• Home
  • About RSIS
    • Introduction
    • Building the Foundations
    • Welcome Message
    • Board of Governors
    • Staff Profiles
      • Executive Deputy Chairman’s Office
      • Dean’s Office
      • Management
      • Distinguished Fellows
      • Faculty and Research
      • Associate Research Fellows, Senior Analysts and Research Analysts
      • Visiting Fellows
      • Adjunct Fellows
      • Administrative Staff
    • Honours and Awards for RSIS Staff and Students
    • RSIS Endowment Fund
    • Endowed Professorships
    • Career Opportunities
    • Getting to RSIS
  • Research
    • Research Centres
      • Centre for Multilateralism Studies (CMS)
      • Centre for Non-Traditional Security Studies (NTS Centre)
      • Centre of Excellence for National Security (CENS)
      • Institute of Defence and Strategic Studies (IDSS)
      • International Centre for Political Violence and Terrorism Research (ICPVTR)
    • Research Programmes
      • National Security Studies Programme (NSSP)
      • Studies in Inter-Religious Relations in Plural Societies (SRP) Programme
    • [email protected] Newsletter
    • Other Research
      • Future Issues And Technology (FIT)
      • Science and Technology Studies Programme (STSP) (2017-2020)
  • Graduate Education
    • Graduate Programmes Office
    • Overview
    • MSc (Asian Studies)
    • MSc (International Political Economy)
    • MSc (International Relations)
    • MSc (Strategic Studies)
    • NTU-Warwick Double Masters Programme
    • PhD Programme
    • Exchange Partners and Programmes
    • How to Apply
    • Financial Assistance
    • Meet the Admissions Team: Information Sessions and other events
    • RSIS Alumni
  • Alumni & Networks
    • Alumni
    • Asia-Pacific Programme for Senior Military Officers (APPSMO)
    • Asia-Pacific Programme for Senior National Security Officers (APPSNO)
    • SRP Executive Programme
    • Terrorism Analyst Training Course (TATC)
  • Publications
    • RSIS Publications
      • Annual Reviews
      • Books
      • Bulletins and Newsletters
      • Commentaries
      • Counter Terrorist Trends and Analyses
      • Commemorative / Event Reports
      • IDSS Paper
      • Interreligious Relations
      • Monographs
      • NTS Insight
      • Policy Reports
      • Working Papers
      • RSIS Publications for the Year
    • Glossary of Abbreviations
    • External Publications
      • Authored Books
      • Journal Articles
      • Edited Books
      • Chapters in Edited Books
      • Policy Reports
      • Working Papers
      • Op-Eds
      • External Publications for the Year
    • Policy-relevant Articles Given RSIS Award
  • Media
    • Cohesive Societies
    • Great Powers
    • Sustainable Security
    • COVID-19 Resources
    • Other Resource Pages
    • Media Highlights
    • News Releases
    • Speeches
    • Vidcast Channel
    • Audio/Video Forums
  • Events
  • Giving
  • Contact Us
Facebook
Twitter
YouTube
RSISVideoCast RSISVideoCast rsis.sg
Linkedin
instagram instagram rsis.sg
RSS
  • Home
  • About RSIS
      • Introduction
      • Building the Foundations
      • Welcome Message
      • Board of Governors
      • Staff Profiles
        • Executive Deputy Chairman’s Office
        • Dean’s Office
        • Management
        • Distinguished Fellows
        • Faculty and Research
        • Associate Research Fellows, Senior Analysts and Research Analysts
        • Visiting Fellows
        • Adjunct Fellows
        • Administrative Staff
      • Honours and Awards for RSIS Staff and Students
      • RSIS Endowment Fund
      • Endowed Professorships
      • Career Opportunities
      • Getting to RSIS
  • Research
      • Research Centres
        • Centre for Multilateralism Studies (CMS)
        • Centre for Non-Traditional Security Studies (NTS Centre)
        • Centre of Excellence for National Security (CENS)
        • Institute of Defence and Strategic Studies (IDSS)
        • International Centre for Political Violence and Terrorism Research (ICPVTR)
      • Research Programmes
        • National Security Studies Programme (NSSP)
        • Studies in Inter-Religious Relations in Plural Societies (SRP) Programme
      • [email protected] Newsletter
      • Other Research
        • Future Issues And Technology (FIT)
        • Science and Technology Studies Programme (STSP) (2017-2020)
  • Graduate Education
      • Graduate Programmes Office
      • Overview
      • MSc (Asian Studies)
      • MSc (International Political Economy)
      • MSc (International Relations)
      • MSc (Strategic Studies)
      • NTU-Warwick Double Masters Programme
      • PhD Programme
      • Exchange Partners and Programmes
      • How to Apply
      • Financial Assistance
      • Meet the Admissions Team: Information Sessions and other events
      • RSIS Alumni
  • Alumni & Networks
      • Alumni
      • Asia-Pacific Programme for Senior Military Officers (APPSMO)
      • Asia-Pacific Programme for Senior National Security Officers (APPSNO)
      • SRP Executive Programme
      • Terrorism Analyst Training Course (TATC)
  • Publications
      • RSIS Publications
        • Annual Reviews
        • Books
        • Bulletins and Newsletters
        • Commentaries
        • Counter Terrorist Trends and Analyses
        • Commemorative / Event Reports
        • IDSS Paper
        • Interreligious Relations
        • Monographs
        • NTS Insight
        • Policy Reports
        • Working Papers
        • RSIS Publications for the Year
      • Glossary of Abbreviations
      • External Publications
        • Authored Books
        • Journal Articles
        • Edited Books
        • Chapters in Edited Books
        • Policy Reports
        • Working Papers
        • Op-Eds
        • External Publications for the Year
      • Policy-relevant Articles Given RSIS Award
  • Media
      • Cohesive Societies
      • Great Powers
      • Sustainable Security
      • COVID-19 Resources
      • Other Resource Pages
      • Media Highlights
      • News Releases
      • Speeches
      • Vidcast Channel
      • Audio/Video Forums
  • Events
  • Giving
  • Contact Us
  • instagram instagram rsis.sg
Connect

