In only a few short years, North Korea’s hacking operations have emerged as a serious threat to governments and industries around the world. The country is indiscriminate in its targets, hacking financial systems to fund its operations, disseminating ransomware to create more mischief, and breaking into companies and government agencies to steal industrial and state secrets.
This combination of cybercrime and cyber-terrorism makes it unique. Unlike China or Iran, also state sponsors of cyberterrorism, North Korea doesn’t focus just on intelligence targets. It goes after the money, and it’s been highly successful. According to the U.S. Justice Department, North Korea has stolen more than $1.3 billion through its cybercrime attacks.
That doesn’t mean that North Korea is motivated only by financial gains or, in the case of the 2014 Sony Pictures breach, to slap at a giant corporation it saw as disrespectful. The tiny, secretive nation uses cybercrime to fund its military, and it uses cyber warfare to continue its conflict with South Korea and its biggest ally, the United States. The U.S. has invested heavily in the safety of South Korea. Imagine if the U.S. is rendered helpless from a cyber-attack. It could leave South Korea vulnerable to attack from its most dangerous enemy. As far as North Korea is concerned, its use of cybercrime is a form of asymmetrical warfare, and it’s how they attack nations that are larger and better armed with conventional weapons.
Why North Korean Cyberwarfare Is So Effective
North Korea stands out among other cybercrime operations and state-sponsored cyberterrorists for several reasons. For one thing, they overtly train their people for cyberwarfare, and as a result, they are far more technologically adept than Russian or Iranian hackers, for instance. They identify promising students early, in some cases as young as 10, and give them intensive computer science training, rewarding them with perks that are rare for their impoverished country. They’ve specifically trained their hackers to conduct coordinated attacks on ATMs, using “white plastic” (unmarked debit cards with stolen account numbers and pins) to withdraw money under the reporting limit.
North Korean hackers are masters at social engineering and phishing. They’ve inserted state-sponsored individuals into government agencies. No other Advanced Persistent Threat (APT) group can match their technological prowess. They are extremely good at zero-day exploits, in which they can make an attack as soon as they discover a weakness. And as mentioned above, they see South Korea and the U.S. as an existential threat, and so they are driven by ideology. There’s nothing off the table for them.
U.S. Critical Infrastructure: Vulnerable to Exploitations
The Cybersecurity and Infrastructure Security Agency lists 16 critical infrastructure sectors, including chemicals, communications, transportation, dams, defense, energy, nuclear, food & agriculture, and water and wastewater. These industries seem so massive and impregnable, it’s hard to imagine that they’re vulnerable to attack. Yet it is precisely because they are critical and massive that they are at risk. We can’t live and work without this infrastructure, and a crippling attack on any sector will cause great damage, potentially shutting down parts of the economy and possibly causing great loss of life.
As we saw with the Colonial Pipeline ransomware attack, any attack on U.S. critical infrastructure will be more than an inconvenience. That breach, attributed to an affiliate of the Russian hacking organization DarkSide, caused the company to shut down the flow of gas, causing disruption in a region of the country, leading to panic buying and hoarding. An attack on the electrical grid can leave millions of citizens without power for hours or days. An attack on a city water supply could turn clean water into unpotable water. Subways, rail, and air transportation can be hacked, causing disastrous accidents that could lead to loss of life. A nuclear reactor hack could be devastating.
We know that North Korea’s attacks on U.S. infrastructure have been ongoing. The country is known to have infiltrated defense, finance, telecommunications, and healthcare organizations via the so-called Operation Sharpshooter. This highly sophisticated attack uses social engineering and other methods to gain access to vulnerable systems. Because of North Korea’s ideology and its focus on cyber warfare, it might be only a matter of time before North Korea goes after mass transportation, say, or the water supply, or electrical grid – if it hasn’t already. One of the signature moves of North Korean hackers is to get in and then wait, sometimes months, for the right time to pull the trigger.
Protecting Critical Infrastructure: What Needs to Be Done
It’s only relatively recently that cybersecurity has become a priority for company executives, and even today, cybersecurity still isn’t top of mind for some company and industry leaders. Even though WannaCry was unleashed in 2017, there are still company networks out there that haven’t been patched, allowing cybercriminals to break in using the same vulnerability. Business owners may think they’re too small, or they fly under the radar, or any number of reasons why they won’t be attacked. They’re wrong. By leaving themselves vulnerable, they’re leaving all of us vulnerable.
Human nature is a funny thing. Some company executives think that getting hacked is like getting struck by lightning. Unfortunately, that’s not true – if your company has been breached once, the criminals are likely to try again. After all, they’re criminals. They’re going after the data, or the ransom, or the intelligence. If a company has lax or no security the first time, the attackers will be back.
Fortunately, there are signs that more executives are taking cybersecurity seriously. Business leaders have started to realize that the black eye from hiding a data breach is far worse than just announcing what happened and trying to rectify it. Chief information security officers used to be afraid of that first breach, and for good reason. They were usually fired along with the rest of their team. As we saw in 2017, this happened with the Equifax hack – the entire IT security group was let go. Now, we see more and more that the team stays on and works together to repair the breach.
