The DPRK Threat Brief

This special report captures insights into the capabilities and intent of North Korea (officially the Democratic People’s Republic of Korea or DPRK), with a special focus on the cyber domain. Our objective: provide insights that are actionable for business and government leaders seeking to mitigate risks through informed decisions.


North Korea describes itself as a “self-reliant socialist state” but it is really best described as a Stalinist dictatorship. Leader Kim Jong-un, like his father Kim Jong-il and grandfather Kim Il-sung, holds power and dominates all functions through a mix of violence, rewards and intense propaganda. A common misperception about the DPRK is that they are so backwards and poor that they cannot mount a modern cyber war. But reality is that their policy of “Songun” (military first) means there are resources for capabilities considered strategic, and that includes cyber war. 

DPRK Military:

North Korea will be among the most volatile and confrontational WMD threats to the United States over the next year. North Korea’s history of exporting ballistic missile technology to several countries, including Iran and Syria, and its assistance during Syria’s construction of a nuclear reactor— destroyed in 2007—illustrate its willingness to proliferate dangerous technologies.

In 2017 North Korea, for the second straight year, conducted a large number of ballistic missile tests, including its first ICBM tests. Pyongyang is committed to developing a long-range, nuclear-armed missile that is capable of posing a direct threat to the United States. It also conducted its sixth and highest yield nuclear test to date.

We assess that North Korea has a longstanding BW capability and biotechnology infrastructure that could support a BW program. We also assess that North Korea has a CW program and probably could employ these agents by modifying conventional munitions or with unconventional, targeted methods.

DPRK Geopolitical Objectives and Actions:

North Korea’s weapons of mass destruction program, public threats, defiance of the international community, confrontational military posturing, cyber activities, and potential for internal instability pose a complex and increasing threat to US national security and interests.

In the wake of accelerated missile testing since 2016, North Korea is likely to press ahead with more tests in 2018, and its Foreign Minister said that Kim may be considering conducting an atmospheric nuclear test over the Pacific Ocean. Pyongyang’s commitment to possessing nuclear weapons and fielding capable long-range missiles, all while repeatedly stating that nuclear weapons are the basis for its survival, suggests that the regime does not intend to negotiate them away.

Ongoing, modest improvements to North Korea’s conventional capabilities continue to pose a serious and growing threat to South Korea and Japan. Despite the North Korean military’s many internal challenges and shortcomings, Kim Jong Un continues to expand the regime’s conventional strike options with more realistic training, artillery upgrades, and close-range ballistic missiles that improve North Korea’s ability to strike regional US and allied targets with little warning.

The DPRK Cyber Threat:

The US Intelligence Community’s annual threat assessment considers DPRK one of the four greatest cyber threats to the United States, with the others being China, Russia and the Iran. 

North Korea can be expected to use cyber operations to raise funds and to gather intelligence. Cyber operations are also being used to position DPRK for cyber attacks against South Korea and the United States. Pyongyang has a number of techniques and tools it can use to achieve a wide range of offensive effects with little or no warning, including distributed denial of service attacks, data deletion and deployment of ransomware. 

North Korean actors developed and launched the WannaCry ransomware in May 2017, judging from technical links to previously identified North Korean cyber tools, tradecraft, and operational infrastructure. DPRK attackers also conducted a theft of $81 million from the bank of Bangladesh in 2016. 

Economic and Industrial Espionage Threat against the US and US Companies:

The DPRK maintains a well resourced capability to conduct cyber espionage for economic gain and will continue to target sensitive U.S. economic information and technologies through cyberspace. 

Overall Assessment:

Businesses in the U.S. will come under attack from DPRK cyber operators seeking to gain useful information or to find ways to steal resources. 