Getting to RSIS

Map

Address

Nanyang Technological University
Block S4, Level B3,
50 Nanyang Avenue,
Singapore 639798

View location on Google maps Click here for directions to RSIS

Get in Touch

    Connect with Us

      rsis.ntu
      rsis_ntu
      rsisntu
    RSISVideoCast RSISVideoCast rsisvideocast
      school/rsis-ntu
    instagram instagram rsis.sg
      RSS
    Subscribe to RSIS Publications
    Subscribe to RSIS Events

    RSIS Intranet

    S. Rajaratnam School of International Studies Think Tank and Graduate School Ponder The Improbable Since 1966
    Nanyang Technological University Nanyang Technological University

    Skip to content

     
    • RSIS
    • Publication
    • RSIS Publications
    • The Cyber Threat from Pyongyang
    • Annual Reviews
    • Books
    • Bulletins and Newsletters
    • Commentaries
    • Counter Terrorist Trends and Analyses
    • Commemorative / Event Reports
    • IDSS Paper
    • Interreligious Relations
    • Monographs
    • NTS Insight
    • Policy Reports
    • Working Papers
    • RSIS Publications for the Year

    CO23001 | The Cyber Threat from Pyongyang
    Nah Liang Tuang

    05 January 2023

    download pdf
    RSIS Commentary is a platform to provide timely and, where appropriate, policy-relevant commentary and analysis of topical and contemporary issues. The authors’ views are their own and do not represent the official position of the S. Rajaratnam School of International Studies (RSIS), NTU. These commentaries may be reproduced with prior permission from RSIS and due credit to the author(s) and RSIS. Please email to Editor RSIS Commentary at [email protected].