So, what has to be done to secure our critical infrastructure? There’s no one quick fix, that’s for certain. However, company leaders can take steps to create a culture of security that can help prevent breaches, and, if hacked, help them get their systems back.
Invest in IT Security: IT should be a budget item and part of a company’s financial plan. It’s very expensive, to be sure, but the IT security team should be part of the decision-making and planning from the start. They shouldn’t just be brought in after a data breach has occurred. Companies must invest in IT security leadership, software, and employees. I’m starting to see cybersecurity operations centers in large corporations, and this is a welcome change.
Cooperate with Competitors: Companies might be competitors, but they have a common enemy in hackers. Cooperating with competitors means keeping the lines of communications open and letting each other know what your IT security team has been seeing. This goes for any company in any of the critical infrastructure sectors. Communicate with your competitors.
Employee and Executive Training: Every company, no matter how small, can establish a cybersecurity training plan. Make cyber awareness a priority for your company. Establish policies that protect data, even something as simple as a clean desk policy, and enforce it for everyone. The North Koreans excel at spear-phishing and social engineering. Conduct ongoing training of your employees and executives on how to identify and report phishing attempts. Penetration testing should be a regular part of your cybersecurity operations.
Work with CISA: CISA acts as a clearinghouse to identify attacks. Regional security advisors work with private companies and the federal government to collect and collate information on attacks. Right now, it’s not mandatory for private companies to share information, but it could very possibly become a federal requirement, especially as attacks become more egregious.
If Hacked, Act Fast: Companies need to act fast if they’ve been hit with malware or ransomware. They need to contact law enforcement and put their recovery plan into action. Companies may have an internal security operations center, or they can contract out to an incident response team. Again, communication is key, especially with internal or external security experts, CISA, and government officials.
Endpoint Security Tools: Managed security services providers offer a range of tools to protect companies against attack, but they don’t come cheap. Their price tags can be in the millions of dollars, and they require a lot of computing power as well, especially for cloud-based solutions. However, these tools are an effective defense against cyberattacks. Endpoint security tools let network administrators isolate a virus before it gets into a network, and reverse-engineer it. It’s a great way to get vital intelligence about what kind of virus it is, and which Advanced Persistent Threat group is responsible for it.
End-User Behavioral Analytics: Another technology, end-user behavioral analytics, lets a company establish a baseline of employee activity, and then analyzes employee behavior to see what changes. This can help identify an employee who is acting with ill-intent or who has been compromised, potentially cutting off an attack before it gets established, or stopping a social engineering or phishing attempt.
Federal Law Enforcement: Federal law enforcement agencies work together to counter cyberattacks. As a former FBI analyst and Secret Service agent, I can promise you that there’s some friendly rivalry between agencies, but government organizations are mandated to cooperate. We also work with our foreign counterparts, exchanging information through our respective embassies. Preventing cyberattacks is an “all hands on deck” operation, and the more private companies work with federal agencies, reporting breaches and exchanging intel, the stronger we will be.
Critical Infrastructure Attack: Not If, But When
It’s my belief that the spate of cyberattacks has finally gotten the government and industry attention that it needs. In my career as a cybersecurity analyst and now as a professor, I’ve seen a change in attitude from industry and government leaders. What was once considered a rare event, nothing more than a nuisance, has finally gotten the attention that in my opinion it has always deserved.
We need to make use of this attention to think about preventing the "Big One," a major disaster caused by a foreign state-sponsored cyberattack, most probably from North Korea. The country has the means, the motive, the technology, and perhaps most importantly, the ideology to drive such an attack.
Imagine an attack on the D.C. Metro, or the New York City subway, or the recent hammer passenger attack on the Chicago CTA Red Line, which was horrific because it’s a very accessible sector and it involves the loss of human life, not just a data breach. These are the things we have to be on guard about, and we have to be proactive about preventing such an attack because if we aren’t, the alternative is unthinkable.
It’s not too late to look for solutions. President Biden signed an executive order mandating government agencies to share information regarding cyber threats and incidents. We need to focus on training and prevention, as outlined above. And we need to overcome our shortage of cybersecurity talent to counter the threat from North Korea. As a professor, that’s one of the challenges I am trying to address, to help build that pipeline of skilled students and graduates who can take on the role of protecting our critical infrastructure.
Finally, every company, no matter if it’s a small shop or a publicly traded corporation, must take cybersecurity seriously. Gone are the days when a company can put off a cybersecurity strategy or wait until they get hacked to do something about it. Company leaders have to be proactive, despite the expense, because the alternative could be a catastrophe.
So, develop a plan. Train employees and executives in best practices. Hire a cybersecurity team in-house or outsource to a managed security services provider. Communicate with government officials, industry colleagues, and others to identify anomalies and compare notes.
The time to act is now.
Dr. Brian Gant is an Assistant Professor of Cybersecurity at Maryville University and has over 18 years of corporate and federal government experience in analytics, threat intelligence, critical infrastructures and executive protection.