May 27, 2021 | Policy Brief

U.S.-ROK Alliance Creates a New Cyber Working Group at Summit

President Joe Biden and South Korean President Moon Jae-in agreed at their first summit on May 21 to deepen cyber cooperation by creating a new bilateral cyber working group to confront ransomware and other cybercriminal threats to both countries. These steps will improve the U.S.-ROK alliance’s coordination and information sharing in order to confront the evolving threat of North Korea’s cybercrime.

According to a White House fact sheet on the U.S.-ROK partnership, this new working group will bring together U.S. and South Korean law enforcement and homeland security agencies to “learn from past cybercrime events and combat ransomware attacks against our two countries.” The working group will likely focus on global cybercriminal and ransomware threats, not just those from Pyongyang, but North Korea will likely be a principal concern.

Since 2015, North Korean hackers have targeted banks and cryptocurrency exchanges worldwide. North Korea stole over $200 million through cybercrime between 2017 and 2019 and an additional $300 million in 2020 alone, according to UN estimates.

Several of these attacks have directly affected both South Korea and the United States. For instance, in 2017 and 2018, North Korean hackers successfully infiltrated two of South Korea’s largest cryptocurrency exchanges, Youbit and Bithumb. Hackers stole approximately $39 million, and the intrusion even led to Youbit’s bankruptcy.

Similarly, the U.S. Justice Department revealed in September 2020 how North Korean hackers stole and laundered funds from an unnamed U.S. cryptocurrency exchange in 2019 and coordinated money laundering schemes with U.S.-based criminals to support cybercriminal efforts, specifically fraudulent ATM transactions.

Daily NK, an online news publication that relies on a “robust network” of sources inside North Korea, reported in February 2021 that North Korea had established a new elite cyber organization called Bureau 325 to steal both COVID-19 vaccine research and money. Daily NK’s source added that the Central Committee, the ruling Korean Workers Party’s highest decision-making organization, ordered that North Korea’s cybercriminal efforts need to be “more professional and encompass a larger scope than before.” If this report is true, the United States and South Korea could see Pyongyang ramp up its cybercriminal efforts soon.

To respond to this evolving threat, the alliance’s new working group should focus on boosting mutual transparency by providing the most current intelligence on new malware threats, targets, and methods of intrusions. Fortunately, the U.S. Justice Department and law enforcement agencies have disclosed extensive information on a multitude of North Korean cybercriminal schemes, ranging from bank and cryptocurrency-exchange theft to money laundering operations. Leveraging Washington’s and Seoul’s insights will be essential to punishing perpetrators and anticipating and preparing for future risks and threats.

Moving forward, the U.S.-ROK alliance should also craft offensive measures to support a shared cyber strategy in order to meet the U.S. Defense Department’s objective of “defend[ing] forward to disrupt or halt malicious cyber activity at its source.” Such options could include offensive cyber operations, economic sanctions, judicial indictments, and diplomacy as well as improving the cyber capabilities of like-minded countries. Retaining coercive options as well as defensive ones will be essential for Washington and Seoul to deter North Korea’s malicious cyber activity.

Mathew Ha is a research analyst focused on North Korea at the Foundation for Defense of Democracies (FDD), where he also contributes to FDD’s Center on Cyber and Technology Innovation (CCTI). Follow Mathew on Twitter @MatJunsuk. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.

