North Korea’s evolving and flexible hacking structure encompasses a wide range of malicious activity beyond stealing from cryptocurrency exchanges, fueled by a small but nimble cyber workforce.

State-backed North Korean hackers have stolen an estimated $2 billion or more in funds from cryptocurrency organizations and banks in 30 cyberattacks over the past five years, primarily to help fund its weapons of mass destruction and ballistic missile programs. In 2023 alone, North Korean hackers have stolen $340 million in cryptocurrency assets, not including the estimated $150 million US government officials believe they stole from blockchain transaction firm Mixin in late September 2023.

But a timeline of recent cyber-related efforts shows that the North Korean regime has broader goals extending far beyond financial theft, illustrating how one of the world’s top digital adversaries is a versatile threat actor capable of a range of malicious acts.

Experts say that the cyber program run by North Korea, or the Democratic People’s Republic of Korea (DPRK), is fluid and flexible, nimbly adapting to various activities, thanks partly to highly skilled, youthful hackers. Finally, some experts suggest that while North Korea has seemingly cooled its destructive actions since creating global havoc with the WannaCry worm in 2017, that’s because of a change in Pyongyang’s focus and not a diminution of capability.

Recent North Korean cyber timeline

On top of the continuous financial threats, a steady stream of diverse verified and suspected North Korean malicious cyber activity has come to light over the past two years, including:

• April 2022: The North Korean group known as Lazarus conducted an espionage campaign targeting organizations operating within the chemical sector as part of Operation Dream Job.
• April 2022: The North Korean-linked Stonefly group continues to mount espionage attacks against highly specialized engineering companies to obtain sensitive intellectual property from critically essential sectors such as energy, aerospace, and military equipment.
• February 2023: The US National Security Agency (NSA), Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA), along with other groups, released an updated cybersecurity advisory related to the ransomware activities of a DPRK group known as Andariel.
• April 2023: ARCHIPELAGO, a subset of a North Korean threat group known as APT43 or Kimsuky, was targeting with spear phishing emails individuals with expertise in North Korean policy issues such as sanctions, human rights, and non-proliferation issues, directing them to a phishing page with supposed media interview questions or RFIs to steal their Google passwords.
• April 2023: In a double supply chain attack, a nexus cluster of activity tracked as UNC4736, related to financially motivated North Korean AppleJeus activity, compromised enterprise software company 3CX’s network via malicious software downloaded from futures platform Trading Technologies website.
• August 2023: North Korean hackers compromised the sensitive internal IT infrastructure of US-sanctioned Russian missile engineering company NPO Mashinostroyeniya, with North Korean threat actor ScarCruft compromising the email service and Lazarus compromising the company’s internal network.
• September 2023: After masquerading as a recruiter for Meta in a credential-stealing phishing campaign, North Korea’s Lazarus group attacked an aerospace company in Spain where it deployed several tools, including a publicly undocumented backdoor called LightlessCan.
• October 2023: South Korea’s National Intelligence Service said that North Korean hackers are targeting the South’s shipbuilding industry to steal technical data that could strengthen the North’s navy.
• October 2023: Two North Korean nation-state threat actors, Diamond Sleet, also known as ZINC,  and Onyx Sleet, also known as Plutonium, are exploiting a remote code execution vulnerability affecting multiple versions of JetBrains TeamCity server, opportunistically compromising vulnerable servers while also deploying malware and tools and using techniques that may enable persistent access to victim environments.
• October 2023: The US government seized 17 website domains used by North Korean information technology (IT) workers to defraud US and foreign businesses, evade sanctions, and fund the development of the government’s weapons program.

Evolving, adaptable structure makes attribution difficult

Based on these wide ranges of activities, it’s clear that North Korea’s cyber program is adaptable and complex. Researchers at Mandiant recently produced an updated assessment of North Korea’s cyber structure, noting a “significant multiyear shift and blend in the country’s cyber posture,” with overlaps in targeting and tool sharing among the various arms of the DPRK cyber program, making attribution to any particular North Korean group challenging.

Mandiant concluded that “the DPRK cyber landscape has changed tremendously, and overlapping indicators, which would traditionally be tracked individually to these separate organizations, seemingly signal a growing adaptability and collaboration” among the various groups that collectively make up North Korea's cyber program.

“We have too many people right now in the public and the private sector that are focusing on who done it when really Kim Jong Un, he’s trying to confuse you,” Michael Barnhart, Mandiant’s lead on DPRK cyber collection, analysis, reporting, and tracking, tells CSO. “He’s moving people around. He doesn’t care that we have a hard time tracking him. It’s not in his best interest to do that. Attribution matters, but we might have to go about it a different way because it’s very clear that they’re muddling everything.”

