, U.S. intelligence agencies have warned that Pyongyang is targeting think tanks and academics to collect intelligence and staging ransomware attacks — in which they scramble victims’ data until they pay an extortion fee — against U.S. healthcare companies.

More recently, the Justice Department, FBI and Treasury Department have also accused Pyongyang of dispatching thousands of tech workers to Russia and China, where they secured remote IT jobs with global companies under a false identity, and then funneled their salaries back to the regime.

In one recent case that received little attention outside the region, North Korean hackers conspired with insiders at a South Korean data recovery company to bilk millions from unwitting victims of Pyongyang’s attacks.

Just a fraction of that money appears to have found its way back to Pyongyang, according to South Korean law enforcement. But the scheme dated back to 2017 and involved a variant of ransomware that was not previously linked to Pyongyang.

The case speaks to how creative the country has gotten at finding ways to avoid scrutiny and skirt international sanctions, said Erin Plante, vice president of investigations at Chainalysis.

“It shows that they’re always thinking outside the box, evolving and keeping up with the news in the same way we do, which is a little bit scary,” she said.

Michael Barnhart, a North Korea expert at cybersecurity firm Mandiant, said the scheme was reminiscent of several other operations the country’s hacking forces have pulled off in recent memory — some of which are not yet public.

The common theme, he argued, was how adept Pyongyang has become at mixing cyber operations with more traditional spying and money laundering tactics.

“This is a very, very well-organized criminal family,” he said.