April 1, 2020 | Policy Brief

North Korea Turns to Cyber Disinformation Attacks Amid Global Coronavirus Outbreak

Google’s Threat Analysis Group (TAG) released a new report on March 26 revealing North Korean hackers’ persistent cyberattacks on news outlets to spread disinformation. This new development in North Korean cyber operations reflects not only Pyongyang’s interest in expanding the scope of its cyber capabilities, but also the Kim regime’s attempts to conceal its struggles in dealing with the coronavirus pandemic.

The new Google TAG report found that since 2019, North Korean as well as Iranian state-backed hackers have targeted news outlets, journalists, and their related contacts to plant false stories and launch disinformation campaigns. Additionally, these state-backed hackers sought to gain the log-in information of journalists and their correspondents by integrating advanced social engineering and spear phishing tactics.

These actions reflect North Korea’s strategic objectives, as the regime regularly conducts information and influence activities (IIA) to maintain and strengthen its power both at home and abroad. The Korea Institute of Liberal Democracy, a South Korean think tank, revealed that North Korea employs 7,000 agents engaged in propaganda and information warfare. Their mission is to manipulate South Korean public opinion in Pyongyang’s favor.

Although North Korea’s IIA strategy prioritizes South Korea, the Google TAG report suggests Pyongyang is expanding its targeting range to the rest of the world. Specifically, earlier this February, the UN Food and Agriculture Organization (FAO) reported that a North Korean-hacked FAO account provided Voice of America with a fake story. The story claimed that an FAO leader affirmed the North Korean regime’s assertion it had no cases of coronavirus within its borders.

Yet since the coronavirus outbreak earlier this year, policymakers and foreign policy experts around the globe have collectively expressed skepticism about North Korea’s ability to cope with the pandemic. The Kim regime persistently dismisses such doubts and reports it has zero cases, despite reports from North Korean defectors of hundreds of coronavirus-related deaths.

Rather than admitting its inability to combat the outbreak by actively seeking international support, the North Korean regime has continued its provocations. For example, Pyongyang continues conducting short-range missile tests not only to advance its military capabilities, but also to signal to the world that the Kim family regime operates from a position of strength even while confronting the global pandemic.

Cyberattacks could be another provocation tool, as they could disrupt the ability of the United States and other nations to confront the coronavirus. For instance, unidentified hackers temporarily disabled U.S. Department of Health and Human Services (HHS) servers with a distributed denial of service (DDoS) attack earlier this month. Although there is no evidence to suggest North Korea perpetrated this attack, Pyongyang’s cyber warriors are capable of conducting similarly disruptive and subversive operations, as they did against South Korea in 2009.

As such, the United States and its allies must continue to respond to this persistent threat from Pyongyang. Fortunately, earlier this week, the White House issued a press statement announcing a one-year extension of Executive Orders 13694 and 13757, which laid the foundation for the Treasury Department’s cyber sanctions program.

The administration therefore should enforce these sanctions by targeting the hackers and programmers carrying out malign activities. Additionally, it should target the companies and individuals supporting Pyongyang’s cyber activities, pursuant to the North Korean Sanctions and Policy Enhancement Act of 2016. This legislation requires the U.S. government to sanction individuals and entities that “directed” or “provided material support to conduct significant activities undermining cyber security.”

Imposing and enforcing these financial penalties will allow Washington not only to signal Pyongyang’s malicious activities will not be tolerated, but also to stifle funding of Pyongyang’s cyber army.

Mathew Ha is a research analyst focused on North Korea at the Foundation for the Defense of Democracies (FDD), where he also contributes to FDD’s Center on Cyber and Technology Innovation (CCTI). FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.
