November 18, 2020

Exposing the Financial Footprints of North Korea’s Hackers

By Jason Bartlett

Executive Summary

North Korea conducts intricate and sweeping cyberattacks against the United States and its allies to acquire funds to support its illicit nuclear proliferation efforts. Unlike more economically advanced nuclear states possessing domestic research, development, and deployment capacities to establish weapons of mass destruction (WMD) programs, the Democratic People’s Republic of Korea (DPRK) must seek financial resources, assistance, and institutional knowledge, at least initially, from overseas. It has developed its cyber capabilities in order to circumvent financial sanctions and global safeguards, conducting elaborate online bank heists and hacking attacks; stealing funds through fraudulent bank transfers, Society for Worldwide Interbank Financial Telecommunications (SWIFT) transactions, and ATM cash-outs; launching ransomware attacks demanding payment in cryptocurrency; and hacking cryptocurrency exchanges. The scale and sophistication of these innovative sanctions evasion tactics create a challenge that calls for stronger measures to confront them. In addition to providing policy recommendations for U.S. leadership and financial institutions, this report will outline the ways North Korea supports, expands, and utilizes cyber operations to acquire funds for its nuclear weapons program.

The following key points will be addressed:

  • North Korea’s malicious cyber activities are a direct threat not only to U.S. national interests, but also to global security and the integrity of the entire international financial system. They are dangerous and increasing in scale and severity.
  • For North Korea, cyber operations are both low-risk and low-cost, with potentially high gains given the low barriers to entry. However, moving the funds to support these activities requires more complex money-laundering services and supporting networks from abroad. North Korea conducts its cybercrime activities from third-party locations, such as China, Russia, and India. The country continues to benefit from technology sharing, academic training, and the willful blindness of regulators in those countries to sanctions violations.
  • Many governments struggle to protect their financial institutions and virtual currency activity from exploitation by criminals, in part because most states have significantly less regulatory capability over virtual assets than over traditional fiat currency. This situation provides ample opportunity for hacking and exploitation, because the origin and destination of these online transactions can be difficult to trace.
  • This policy brief seeks to provide U.S. leadership with a set of recommendations to curb North Korea’s cyber-enabled proliferation finance schemes abroad. These include, for example, creating a DPRK cyber exchange within the Treasury Department’s Office of Foreign Assets Control (OFAC), issuing cybersecurity audits as part of deferred prosecution agreements with noncompliant U.S. financial institutions, and allocating federal funds and resources to track the whereabouts of North Korean cyber agents studying and working abroad at front companies and leading science and technology universities.

North Korea’s Growing Cyber Fundraising

As sanctions tighten in other areas, such as commodities trade, North Korea continues to compensate for its monetary losses with funds obtained through illicit cyber activity. The country procures substantial funds for its WMD and ballistic missile programs through a variety of elaborate means, including sophisticated cyberattacks. These money-generating attacks can include online bank heists, fraudulent bank transfers, use of cryptocurrency ransomware, and garden-variety hacking and phishing. Since February 2020, North Korea has resumed targeting banks to initiate fraudulent international money transfers and ATM cash-outs in multiple countries, including South Korea, Japan, Spain, and other U.S. allies. Proliferation finance in the case of North Korea applies to all state-sponsored activity focused on procuring illicit funds for the government. While the full extent of its cybercrime capabilities remains unknown, North Korea’s unprecedented success in circumventing U.S. and U.N. sanctions demonstrates how ill-equipped many jurisdictions and institutions are to combat the North Korean cyber threat and prevent the diversion of money to the North Korean regime.

The U.S. intelligence community commonly refers to North Korean malicious cyber activity as HIDDEN COBRA, emphasizing the state’s ability to conduct destructive clandestine operations directly affecting critical U.S. financial and security infrastructure. The U.N. Security Council 1718 Sanctions Committee’s Panel of Experts’ (POE) 2019 midterm report affirmed that North Korean cyber actors attempted to steal an estimated $2 billion (US) from foreign banks, financial institutions, and cryptocurrency exchanges for the country’s growing nuclear and ballistic weapons programs. Today, that figure has likely grown and possibly contributes to financing future cyberattacks and cyber heists.

North Korea continues to pursue greater civil-military fusion by providing extensive cyber and information technology-related training to carefully selected party loyalists and high-scoring university students. According to Nam Jae-joon, former Director of South Korea’s Intelligence Service, Kim Jong Un himself equated the importance of developing cyber capabilities to that of nuclear power, claiming that “cyber warfare, along with nuclear weapons and missiles, is an ‘all-purpose sword’ (만능의 보검) that guarantees [North Korea’s] military’s capability to strike mercilessly.” In May 2020, the regime allegedly recruited at least 100 of the highest-performing graduates from top science and technology universities into the military to manage its intranet network and tactical planning systems. One of these universities is the Kim Chaek University of Technology, which has graduated numerous North Korean hackers including Park Jin Hyok (박진혁), who was allegedly responsible for the 2014 Sony Pictures Entertainment cyberattack, the 2016 Bangladesh Bank heist, and the 2017 WannaCry global ransomware attack. Direct government recruitment and integration of top technology university graduates into specialized cyber-related military postings suggests a national priority of bolstering cyber capabilities.

Another example of North Korea’s national interest in strengthening cyber operations through student recruitment is Mirim College, which graduates approximately 100 hackers every year. According to defector testimony, students learn to dissect Microsoft Windows operating systems, create destructive computer viruses, and write code in various programming languages. Its specific emphasis on Microsoft Windows could possibly explain the WannaCry ransomware cyberattack in 2017, which compromised over 300,000 computers in 150 countries through vulnerabilities in the Microsoft Windows operating system. The U.S. government attributed the 2014 Sony Pictures Entertainment and 2017 WannaCry ransomware cyberattacks, as well as the 2016 Bangladesh Central Bank cyber heist—the largest of its kind to date, at $81 million—to the Lazarus Group, an elusive North Korea-sponsored hacking organization.

Most recently, the Korean Central News Agency confirmed the establishment of a new science and technology university related to the country’s cyber warfare and weapons development program in its coverage of the North’s October 10, 2020, military parade. This event marked the 75th anniversary of the founding of the ruling party and also featured a new intercontinental ballistic missile, which, if operational, would be the largest and potentially most powerful missile of its kind. This indicates a national investment of government funds to ensure greater civil-military fusion which would threaten not only regional stability on the Korean Peninsula, but international security as a whole.

The Reconnaissance General Bureau (RGB; 정찰총국), North Korea’s primary foreign-intelligence service, is responsible for all collection and clandestine operations, including cyber-enabled financial crime. The RGB conducts illicit financial operations overseas by transferring funds from front companies established abroad to financial institutions in Asia, then ultimately back to North Korea. According to the U.N. Security Council, North Korea cloaks its illicit efforts to move and launder money for its nuclear proliferation program through seemingly legitimate overseas business ventures. For example, the U.N. determined the Malaysia-based tech company Global Communications Co., also known as Glocom, to be a front for North Korean-sponsored proliferation finance on behalf of the RGB through a joint venture with Malaysia-Korea Partners (MKP). The report also claimed that prohibited joint ventures, such as that of Glocom and MKP, continue overseas operations in Latin America, Eastern Europe, Africa, and Asia. They allegedly reinvent themselves under new company names to conceal the movement of funds and their affiliation with North Korean companies.

U.S. Department of Justice announces charges against North Korean national and cyber agent, Park Jin Hyok, in relation to multiple cyberattacks on September 6, 2018. (Mario Tama/Getty Images)

Under the RGB, North Korea currently commands an estimated 6,000 cyber agents through four subgroups across the globe—one being the Lazarus Group. The Department of the Treasury designated both the Andariel/Andarial Group and Bluenoroff Group as subsets of the Lazarus Group, illustrating the complexity of North Korean cyber operations. Many of these agents reportedly operate overseas, in countries including China, India, Russia, Belarus, and Malaysia. Although the exact number of subordinate and independent cybercrime organizations is unknown, this policy brief describes the following identified cyber groups:

Reconnaissance General Bureau (RGB): North Korea’s primary foreign-intelligence service, responsible for all collection and clandestine operations abroad.
Bureau 121: Serves as the main RGB unit for cyber operations, including cyber-enabled financial crime and computer warfare.
Lazarus Group: Creates social chaos by weaponizing enemy network vulnerabilities and preloading code for later activation to disrupt or destroy target networks.
Andariel/Andarial Group: Gathers information through reconnaissance of enemy computer systems and provides initial assessments of enemy networks’ vulnerabilities.
The Bluenoroff Group: Conducts financial cybercrime by concentrating on long-term assessment and exploiting enemy network vulnerabilities.
APT37: Suspected cyber espionage threat group that may be connected to the Lazarus Group.
APT38: Mainly targets banks and financial institutions and may be connected to the Lazarus Group.
Electronic Warfare Jamming Regiment: Employs both lethal and non-lethal methods, such as electronic jamming, signals reconnaissance, and physical destruction of targets supporting enemy decision-making processes.
Mirim College: Trains future state-sponsored hackers and cyber criminals through academic instruction and technical training. Also known as Mirim University and the Pyongyang University of Automation.*

*Mirim College is not linked to a particular cyber subdivision in this graphic because its graduates have the potential to enter any of the identified groups.

Technological and Operational Support: China and Russia

In addition to domestic investment, North Korea also receives cybercrime support from third-party actors, including China and Russia, in the form of technology sharing, academic training, and willful blindness toward sanctions violations. According to the August 2020 U.N. POE report, both China and Russia violated U.N. Resolution 2397 by allowing North Korean workers to re-enter their countries after the mandatory December 2019 repatriation deadline. While there is a notable distinction in sophistication between the illicit financial operations conducted by organizations subordinate to the RGB, such as the Lazarus Group, and those of information technology (IT) workers mandatorily stationed abroad, both threaten U.S. national security and the global financial system. In contrast to elaborate cyberattacks and online bank heists, North Korean IT workers’ methods for acquiring illicit funds for the regime typically consist of gaming, application development, web scraping, and internet scamming on websites such as Upwork, Freelancer, and LinkedIn. However, even modest amounts of money can augment North Korea’s nuclear weapons program and mask more nefarious activity.

For example, North Korean hacker Park Jin Hyok conducted legitimate IT work in China under the front company Chosun Expo while also supporting illicit cyber-enabled proliferation finance activities on behalf of the RGB. Although Park cannot be considered representative of all overseas North Korean IT workers, the continued possibility of dual-purpose front companies calls for further investigation. Similarly, state-sponsored hackers presented as university students or industrial trainees may also be able to circumvent labor-related U.N. sanctions.

China

North Korea’s global cybercrime syndicates employ foreign individuals with access to advanced technology and tactical capabilities to support its proliferation finance schemes. In March 2020, the U.S. Department of Justice charged two Chinese nationals with laundering over $100 million worth of stolen cryptocurrency to obscure transactions for the benefit of actors based in North Korea. The civil forfeiture complaint linked this money-laundering conspiracy scheme to the nearly $250 million worth of virtual currency stolen by the Lazarus Group and used for North Korean hacking campaign infrastructure. However, China’s role in facilitating North Korean sanctions evasions extends beyond professional money-laundering services.

The August 2020 U.N. POE report mentioned an unidentified U.N. member state that claimed North Korean national and information technology manager Ma Tong Hyok allegedly coordinated with the North Korean government and other North Korean information technology managers in China to dispatch IT workers back to China after “resetting their visas.” Additionally, Chinese company Xinlu Science and Technology Co. Ltd. may be linked to two North Korean nationals based in Dalian who were involved in dispatching IT workers from North Korea to China in September 2019. The U.N. POE is currently investigating several ongoing cases concerning Chinese companies illegally employing North Korean workers past the repatriation deadline, including the possibility that North Korean workers were entering China under student and industrial trainee visas—which exposes yet another vulnerability in the current sanctions regime.

Russia

The August 2020 U.N. POE report also highlighted three groups of North Korean information technology workers illegally stationed in Vladivostok, Russia, who earned approximately $230,000 (US) in March 2020. Despite the fact that the U.N. resolution had passed two years prior to the spread of the novel coronavirus that causes COVID-19, the Russian government claimed that it had failed to repatriate all North Korean workers because “transport to and from the Democratic People’s Republic of Korea was suspended owing to the coronavirus disease (COVID-19) pandemic.” U.N. POE investigations continue as these examples of blatant sanctions noncompliance demonstrate how Chinese and Russian actors continue to successfully support North Korean proliferation finance abroad despite U.N. sanctions.

In terms of infrastructural development, major Russian telecommunications company TransTeleCom provided North Korea with a new internet connection in 2017 to supplement the China Unicom connection line established in 2010, which likely expanded North Korea’s international bandwidth and connectivity. Additionally, security firm Intel 471 identified several possible links between hostile North Korean actors and a Russian-language-operated malware called TrickBot in September 2020. This evidence does not suggest direct Russian state involvement in North Korean cyber-enabled financial crime—TrickBot is suspected to have originated in Eastern Europe. However, it does raise the issue of cross-border cybercrime collaboration, which could prove highly dangerous and increase enforcement difficulties.

Educating and Harboring Potential Cyber Agents: China and India

North Korea has the capability and motivation to dispatch university students abroad to technologically advanced nations to obtain high-level IT degrees and necessary training prior to, or during, state-sponsored cyber agent activity. In particular, Chinese and Indian institutions are at high risk for facilitating North Korean illicit crime. In addition to professional money-laundering services and cyber infrastructure, China has the potential to support North Korean illicit cyber activity through training and academic instruction at top technology universities. Recent developments in China–North Korea relations can provide ample opportunity for the historical allies to hedge against the United States within the cyber field. Similarly, Indian universities provide potentially hostile North Korean actors with access to information and technologies inaccessible or difficult to obtain in Pyongyang.

China

In recent years, North Korean leader Kim Jong Un significantly altered his diplomatic approach to Beijing, which suggests an increased interest in strengthening personal ties with China. Contrary to his father, Kim Jong Il, and grandfather, Kim Il Sung, who both met Chinese leaders several times while head of state, Kim Jong Un had not met with any foreign head of state since he assumed power in 2011. However, in late March 2018, Kim Jong Un unexpectedly visited Beijing to reinforce the North Korea-China alliance just weeks prior to his planned summit meetings with U.S. President Donald Trump and South Korean President Moon Jae-in. This signaled to world leaders that amidst unprecedented diplomatic openness with both South Korea and the United States, North Korea still values its relationship with China above other contenders. Kim Jong Un’s leadership lacked this narrative until that moment.

South Koreans watch a television broadcast reporting North Korean leader Kim Jong Un’s unannounced visit to Beijing to meet with Chinese President Xi Jinping on March 28, 2018. (Chung Sung-Jun/Getty)

North Korean students often study abroad at top Chinese science and technology universities, such as the Harbin Institute of Technology (HIT), which offers access to advanced technology and equipment either inaccessible or difficult to obtain in Pyongyang. In September 2013, HIT publicly announced the matriculation of three North Korean teachers from Kim Il Sung University and nine North Korean students from Kim Chaek University of Technology, the alma mater of Park Jin Hyok. According to the Center for Strategic and International Studies’ China Power Program, data analysis revealed that North Korean student enrollment in China reached reported all-time highs in 2015 and 2016, at 1,829 and 1,878 students, respectively. China’s Ministry of Foreign Affairs has refrained from offering public information on North Korean student matriculation beyond 2016.

The Chinese government continues to pursue official academic partnerships with military-affiliated North Korean universities which may be a stepping-stone for future cyberattacks. In November 2019, the Chinese Ministry of Education and the North Korean Chairman of the Education Commission jointly signed the China–North Korea Education and Cooperation Agreement (2020–2030) to reinforce academic partnerships and postgraduate exchanges. This collaborative government effort to increase foreign exchange and higher education training programs could potentially provide ample opportunity for elevated illicit activity, including cybercrime, given the nature of these science and technology universities. Similar to concerns regarding Chinese universities like HIT educating future North Korean nuclear scientists, academic institutions could realistically provide ample opportunity for present and future North Korean cyber agents to obtain the necessary skills and knowledge to conduct high-level cyberattacks against the United States.

Kim Heung-kwang, a former North Korean computer science professor at Hamheung Computer Technology University, trained many of the country’s first cyber agents before they left for overseas training in China. According to a C4ADS report, Kim claimed that Bureau 121 hackers and North Korean programmers trained and operated within the joint venture Chilbosan Hotel (沈阳七宝山酒店) in the Shenyang region of China. Although North Korean cyber-enabled intelligence operations have significantly evolved since their beginnings in the 1990s, continued cyber cooperation and training between the two countries would marry a variety of Chinese and North Korean interests, allowing them both to hedge against the United States.

India

India is known for both its expertise in IT and its lax stance on North Korea. In 2016, the U.N. POE investigated India’s Centre for Space Science and Technology Education in Asia and the Pacific (CSSTEAP) for offering postgraduate diploma courses in science and technology to North Korean nationals. According to its report, CSSTEAP offered specialized training that North Korea could use in conducting prohibited ballistic-missile-related activities. These courses also provide potential hostile North Korean agents with access to advanced technology and equipment applicable to cyber-enabled crime.

North Korea has sent more than 30 students to train under the tutelage of CSSTEAP professors, including Paek Chang Ho, a North Korean national designated by the U.N. for his role in the December 2012 launch of the Unha-3 rocket. Additionally, the current first secretary to India at the Embassy of the DPRK, Hong Yong Il, studied remote sensing and geographic information systems at CSSTEAP in 1996 and now serves as a member of the governing board of the university. This represents a sustained academic partnership between the North Korean government and CSSTEAP; Hong continues to exert administrative influence over the university.

Access to advanced technologies, equipment, high-functioning computers, and global software programs is essential for a successful North Korean hacking campaign aimed at procuring funds for nuclear proliferation. According to the university’s website, CSSTEAP had graduated a total of 32 North Korean nationals and 10 Iranian nationals in postgraduate studies as of 2015; it notably stopped releasing public records documenting the number and origin of university students after its mention in the 2016 U.N. POE report. The continued matriculation of North Korean nationals at CSSTEAP following Kim Jong Il’s death in 2011 indicates the regime’s sustained interest in maintaining academic relations with CSSTEAP, which warrants further investigation.

Responding to the Threat

In recent months, the U.S. government has ramped up its efforts against North Korean cyber activity. In August, the U.S. Treasury Department, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Cyber Command issued a joint alert exposing North Korean–sponsored cyber actors’ use of malicious software, or malware, to gain illicit access to banks in multiple countries to “initiate fraudulent international money transfers and ATM cash outs.” Subsequently, the Department of Justice filed a civil forfeiture complaint for 280 cryptocurrency wallets tied to North Korean–sponsored hackers and Chinese over-the-counter cryptocurrency traders. However, North Korean–sponsored cyberattacks against the United States and its allies have evolved far beyond the realm of cyber heists.

The U.S. government continues to uncover new and dangerous North Korean cyber threat groups which pose serious concerns for international security and U.S. national interests. The U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued a specialized advisory in July 2020 alerting financial institutions to potential indicators of cyber-enabled crime exploiting the current COVID-19 pandemic. According to the non-profit intelligence organization IssueMakersLab, North Korea leverages its cyberattacks alongside China and Russia as it reportedly attempted to hack and steal funds from pharmaceutical companies researching COVID-19 vaccines. Although government officials have yet to detect a North Korean cyberattack aimed at the U.S. pandemic relief fund, cyber-intelligence analysis firm CYFIRMA also claimed that North Korean hackers targeted foreign countries’ national COVID-19 relief funds and curated almost 1.5 million e-mail addresses to lure American citizens into providing personal banking information via the false promise of direct payments of $1,000 (US). These warnings indicate that North Korea’s cyber-enabled proliferation finance strategy continues to evolve and adapt to global developments, including pandemics such as COVID-19.

Policy Recommendations

The following policy recommendations seek to provide U.S. leadership with a set of both immediate and long-term actions to curb North Korea’s cyber-enabled proliferation finance schemes abroad.

1. The Treasury’s Office of Foreign Assets Control (OFAC) should establish a DPRK cyber exchange to encourage stronger information-sharing practices between law enforcement and financial institutions.

Similar to the FinCEN Exchange, which facilitates voluntary information sharing among financial institutions under section 314(b) of the USA Patriot Act, OFAC’s DPRK cyber exchange could offer best practices on detecting, deterring, and reporting North Korean cyber-enabled financial crime and hacking of financial institutions. Through this program, OFAC could convene regularly scheduled briefings and deterrence training workshops detailing virtual asset risks and red flag indicators of North Korean cyber-enabled financial crime. Additionally, OFAC could share these briefings with like-minded foreign financial institutions and responsible jurisdictions interested in improving cybersecurity measures against North Korea.

2. The U.S. Department of Justice should levy fines on U.S. financial institutions that fail to incorporate basic CISA, Treasury, and Financial Action Task Force (FATF) cybersecurity protocols into their due diligence practices by the end of 2021.

North Korea continues to exploit cybersecurity vulnerabilities within the U.S. financial system to the benefit of its nuclear weapons development program. For example, section 314(b) of the USA Patriot Act allows financial institutions to share information with one another to identify and report money-laundering or terrorist activity on a voluntary basis, but it carries no legal consequences for institutions that choose not to participate. Additionally, illicit cyber actors can circumvent the Bank Secrecy Act, which requires financial institutions to retain records of all transactions in excess of $3,000, by simply conducting transactions under that threshold. Although FinCEN recently proposed lowering the applicable threshold from $3,000 to $250 for international transactions, illicit cyber actors such as North Korea continue to exploit section 314(b) of the USA Patriot Act to their benefit.
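The threshold gap described above is what anti-money-laundering teams call structuring: value is split into transfers that each stay under the recordkeeping threshold. The following detection routine is an added example and is not code from the report or from any agency named in it. It takes the two thresholds the brief cites ($3,000 under the Bank Secrecy Act, and FinCEN's proposed $250 for international transactions) and flags originator/beneficiary pairs whose sub-threshold transfers, taken together inside a rolling window, add up to at least the threshold. The seven-day window, the minimum of three transfers, the account names, and the transactions themselves are constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds taken from the brief: the Bank Secrecy Act recordkeeping threshold
# of $3,000 and FinCEN's proposed $250 threshold for international transactions.
BSA_RECORD_THRESHOLD = 3_000.0
PROPOSED_INTL_THRESHOLD = 250.0


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    originator: str
    beneficiary: str
    amount: float
    international: bool


def record_threshold(transfer, use_proposed_intl=False):
    """Recordkeeping threshold that applies to one transfer.

    With use_proposed_intl=True, international transfers use the proposed
    $250 figure; domestic transfers keep the $3,000 figure either way.
    """
    if use_proposed_intl and transfer.international:
        return PROPOSED_INTL_THRESHOLD
    return BSA_RECORD_THRESHOLD


def find_structuring(transfers, window_days=7, min_count=3, use_proposed_intl=False):
    """Flag originator/beneficiary pairs that split value into sub-threshold transfers.

    A pair is flagged when, within a rolling window of window_days, at least
    min_count transfers that each fall below the recordkeeping threshold add up
    to at least that threshold. The window and count are assumed tuning values,
    not figures from the brief. Returns one alert dict per flagged pair.
    """
    window = timedelta(days=window_days)
    below_threshold = defaultdict(list)
    for t in transfers:
        if t.amount < record_threshold(t, use_proposed_intl):
            below_threshold[(t.originator, t.beneficiary)].append(t)

    alerts = []
    for pair, items in below_threshold.items():
        items.sort(key=lambda t: t.ts)
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until the span fits in window_days.
            while items[end].ts - items[start].ts > window:
                start += 1
            chunk = items[start:end + 1]
            total = sum(t.amount for t in chunk)
            threshold = record_threshold(items[end], use_proposed_intl)
            if len(chunk) >= min_count and total >= threshold:
                alerts.append({
                    "pair": pair,
                    "count": len(chunk),
                    "total": total,
                    "threshold": threshold,
                    "first": chunk[0].ts,
                    "last": chunk[-1].ts,
                })
                break  # one alert per pair is enough for triage
    return alerts


def _d(day, hour=9):
    return datetime(2020, 3, day, hour)


# Constructed sample data (hypothetical account names, not from the report).
SAMPLE_TRANSFERS = [
    # Four domestic transfers well under $3,000, spread over four days.
    Transfer(_d(1), "acct-A", "acct-B", 900.0, False),
    Transfer(_d(2), "acct-A", "acct-B", 950.0, False),
    Transfer(_d(3), "acct-A", "acct-B", 800.0, False),
    Transfer(_d(4), "acct-A", "acct-B", 700.0, False),
    # Two sub-threshold transfers two weeks apart: outside the window.
    Transfer(_d(1), "acct-C", "acct-D", 2900.0, False),
    Transfer(_d(15), "acct-C", "acct-D", 2900.0, False),
    # A single transfer above the threshold: recorded normally, never a candidate.
    Transfer(_d(5), "acct-E", "acct-F", 5000.0, False),
    # Three small international transfers in one day: invisible under $3,000,
    # visible once the proposed $250 figure applies.
    Transfer(_d(6, 8), "acct-G", "acct-H", 200.0, True),
    Transfer(_d(6, 12), "acct-G", "acct-H", 240.0, True),
    Transfer(_d(6, 16), "acct-G", "acct-H", 160.0, True),
]


if __name__ == "__main__":
    for label, flag in (("current $3,000 rule", False), ("proposed $250 international rule", True)):
        print(f"--- {label} ---")
        for a in find_structuring(SAMPLE_TRANSFERS, use_proposed_intl=flag):
            print(f"{a['pair'][0]} -> {a['pair'][1]}: {a['count']} transfers totalling "
                  f"${a['total']:,.0f} (threshold ${a['threshold']:,.0f}) "
                  f"between {a['first']:%Y-%m-%d} and {a['last']:%Y-%m-%d}")
```

Run with the default settings, only the acct-A to acct-B pattern is flagged; switching to the proposed $250 international figure also surfaces the acct-G to acct-H transfers, which illustrates the brief's point that a lower threshold widens what a records-based control can see. Any real deployment would tune the window and count against the institution's own false-positive tolerance and feed alerts into the suspicious-activity reporting process rather than acting on them directly.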

In response, the Department of Justice could require cybersecurity audits as part of deferred prosecution agreements with financial institutions to encourage compliance with basic cybersecurity protocols described by CISA, Treasury, and FATF. Failure to implement fundamental cybersecurity practices, such as regular updates of computer software and operating systems, including those on ATMs, can result in significant cybersecurity breaches. For example, the Lazarus Group successfully deployed the 2017 WannaCry ransomware attack because institutions had failed to issue a mandatory, company-wide computer update of an outdated version of Microsoft Windows. Hostile actors continue to illegally acquire funds through illicit malware operations targeting ATMs because of poor or outdated cyber and system protections. Financial institutions could avoid both such cybersecurity breaches and government fines by incorporating the CISA malware analysis reports and FATF guidelines into company due diligence protocols and employee cybersecurity training.

3. U.S. financial institutions should regularly engage in cybersecurity dialogue with correspondent banks to ensure the integrity of transactions and the U.S. dollar abroad.

When dealing with correspondent banks, U.S. financial institutions should practice not only proper know-your-customer due diligence protocols, but also know-your-customer’s-customer protocols. Correspondent banks can serve as safe havens for money-laundering schemes, fraudulent transactions, and other illicit cyber-enabled financial crime on the part of hostile states such as North Korea. U.S. financial institutions should regularly engage in dialogue with correspondent banks to learn their policies and approaches to illicit cyber activity. U.S. financial institutions should not facilitate, nor accept, monetary activity from correspondent banks with poor or nonexistent cybersecurity protocols, and U.S. banks should report all suspicious activity from correspondent banks to the Department of the Treasury. This reporting would allow U.S. banks to maintain the integrity of the U.S. dollar abroad and avoid unintentional sanctions violations.

4. The U.S. Department of State should allocate funds and resources to track the number of North Korean nationals participating in IT and/or advanced computer-science–related degree programs abroad in the five countries listed in the U.S. Army manual on North Korean Tactics: China, India, Russia, Belarus, and Malaysia.

The U.S. administration should create a task force to work in consultation with the U.N. POE and the International Atomic Energy Agency to evaluate the curricula of universities hosting North Korean nationals, as the POE did in the CSSTEAP investigation. This collaborative effort could discern the possibility of academic institutions offering training relevant to nuclear weapons development and illicit cyber-enabled proliferation finance. Additionally, the U.S. Department of State should engage with domestic think tanks and foreign allies such as the Five Eyes countries, Japan, and South Korea to conduct in-depth research on this topic. Partnerships with North Korean–defector–led nongovernmental organizations (NGOs) and former RGB employees would also increase research bandwidth and provide valuable linguistic and organizational awareness. The task force could then publish reports documenting suspected academic institutions and individuals to raise international awareness and political pressure to discourage this illicit behavior. Last, the U.S. government should encourage the U.N. to include a section specifically focusing on North Korean cyber-enabled proliferation finance operations within subsequent POE reports, to increase the likelihood of the addition of cyber language to future U.N. Security Council resolutions.

5. The U.S. Department of State should coordinate with the intelligence and think tank community to conduct in-depth research to further expose Chinese and Russian intelligence and malicious software exchanges with North Korean agents, as well as the illegal employment of North Korean IT workers abroad.

The U.S. Department of State should collaborate with U.S. think tanks, NGOs, and the North Korean defector community to conduct in-depth research on the number and possible locations of North Korean agents and information workers abroad, as well as the entities and institutions illegally harboring them. North Korean defectors previously employed by the DPRK government, in particular the RGB, may offer valuable insight into the organization, recruitment, and execution of the country’s intricate global crime networks in well-known risk zones such as China and Southeast Asia. These collaborative research reports could be submitted to the U.N. POE on North Korea to discuss possible diplomatic rapprochement efforts with noncompliant entities and shared with allies, as appropriate, to coordinate joint efforts. Additionally, the United States and the U.N. could consult these findings when considering revised or new sanctions against North Korea, as well as countries and entities in violation of U.N. Resolution 2397.

6. The Department of the Treasury should expand sanctions designations to any foreign entity supporting, through academic training or information and technology sharing, or closing its eyes to North Korean illicit cyber activity.

Many North Korean–sponsored actors operate outside of North Korea with little consequence—which calls for stronger pressure on the host countries to comply with sanctions. The U.S. government should enhance its sanctions regime to target all institutions supporting North Korean proliferators operating abroad. The 2016 U.N. POE specifically mentioned CSSTEAP, but it is probably only one of many academic institutions and individuals who, wittingly or unwittingly, train future North Korean cyber agents. U.S. policymakers could use Executive Orders 13687 and 13694 to highlight the organization and operation of illicit North Korean networks, as well as target individuals and entities conducting, facilitating, and/or supporting proliferation finance and academic training applicable to future cybercrime and nuclear weapons development. Increasing the financial and logistical burden for foreign agents and entities supporting illicit North Korean state-sponsored activity, whether directly or indirectly, is essential to combating the nation’s illicit proliferation finance efforts. These existing tools could expand the breadth of the U.S. sanction and designation framework to encompass support for illicit behavior.

Conclusion

North Korea will continue to exploit the vulnerabilities in U.S. and U.N. legal and financial institutions through any means possible. The United States should lead fellow responsible nations in creating safeguards against illicit cyber activity to match the sophistication of current cyber threats. North Korea’s expanding cyber capabilities are a direct threat to international security and the global financial system. Beyond strengthening cybersecurity protocols and information sharing between governments and financial institutions, the United States government can coordinate with its allies to conduct in-depth research on the whereabouts of overseas North Korean cyber agents to track, identify, and prevent further dispatch units.

Since the Cold War era, China and Russia have continued to provide North Korea with academic and technological support, but the pariah country has now exhibited signs of conducting advanced cyberattacks by means of its own agents. Despite being considered secondary to China and Russia as a cyber threat, North Korea is committed to advancing its cyber capabilities—which will narrow the cyber threat gap with China and Russia even further.

The United States can only gain from joint coordination with allied nations to protect shared global interests and international security. Shielding against pending cyberattacks is crucial, but preventing the training and dispatch of cyber agents is equally important in limiting the breadth of North Korea’s cyber-enabled financial crime. North Korea is much more than just China’s “little brother,” and U.S. leadership must respond swiftly to this cyber threat.

About the Author

Jason Bartlett is a Research Assistant for the Energy, Economics, and Security Program at CNAS. His work primarily focuses on proliferation finance and sanctions evasion tactics, including cyber-enabled financial crime. Previously, he researched international security threats and illicit activity at the CSIS Korea Chair, C4ADS, and the Asan Institute for Policy Studies in Seoul, South Korea. He also provided four years of linguistic and administrative assistance to numerous human rights nongovernmental organizations resettling North Korean defectors in South Korea and the United States. He is fluent in Korean and Spanish.

Romanization of North Korean Names

This policy brief romanizes North Korean names from Standard Korean into English according to the Democratic People’s Republic of Korea’s variant of the McCune-Reischauer Korean romanization system. For example, 김정은 is written as “Kim Jong Un,” without hyphenation, rather than “Kim Jong-un.”

Acknowledgments

The author would like to thank Maura McCarthy for her review of this report. He also thanks Neil Bhatiya, Andrea R. Mihailescu, and Aaron Arnold for their valuable feedback and peer review during the finalization of this report. Additionally, he would like to acknowledge Elizabeth Rosenberg, Melody Cook, Maura McCarthy, Emma Swislow, and Chris Estep for their assistance with the production of the report.

As a research and policy institution committed to the highest standards of organizational, intellectual, and personal integrity, CNAS maintains strict intellectual independence and sole editorial direction and control over its ideas, projects, publications, events, and other research activities. CNAS does not take institutional positions on ​policy issues and the content of CNAS publications reflects the views of their authors alone. In keeping with its mission and values, CNAS does not engage in lobbying activity and complies fully with all applicable federal, state, and local laws. CNAS will not engage in any representational activities or advocacy on behalf of any entities or interests and, to the extent that the Center accepts funding from non-U.S. sources, its activities will be limited to bona fide scholastic, academic, and research-related activities, consistent with applicable federal law. The Center publicly acknowledges on its website annually all donors who contribute.