    SYNOPSIS

    Poverty-stricken North Korea spends a lot of its national resources on the military, including cyber, capabilities. Its cyber units, especially Bureau 121, are assumed to possess sophisticated cyber espionage capabilities, operating systems, and intrusion software; and the expertise to create highly destructive malware deliverable online to networked computers, or to standalone systems autonomous of the internet. Military and national security planners must implement relevant threat mitigation measures in the face of Pyongyang’s cyber offensives.

    230601 CO23001 The Cyber Threat from Pyongyang
    Source: Freepik

    COMMENTARY

    North Korea’s numerous missile tests in 2022, amid fears that it could also test a nuclear device, amounted to a well-worn strategy designed to put pressure on the US, South Korea, and Japan. However, it is inconceivable that Pyongyang would actually launch ballistic missiles at any of these countries as this would invite massive retaliation from the US and its allies. North Korea is more likely to continue with its cyber operations, which have been disruptive. The international community ought to be on guard against the actions of its cyber units, including the elite Bureau 121.

    Refocusing on the Cyber Threat

    For a nation where few have access to computers of any kind, and internet access is prohibited, North Korea or the Democratic People’s Republic of Korea (DPRK) maintains a well-resourced, talented and highly trained cyber unit in the form of Bureau 121. This unit also operates from DPRK-friendly states like Belarus, China, India and Russia in order to circumvent North Korea’s poor IT infrastructure and to mask the source of its online offensives.

    From what is publicly known, in retaliation for the 2014 release of the movie, “The Interview”, which was about the fictional assassination of Kim Jong-un, Bureau 121 or associated cyber operatives were thought to be responsible for the online theft of commercially damaging confidential information belonging to Sony Pictures Entertainment. Additionally, malware was used to erase Sony’s vital operating systems.

    Another cyber-attack by Pyongyang was the 2016 online infiltration of the Central Bank of Bangladesh, which resulted in US$81 million of Bangladesh’s sovereign funds being illicitly withdrawn from their Federal Reserve Bank of New York account. Of this, only US$18 million was recovered.

    But beyond commercial sabotage and grand theft, North Korean cyber-attacks can jeopardise national security and cause massive damage. The following section provides three possible scenarios in which such attacks can take place and for which countermeasures would be advisable.

    Possible Cyber-attack Scenarios

    The first scenario begins with the identification of key personnel from the military industrial complexes or government defence establishments of adversary states, who are deemed to be corrupt, susceptible to corruption or have compromising weaknesses. Pyongyang’s cyber agents then employ purpose-built search engines to conduct exhaustive reconnaissance of the targeted organisation’s system portals, which are in contact with the internet. Those managed by vulnerable software are then subjected to intrusion attacks by dedicated operating systems optimised to exploit such vulnerabilities.

    Once entry into targeted networks is made, Bureau 121 then proceeds to steal non-encrypted data. A greater danger lies in its use of the organisational databases to locate the accounts of susceptible individuals, whose passwords can be derived from the victims’ background details using software applications. Thereafter, these victims can be framed by the planting of fake evidence alleging corruption, or be bribed in various ways, or blackmailed into performing nationally detrimental activities such as providing de-encrypted secrets. Such cyber espionage is insidious as it quietly undermines the targeted state’s security apparatus from within.

    In the second scenario, the vulnerabilities created in the first scenario could be exploited to inflict greater harm. If compromised victims can be manipulated, motivated, or coerced into inserting a malware-infected data storage device into the standalone systems of vital infrastructure like water purification facilities, road traffic management systems, and rail transportation control systems, the results could be disastrous.

    For government departments or large firms whose computer networks are linked to their employee’s emails, the risk of malware infection is even greater. In such cases, the hackers can employ “spear phishing” attacks where small groups of individuals within these entities, identified via intrusion-based database reconnaissance, are investigated using available information sources. Emails can then be sent bearing malware infected attachments, which when opened, would spread malware into the network.

