North Korean nation-state hacker groups, along with Russian, Middle Eastern, and Iranian hacktivists, are among the most prolific active groups seeding digital chaos day in and day out.
But unlike other nation-state groups, North Korean hackers take a markedly different approach.
Under the umbrella of the Democratic People’s Republic of Korea (DPRK) military intelligence organization, coordinated strategies break in two directions: espionage and crypto heists that are allegedly used to fund sanctioned military programs. These fronts are led by groups like Lazarus — who focus on crypto theft at a large scale — while groups like Kimsuky focus on North Korea’s cyber espionage campaigns.
The targets? South Korea, the U.S., its allies, and any organization or individual that is in possession of valuable intelligence for North Korea or stands in the way of their military and political agenda.
Key Takeaways
- North Korea regularly stands accused of using cyberattacks for espionage and financial gain, including claims of funding their WMD programs by stealing secrets and cryptocurrencies through hacking groups like Kimsuky and Lazarus.
- While intended to curb these activities, sanctions may be driving North Korea to cybercrime and pushing the country towards more cyberattacks.
- The FBI and the NSA recommend that organizations protect themselves with DMARC to prevent spear phishing espionage attacks, which Kimsuky uses.
- With sanctions being ineffective and the threat landscape escalating, a new international approach could be the way forward.
NSA Warns Against Kimsuky
On May 2, the Federal Bureau of Investigation (FBI), the U.S. Department of State, and the National Security Agency (NSA) issued a joint advisory warning that the DPRK-linked Kimsuky group was exploiting a new technique to drive a large-scale illegal espionage campaign.
Running spearphishing campaigns, Kimsuky hackers pose as legitimate journalists, academics, or other experts in East Asian affairs with credible links to North Korea policy circles. The group is going after intelligence on geopolitical events, adversary foreign policy strategies, and any information affecting North Korean interests by gaining illicit access to targets’ private documents, research, and communications.
The U.S. Government warned that the operation is sustained and persistent and linked the actions to North Korea’s premier military intelligence organization, the Reconnaissance General Bureau (RGB), which has been sanctioned by the United Nations Security Council.
Crystal Morin, a former linguist and intelligence analyst in the United States Air Force and today Cybersecurity Strategist at Sysdig, a company that secures cloud and containerized environments, spoke to Techopedia about the origin of Kimsuky.
“The Kimsuky threat actor group has been traced back to 2012. I would correlate the rise of this APT with Kim Jong Un’s successor to Supreme Leader of North Korea and appointment of Supreme Commander of the Korean People’s Army.”
“I don’t think this can or has been confirmed, but the timelines line up, indicating that Kimsuky was an idea of Kim Jong Un and his party,” Morin said.
“Their priority is intel gathering. They have a strategic objective, likely similar to NSA, to inform government and military officials and tactical objectives.”
U.N. Says Lazarus and Kimsuky Fund 50% of WMD
While Kimsuky focuses on the intelligence side of North Korean global cyber warfare operations, Lazarus group continues to reap illegal financial gains through cyberattacks mostly directed towards the crypto industry.
In March 2024, United Nations investigators announced they were looking into 58 suspected crypto cyberattacks by the DPRK. The U.N. said the attacks total a combined $3 billion. The illegal funds were linked to funding North Korea’s conventional arms, munitions, nuclear weapons, intercontinental ballistic missiles, and weapons of mass destruction, all in contravention of international sanctions.
According to the U.N. Member States report, 40 to 50% of North Korea’s weapons of mass destruction programmes are funded by illicit cyber means.
North Korea is also funding AI, machine learning, and new disruptive technology development programs under this illegal and internationally sanctioned scheme.
Lazarus Group: A Phantom Hydra?
The U.N. investigation found that Kimsuky and Lazarus groups share infrastructure and seem to operate in coordination. However, experts believe there could be more than one group hiding behind the Lazarus group.
“Kimsuky is a North Korean advanced persistent threat (APT). However, North Korean cyberattacks and threat actors are notoriously difficult to attribute. You’ll often see campaigns bucketed under Lazarus Group instead of being broken out into the more specific APT designations,” Morin from Sysdig told Techopedia.
When Sanctions Backfire
Virtually cut off and isolated from most of the world, North Korea has lived under hard-line sanctions for decades. Sanctions against the country started in the 1950s, were strengthened in the 1980s, and again in 2006 shortly after North Korea’s first nuclear test on October 9, 2006. The country faced additional sanctions in 2013.
From oil to cash flow, defense and weapons, technology, minerals, and more, sanctions have led to a decline in North Korea’s trade volume, stagnation of its industries and markets, and impacted energy and food production systems.
The most vulnerable population groups are the most affected in North Korea, with malnutrition affecting children the most and scholars asking the question of how sanctions impact the humanitarian and food crisis in the country.
Despite being the most sanctioned country in the world, many have questioned whether the approach actually works. Benjamin Katzeff Silberstein of The Swedish Institute of International Affairs, writing for East Asia Forum said that North Korea regularly circumvents sanctions through “complex smuggling operations”.
Like many others, Silberstein believes that on the surface, sanctions seem to have had little impact on North Korea’s behavior.
Stripped of cash, and unwilling to comply with sanctions, especially those that forbid the country from building up its military capabilities, North Korea has allegedly taken to the cyberwarfare arena in search of resources and intelligence.
Nazar Tymloshyk, CEO at UnderDefense, a security provider, explained why cyberspace is ideal for North Korea.
“It is difficult to say definitively that international sanctions have any effect on North Korea hacking groups. Sanctions don’t work in cyberspace.”
Malachi Walker, Security Advisor for DomainTools also spoke to Techopedia about the issue.
“In the case of North Korea, sanctions have been largely unenforced from 2018 until a new sanctions package was released by the United States Department of Treasury in early 2022.”
“Still, in that same year, North Korean hackers stole $1.7 billion of cryptocurrency according to blockchain analysis firm Chainalysis,” Walker said.
Stephen Kowski, Field CTO at SlashNext, told Techopedia that sanctions on North Korea are backfiring and unintentionally driving the country’s push into illegal cyber operations.
“International sanctions against North Korea have inadvertently pushed the regime to rely more on its cyber capabilities, including groups like Kimsuky, for financial gain and intelligence gathering.”
“These sanctions have made cyber operations cost-effective and low-risk for the DPRK to fund its activities and circumvent restrictions.”
NSA and the FBI: How Organizations Should Protect Themselves Against North Korean Cyber Espionage
In the latest joint advisory, the FBI and the NSA warned that Kimsuky is using a new technique that involves exploiting weak DMARC security policies to mask spearphishing campaigns.
DMARC — short for Domain-based Message Authentication, Reporting & Conformance — is an email security protocol that works with other methods to prevent email spoofing. It lets domain owners define how to handle emails that fail authentication checks, protecting their reputation and reducing phishing attacks.
While DMARC policies can play a vital role in identifying and stopping email phishing attacks, due to lack of awareness, technical complexities, and fear of disruption, it is common for businesses, individuals, and organizations either not to enable DMARC controls or to misconfigure them.
Morin from Sysdig told Techopedia the North Korean cyberespionage group Kimsuky targets missing or misconfigured DMARC policies.
“This new technique will almost certainly improve Kimsuky’s success rate for spear phishing campaigns as the technique is clever from an attacker’s perspective.”
Target, breach, and exfiltration
Morin explained that data exfiltration from the targeting of misconfigured or poor DMARC policies is likely no different from Kimsuky’s standard exfil technique for spear phishing attacks: send the phish, hook the victim, obtain initial access, find interesting data, and exfil interesting data.
“According to CISA and MITRE reporting, Kimsuky uses its malware on the victim machine to encrypt the data and send it to a C2 server through email.”
DMARC policies are relatively simple to implement, especially compared to the risk of leaving them disabled. When correctly enabled and configured, they are a means of email security and authentication that helps filter out spam and domain spoofing (i.e. phishing attempts): DMARC verifies the sender’s legitimacy and the email’s authenticity.
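To make the misconfigurations the advisory describes concrete, here is an added Python example (not from the FBI-NSA advisory or from any vendor quoted above) that grades constructed DMARC records for the gaps that let spoofed mail through: no record at all, a monitor-only p=none policy, partial pct enforcement, a weaker subdomain policy, and no reporting address. The domain names are hypothetical and no DNS lookup is performed; a team would feed it the TXT record fetched from _dmarc.<domain>.

```python
"""Grade DMARC TXT records for the weaknesses that let domain spoofing through."""

# Constructed sample records for hypothetical domains; not real DNS data.
SAMPLE_RECORDS = {
    "missing.example": None,
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example; adkim=s; aspf=s",
    "broken.example": "v=DMARC1 p=reject",  # missing separator: receivers discard it
}

ENFORCING = ("quarantine", "reject")


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of findings; an empty list means the policy is enforcing."""
    if record is None:
        return ["no DMARC record published: spoofed mail is delivered unchallenged"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["record does not start with a valid v=DMARC1 tag: receivers ignore it"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        findings.append(f"p={policy or 'missing'}: failing messages are still delivered")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: only part of the failing mail is subject to the policy")
    if "sp" in tags and tags["sp"].lower() not in ENFORCING:
        findings.append(f"sp={tags['sp']}: subdomains can be spoofed despite the parent policy")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing goes unseen")
    return findings


def weak_domains(records):
    """Names of the domains whose record produced at least one finding."""
    return [domain for domain, rec in records.items() if assess_dmarc(rec)]
```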
Security teams looking for mitigation technical details and guidelines, as well as lists of red flags to watch out for, can check out the FBI-NSA document.
The Bottom Line
North Korea’s cyberattacks are a two-front assault, stealing intelligence and cryptocurrencies to fuel their sanctioned programs. Sanctions, while intended to stop these activities, seem to be backfiring and affecting the most vulnerable.
The international community must explore alternative methods to curb North Korea’s cyberwarfare. This could involve increased diplomatic efforts, collaboration on cyber defenses, information sharing among governments and businesses, and stricter enforcement of existing sanctions to close loopholes.
While simple technical solutions exist, for example, to enable DMARC to thwart Kimsuky’s phishing attacks, a wider solution remains tied to the geopolitical state of global affairs.
As demonizing entire nations becomes the common way forward, it also polarizes society and fuels the “us vs. them” mentality that hinders productive dialogue and international cooperation. A new approach that focuses on addressing root causes that push North Korea towards cybercrime could provide a more sustainable path forward.