This muddling has accelerated since the COVID-19 pandemic, when “the regime was forced to modify their operations in 2020 as the pandemic hardened borders around the world; most notably within the Korean Peninsula and China,” Mandiant concluded.

“So, whenever they got blocked and couldn’t return to the country, they had to get crafty,” Barnhart says. “And you can see that [the various DPRK hacking groups] are talking more, and they’re collaborating more, and that’s going to be problems for us.”

Nimble cyber workforce punches above its weight

Unlike the offensive and defensive teams in other countries with well-established cyber units, North Korea’s hacking unit is comparably small. It is also stocked with skilled, all-purpose workers capable of shifting from mission to mission. “They can do it all, and it’s unreal,” Barnhart says.

Mandiant highlights Park Jin Hyok, currently on the FBI’s most-wanted list, as an example of DPRK hackers’ “ability to conduct activities at high levels of sophistication and execution, then immediately pivot to separate tasks and maintain that same level of execution” from blockchain and cryptocurrency hacking to supply chain attacks to espionage and more.

“This guy was involved in the Sony hack [in 2014]. That’s the first big indictment,” Barnhart says. Park is also connected to the 2016 theft of $81 million from Bangladesh Bank, the development of WannaCry, and the infiltration of US defense contractors in 2016 and 2017, among other campaigns. “These guys are absolutely skilled at the very, very top levels. And they can pivot on those levels, too,” according to Barnhart.

“North Korea is one of those states that tends to punch above its weight in cyberspace,” Dick O’Brien, Principal Intelligence Analyst at Symantec, tells CSO. “They have, relative to the country’s size, quite a large cyber-espionage capability that is particularly active.”

North Korean cyber workers are 'very capable'

Although lacking the same kind of scale of capability and resources as, for example, Russia, North Korea is “quite an unusual power in cyberspace,” O’Brien says. “A lot of nation-state sponsored activity is old-fashioned, old-school espionage intelligence gathering, whether for political purposes or the acquisition of intellectual property. North Korea does do that, but it does an awful lot more than that.”

O’Brien echoes Barnhart’s estimation of the skill of DPRK cyber workers. “Some of the people they have working for them, I would consider to be very, very capable. There is one group that we call Stonefly, and every attack we’ve seen them involved in, they’re quite selective. We don’t see them that often, but it’s usually been against some high-value intellectual property. They are very good at staging intrusions on fairly well-resourced organizations, organizations that prioritize their security, and that’s not easy.”

Given the closed and tightly controlled nature of North Korea, it’s hard to gain clear visibility into the country’s cyber workforce. Still, Tom Hegel, Principal Threat Researcher at Sentinel One, thinks a lot of innovation is coming from a creative, young, technically savvy group of hackers that probably “has no other option but to just do whatever they can to get the mission done just by pure force on their end.”

“They’re doing things that you would never see like a professional state-backed operation doing, just throwing darts at the wall and seeing what sticks,” Hegel says. “So, to me, it signifies a very creative operator-driven environment rather than a top-down orchestrated world that you’d see in China, the West, or anything like that.” But, he adds, “I would say every leading nation right now has one division or another within their structure that is highly skilled, highly nimble, and is typically given free rein to do what they need.”

Will the DPRK return to destructive operations?

While diverse and sophisticated, none of the recently revealed activity of North Korea’s hacking efforts falls in the category of destructive activity on par with WannaCry or the Sony hack. But experts say that’s cold comfort because the North Korean hacking apparatus can still launch destructive operations if given the mission to do so.

“You need to take a step back and look at what they’ve done because then that’ll tell you how far they’re willing to push the envelope,” Mandiant’s Barnhart says. “Sony happened because they got upset because Kim Jong Un was made fun of in a movie. They shut down an entire multi-billion-dollar business and did a destructive attack there. So, we know that they will use destructive malware.”

Symantec’s O’Brien says that North Korea these days mainly operates along the twin tracks of cybercrime and espionage, but “the destructive element has reared its head from time to time, particularly when it comes to targets who have somehow irked or annoyed the regime,” he says.

However, Sentinel One’s Hegel suggests North Korea got spooked by the global focus on the publicity-shy country following WannaCry, particularly given how easy it was to attribute the attack. North Korea is now more “focused on the financial or the hardcore espionage that typically not a lot of people see just because of the limited scope and who they’re targeting,” he says.