    Beyond the physical catastrophes that could result from a malware-induced collapse of the aforementioned essential public services, public confidence in the authorities could also be affected. For instance, if “spear phishing” implanted malware resulted in incorrect pension payments and overstated tax bills nation-wide, there would be much public anger. During an election year, such vulnerabilities would allow the Kim regime to interfere in the domestic politics of targeted countries.

    The third scenario is surgical and nefarious. After a successful network intrusion, the cyber operatives could seek out the personnel records of significant foreign officials strongly opposed to Pyongyang. The objectives would be to uncover the residential addresses of such persons, along with their vehicle licence plate numbers, and any other downloadable non-encrypted professional details. As with “spear phishing”, internet-based research will collect available information about the target’s private life to derive a holistic individual dossier, which can assist in creating an invitation to a fictitious event.

    When the fake invitation is accepted, the espionage agents will then plant a remotely activated GPS spoofing device on the victim’s car. Since the fictitious event will be held in an unfamiliar location, the victim will probably rely on GPS for navigation wherein the spoofing device would be activated. This device will replace the real GPS map with one that will lead the victim to a location where he or she would be kidnapped or dispatched. The technology to undertake this is available.

    These scenarios could apply to any nation with a sufficiently developed IT infrastructure. In the case of North Korea, concerns about its nuclear weapons programme should not cause us to overlook the threat of its cyber capabilities. How then should we deal with the threat?

    Constant Vigilance and Preventive Measures

    At the operational level, IT security technicians need to ensure that online infiltration filters like firewalls are constantly updated, networks frequently screened for malware, security software kept current, and data encryption protocols enforced, amongst other essential measures. Relevant authorities need to mandate that cyber security procedures be followed not only by government organisations and the defence industry, but also by all national security contractors.

    Employees and IT users at all levels and in all security and defence related entities need to be taught network security and cyber hygiene, with annual recertification tests. Secure use of the internet and email including password setting, guarding against “spear phishing”, etc., need to be taught.

    As for protecting standalone systems from physical malware infiltration, the recommendations include hardware surveillance like monitoring of equipment to detect abnormalities, and automatic shutdown to prevent damage from sabotage. Additionally, a precaution against compromised staff wilfully infecting the system is malware screening of all data storage devices, and regulated access to industrial networks guarded by biometric scans and security cameras.

    Regarding abduction and/or assassination facilitated by GPS spoofing, preventive avoidance involves greater attention to personal security. Specifically, senior personnel should be advised that they are at risk from hostile intelligence agencies and to exercise caution when accepting invitations. When travelling to unfamiliar destinations, they ought to preview what the venue and its vicinity look like at street level using reliable e-platforms or be accompanied by other staff members.

    Finally, cyber defence cooperation ought to be coordinated at the regional level, with friendly countries sharing intelligence about new malware, attack methodologies, target emphasis or other useful information about hostile cyber agencies.

    Notwithstanding the headline grabbing potential of the DPRK’s missile and nuclear programmes, it bears emphasising that the North Korean cyber threat is ever present, which necessitates sustained vigilance and defensive efforts.

    About the Author

    Nah Liang Tuang, PhD, is a Research Fellow at the Institute of Defence and Strategic Studies (IDSS), a constituent unit of the S. Rajaratnam School of International Studies (RSIS), Nanyang Technological University (NTU), Singapore. His research interests include nuclear weapons politics, North Korean affairs, and the role of nationalism in the defence of small states.

    Categories: Commentaries / Country and Region Studies / International Politics and Security / Technology and Future Issues / East Asia and Asia Pacific / Global / South Asia / Southeast Asia and ASEAN

    Last updated on 05/01/2023

    comments powered by Disqus
    RSIS Commentary is a platform to provide timely and, where appropriate, policy-relevant commentary and analysis of topical and contemporary issues. The authors’ views are their own and do not represent the official position of the S. Rajaratnam School of International Studies (RSIS), NTU. These commentaries may be reproduced with prior permission from RSIS and due credit to the author(s) and RSIS. Please email to Editor RSIS Commentary at [email protected].

