February 19, 2021 | Insight

North Korean Hackers Could Ramp Up Cyberattacks on COVID-19 Targets in Near Future

During a closed-door parliamentary session on Tuesday, South Korea’s National Intelligence Service (NIS) informed the National Assembly that North Korea’s state-sponsored hackers are attacking South Korean pharmaceutical companies in an attempt to steal data on COVID-19 vaccines and treatments. Although NIS officials said these attacks mostly failed, a recent report by Daily NK, a news publication that relies on a “robust network” of journalists inside North Korea, suggests Kim Jong Un’s hackers will increase this onslaught of cyberattacks on COVID-19-related targets in the coming days and weeks.

On February 5, Daily NK reported that the Kim regime created a new cyber organization called Bureau 325 on January 3. According to Daily NK’s anonymous “high-ranking” source, Bureau 325’s primary task is to steal COVID-19 information from pharmaceutical and biochemistry labs and companies as well as from government and intelligence organizations. The group is reportedly composed of five separate teams. Three teams will operate abroad to conduct cyber-enabled espionage, while the remaining two teams will stay back to process the stolen data.

Daily NK’s source added that this initiative is not yet fully operational. Specifically, regime authorities ordered the establishment of a “thorough security system” around Bureau 325 by February 16, which is a national holiday celebrating former leader Kim Jong Il’s birthday. This system would boost support for overseas hacking teams. It would enhance relationships with local facilitators to create optimal conditions for hackers to disguise their internet activity and move easily and discreetly between physical locations to evade law enforcement. It is unclear, however, if the North Korean government indeed completed this security system by the scheduled deadline. The source suggested that Bureau 325 would begin “full scale” operations after February 16, but did not specify an exact date.

While Daily NK’s report on Bureau 325 remains unconfirmed by other sources, the South Korean and U.S. governments should still be wary of and prepared for increasing North Korean cyberattacks in the near future.

One reason for caution is that the North Korean government celebrated the February 16 holiday honoring Kim Jong Il without conducting a major military provocation. Leading up to the holiday, the South Korean government speculated that Pyongyang could complement traditional memorial services for Kim Jong Il with a major weapons test or a military parade. However, North Korea’s ongoing domestic economic crisis, COVID-19 pandemic restrictions, effects of last year’s natural disasters, and uncertainty about the direction of the Biden administration’s North Korea policy may have spurred Pyongyang to consider an alternative and more discreet way of celebrating this day, namely through cyberattacks.

The Kim regime has long relied on provocations to gain the attention of its adversaries, raise tensions, and coerce others into providing political and economic concessions as the price of avoiding conflict. Cyber operations enable North Korea to quietly reap economic and security benefits, such as illicit revenue through cybercrime and key intelligence and data through cyber espionage. At the same time, Pyongyang may seek to avoid harmful diplomatic confrontations and publicity. Furthermore, if Daily NK’s reporting on Bureau 325 is indeed true, the Kim regime may have already begun this ramped-up hacking campaign as the February 16 deadline passed.

Moving forward, the South Korean and U.S. governments should cooperatively prepare potential targets for attacks by sharing with them information necessary to improve their cyber defenses. This would entail informing them of specific indicators of North Korea’s tactics, techniques, and procedures in targeting its victims via email and other platforms. Additionally, to counter future North Korean cyberattacks, the two allies should also identify offensive means to pursue the U.S. Defense Department’s stated objective to “defend forward and disrupt malicious cyber activities at its source.”

One specific option for Washington and Seoul is to engage and pressure foreign governments to investigate, identify, and expel North Korean overseas hackers and programmers that may be operating within their jurisdictions. Recorded Future, a U.S.-based cybersecurity firm, has reported that countries such as India, China, Russia, Malaysia, Nepal, Kenya, Mozambique, Indonesia, and Belarus have shown signs that they host “significant physical and virtual North Korean presences” within their jurisdictions – an assessment supported by U.S. government and military findings. Additionally, Daily NK’s reporting on Bureau 325 suggests that Pyongyang assigns critical mission tasks, such as data theft, to its overseas units.

Recorded Future has assessed that North Korea does not launch attacks from inside its own country, because it would create a “significant operational weakness” by giving enemies a pretext to use their own cyber tools to “limit current North Korean cyber operational freedom and flexibility.” Thus, identifying and targeting these overseas units would complicate North Korea’s cyber operations.

The United States should therefore impose sanctions on the foreign companies and individuals that refuse to cooperate in identifying North Korea’s overseas cyber units. The North Korean Sanctions Policy and Enhancement Act of 2016 provides the Treasury Department the authority to sanction individuals and entities that “have knowingly engaged in, directed, or provided material support to conduct significant activities in undermining cyber security.”

It is now up to Washington and Seoul to defend against and deter the North Korean cyber threat. Until the United States and South Korea respond more directly and assertively to Pyongyang’s persistent hacks, the Kim regime not only will continue cyber operations, but will also seek to upgrade the scale and quality of these attacks to pose a more severe threat to Washington’s and Seoul’s security interests.

Mathew Ha is a research analyst focused on North Korea at the Foundation for Defense of Democracies (FDD), where he also contributes to FDD’s Center on Cyber and Technology Innovation (CCTI). For more analysis from Mathew and CCTI, please subscribe HERE. Follow Mathew on Twitter @MatJunsuk. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.
