Despite the ever-increasing number of cyberattacks publicly attributed to North Korea, the regime does not publish an official cyber-strategy doctrine. Based on the analysis conducted in this report, North Korea’s cyber strategy consists of aggressive, high-tempo information collection and financial theft operations that support its broader goals of perpetuating the Kim family dynasty and unifying the Korean peninsula under North Korean leadership. North Korea conducts information collection operations to gain insight into how its adversaries think (including academics, media, defectors, and others with a nexus to North Korea) so that it can better anticipate the operational environment during heightened tensions or conflict. Additionally, it attempts to gain access to information on technologies, such as missile technology, which will help it gain an asymmetric advantage during the aforementioned times of crisis. It also uses financial theft to supplement its continued funding of the regime, including its nuclear and missile programs, while under international sanctions. It does all this by creatively targeting a wide, geographically diverse range of industries, despite its centralized leadership system.

Insikt Group conducted a quantitative analysis of 273 cyberattacks attributed to North Korean state-sponsored threat actors to assess the regime’s cyber strategy based on past actions. Overwhelmingly, North Korea’s actions in cyberspace consist of cyber espionage and financial theft in support of the regime. Despite the asymmetric advantage of being able to conduct disruptive or destructive cyberattacks with limited resources and a low risk of retaliation, threat actors linked to the Democratic People’s Republic of Korea (DPRK; North Korea) rarely conduct such disruptive or destructive computer network operations.

Entities in the Republic of Korea (ROK; South Korea) and the United States (US), North Korea’s two longtime geopolitical adversaries, are the victims of the majority of cyberattacks attributed to threat actors sponsored by the DPRK. However, North Korean threat actors maintain a global reach as well, targeting entities in at least 29 different countries since 2009. The targets and purpose of cyberattacks vary between threat actors. For instance, Kimsuky-attributed attacks have targeted entities in South Korea for espionage purposes, while Lazarus Group appears to have a much more diverse scope and global purview, targeting entities in a multitude of countries for various reasons. North Korea has been linked to an ever-increasing number of cryptocurrency heists, but the regime’s primary goal in its use of cyberattacks continues to be espionage.