    SYNOPSIS

    Poverty-stricken North Korea spends a lot of its national resources on the military, including cyber, capabilities. Its cyber units, especially Bureau 121, are assumed to possess sophisticated cyber espionage capabilities, operating systems, and intrusion software; and the expertise to create highly destructive malware deliverable online to networked computers, or to standalone systems autonomous of the internet. Military and national security planners must implement relevant threat mitigation measures in the face of Pyongyang’s cyber offensives.

    230601 CO23001 The Cyber Threat from Pyongyang
    Source: Freepik

    COMMENTARY

    North Korea’s numerous missile tests in 2022, amid fears that it could also test a nuclear device, amounted to a well-worn strategy designed to put pressure on the US, South Korea, and Japan. However, it is inconceivable that Pyongyang would actually launch ballistic missiles at any of these countries as this would invite massive retaliation from the US and its allies. North Korea is more likely to continue with its cyber operations, which have been disruptive. The international community ought to be on guard against the actions of its cyber units, including the elite Bureau 121.

    Refocusing on the Cyber Threat

    For a nation where few have access to computers of any kind, and internet access is prohibited, North Korea or the Democratic People’s Republic of Korea (DPRK) maintains a well-resourced, talented and highly trained cyber unit in the form of Bureau 121. This unit also operates from DPRK-friendly states like Belarus, China, India and Russia in order to circumvent North Korea’s poor IT infrastructure and to mask the source of its online offensives.

    From what is publicly known, in retaliation for the 2014 release of the movie, “The Interview”, which was about the fictional assassination of Kim Jong-un, Bureau 121 or associated cyber operatives were thought to be responsible for the online theft of commercially damaging confidential information belonging to Sony Pictures Entertainment. Additionally, malware was used to erase Sony’s vital operating systems.

    Another cyber-attack by Pyongyang was the 2016 online infiltration of the Central Bank of Bangladesh, which resulted in US$81 million of Bangladesh’s sovereign funds being illicitly withdrawn from their Federal Reserve Bank of New York account. Of this, only US$18 million was recovered.

    But beyond commercial sabotage and grand theft, North Korean cyber-attacks can jeopardise national security and cause massive damage. The following section provides three possible scenarios in which such attacks can take place and for which countermeasures would be advisable.

    Possible Cyber-attack Scenarios

    The first scenario begins with the identification of key personnel from the military industrial complexes or government defence establishments of adversary states, who are deemed to be corrupt, susceptible to corruption or have compromising weaknesses. Pyongyang’s cyber agents then employ purpose-built search engines to conduct exhaustive reconnaissance of the targeted organisation’s system portals, which are in contact with the internet. Those managed by vulnerable software are then subjected to intrusion attacks by dedicated operating systems optimised to exploit such vulnerabilities.

    Once entry into targeted networks is made, Bureau 121 then proceeds to steal non-encrypted data. A greater danger lies in its use of the organisational databases to locate the accounts of susceptible individuals, whose passwords can be derived from the victims’ background details using software applications. Thereafter, these victims can be framed by the planting of fake evidence alleging corruption, or be bribed in various ways, or blackmailed into performing nationally detrimental activities such as providing de-encrypted secrets. Such cyber espionage is insidious as it quietly undermines the targeted state’s security apparatus from within.

    In the second scenario, the vulnerabilities created in the first scenario could be exploited to inflict greater harm. If compromised victims can be manipulated, motivated, or coerced into inserting a malware-infected data storage device into the standalone systems of vital infrastructure like water purification facilities, road traffic management systems, and rail transportation control systems, the results could be disastrous.

    For government departments or large firms whose computer networks are linked to their employee’s emails, the risk of malware infection is even greater. In such cases, the hackers can employ “spear phishing” attacks where small groups of individuals within these entities, identified via intrusion-based database reconnaissance, are investigated using available information sources. Emails can then be sent bearing malware infected attachments, which when opened, would spread malware into the network.

    Beyond the physical catastrophes that could result from a malware-induced collapse of the aforementioned essential public services, public confidence in the authorities could also be affected. For instance, if “spear phishing” implanted malware resulted in incorrect pension payments and overstated tax bills nation-wide, there would be much public anger. During an election year, such vulnerabilities would allow the Kim regime to interfere in the domestic politics of targeted countries.

    The third scenario is surgical and nefarious. After a successful network intrusion, the cyber operatives could seek out the personnel records of significant foreign officials strongly opposed to Pyongyang. The objectives would be to uncover the residential addresses of such persons, along with their vehicle licence plate numbers, and any other downloadable non-encrypted professional details. As with “spear phishing”, internet-based research will collect available information about the target’s private life to derive a holistic individual dossier, which can assist in creating an invitation to a fictitious event.

    When the fake invitation is accepted, the espionage agents will then plant a remotely activated GPS spoofing device on the victim’s car. Since the fictitious event will be held in an unfamiliar location, the victim will probably rely on GPS for navigation wherein the spoofing device would be activated. This device will replace the real GPS map with one that will lead the victim to a location where he or she would be kidnapped or dispatched. The technology to undertake this is available.

    These scenarios could apply to any nation with a sufficiently developed IT infrastructure. In the case of North Korea, concerns about its nuclear weapons programme should not cause us to overlook the threat of its cyber capabilities. How then should we deal with the threat?

    Constant Vigilance and Preventive Measures

    At the operational level, IT security technicians need to ensure that online infiltration filters like firewalls are constantly updated, networks frequently screened for malware, security software kept current, and data encryption protocols enforced, amongst other essential measures. Relevant authorities need to mandate that cyber security procedures be followed not only by government organisations and the defence industry, but also by all national security contractors.

    Employees and IT users at all levels and in all security and defence related entities need to be taught network security and cyber hygiene, with annual recertification tests. Secure use of the internet and email including password setting, guarding against “spear phishing”, etc., need to be taught.

    As for protecting standalone systems from physical malware infiltration, the recommendations include hardware surveillance like monitoring of equipment to detect abnormalities, and automatic shutdown to prevent damage from sabotage. Additionally, a precaution against compromised staff wilfully infecting the system is malware screening of all data storage devices, and regulated access to industrial networks guarded by biometric scans and security cameras.

    Regarding abduction and/or assassination facilitated by GPS spoofing, preventive avoidance involves greater attention to personal security. Specifically, senior personnel should be advised that they are at risk from hostile intelligence agencies and to exercise caution when accepting invitations. When travelling to unfamiliar destinations, they ought to preview what the venue and its vicinity look like at street level using reliable e-platforms or be accompanied by other staff members.

    Finally, cyber defence cooperation ought to be coordinated at the regional level, with friendly countries sharing intelligence about new malware, attack methodologies, target emphasis or other useful information about hostile cyber agencies.

    Notwithstanding the headline grabbing potential of the DPRK’s missile and nuclear programmes, it bears emphasising that the North Korean cyber threat is ever present, which necessitates sustained vigilance and defensive efforts.

    About the Author

    Nah Liang Tuang, PhD, is a Research Fellow at the Institute of Defence and Strategic Studies (IDSS), a constituent unit of the S. Rajaratnam School of International Studies (RSIS), Nanyang Technological University (NTU), Singapore. His research interests include nuclear weapons politics, North Korean affairs, and the role of nationalism in the defence of small states.

    Categories: Commentaries / Country and Region Studies / International Politics and Security / Technology and Future Issues

    Last updated on 05/01/2023

    Back to top

    Terms of Use | Privacy Statement
    Copyright © S. Rajaratnam School of International Studies. All rights reserved.
    This site uses cookies to offer you a better browsing experience. By continuing, you are agreeing to the use of cookies on your device as described in our privacy policy. Learn more
    OK
    Latest Book
    The Cyber Threat from Pyongyang

    SYNOPSIS

    Poverty-stricken North Korea spends a lot of its national resources on the military, including cyber, capabilities. Its cyber units, especially Bur ...
    more info