Our Recommendations:

Raise your defenses against cyber crime. There are many things that businesses can do that make it harder to have secrets stolen, and most of these things are low cost.  Kick start your actions with our list of best practices, available here:

Current Intelligence On The DPRK Cyber Threat

Cyberwar predictions for 2019: The stakes have been raised

January 1, 2019

Before the internet era, geopolitical tensions drove traditional espionage, and periodically erupted into warfare. Nowadays, cyberspace not only houses a treasure-trove of commercially and politically sensitive information, but can also provide access to control systems for critical civil and military infrastructure. It’s therefore no surprise to find nation-state cyber activity high on… Read more

The Most Dangerous People on the Internet in 2018

December 31, 2018

This year thankfully avoided any world-breaking ransomware attacks like NotPetya. It even had some small victories, like GitHub beating back the biggest DDoS attack in history. Still, online threats are manifold, lurking and evolving, making the internet a more hostile place than ever. The biggest threats online continued to mirror the biggest threats in… Read more

North Korea Implicated In Attack That Stops Wall Street Journal And New York Times Presses

December 31, 2018

A server outage at Tribune Publishing on Saturday that prevented the distribution of many leading U.S. newspapers, including the Wall Street Journal, New York Times, Los Angeles Times, Chicago Tribune and Baltimore Sun was actually nothing of the sort. Instead, it appears to have been a cyber-attack involving what is… Read more

How Hackers Stole $1B From Cryptocurrency Exchanges In 2018

December 31, 2018

According to the Cryptocurrency Anti-Money Laundering Report from Ciphertrace some $927 million has been stolen from cryptocurrency exchanges in the first three quarters of 2018 alone. That total will almost certainly have hit, if not smashed straight through, the $1 billion mark by now. So, who were the hackers behind the heists… Read more

Why Microsoft is fighting to stop a cyber world war

December 13, 2018

Two days last year finally woke the world up to the dangers of cyberwarfare, according to Microsoft’s President Brad Smith: 12 May and 26 June. On 12 May the WannaCry ransomware attack created havoc by encrypting PCs across the world and costing billions to repair the damage. Just over a month later… Read more

Cyber-espionage group uses Chrome extension to infect victims

December 6, 2018

In what appears to be a first on the cyber-espionage scene, a nation-state-backed hacking group has used a Google Chrome extension to infect victims and steal passwords and cookies from their browsers. This is the first time an APT (Advanced Persistent Threat –an industry term for nation-state hacking groups) has… Read more

2019 Security And Defence Predictions

November 30, 2018

It’s the time of the year for cybersecurity predictions. This time, Suzanne Spaulding, former DHS Under Secretary and Nozomi Networks advisor believes that in 2019, provides her insights. The things that have been holding back Russia, China, North Korea and Iran from a critical infrastructure attack on the U.S. could… Read more

Internet Explorer scripting engine becomes North Korean APT’s favorite target in 2018

November 13, 2018

Internet Explorer’s scripting engine was the favorite target of a North Korean cyber-espionage group this year, after the hackers deployed two zero-days, but also crafted new exploits for two other older vulnerabilities. The group’s name is DarkHotel, a cyber-espionage group that McAfee and many other cyber-security firms have already linked to the… Read more

Symantec Uncovers North Korean Group’s ATM Attack Malware

November 9, 2018

Researchers from Symantec have uncovered the malware tool North Korea’s infamous Lazarus Group has been using since 2016 to empty millions of dollars in cash from ATMs belonging to mostly small and midsize banks in Asia and Africa. In a report this week, the security vendor described the malware as… Read more

North Korea continues to hack computers to mine cryptocurrency

November 1, 2018

North Korea is hacking computers to mine cryptocurrency to bring extra cash into the country, according to South Korea’s intelligence service. North Korean hackers also continue to hack computers in South Korea and abroad to steal confidential information, the state intelligence agency said in a parliamentary audit, Yonhap News reported. A U.S. cybersecurity… Read more

Destructive Cyberattacks Spiked in Q3

October 31, 2018

New data gathered from more than three dozen providers of incident response services reveals a disturbing increase in the past quarter of destructive cyberattacks targeting US organizations. It is not clear whether the attacks—many of them from countries like China, Russia, and North Korea—are a response to the current geopolitical… Read more

Analysis of North Korea’s Internet Traffic Shows a Nation Run Like a Criminal Syndicate

October 29, 2018

Recorded Future has published a series of analyses on North Korea’s most senior leadership’s use of the internet. As the last report of the series, it demonstrates how adaptable this leadership has become in both using and monetizing its use of the internet. Cryptocurrencies are known to be used by… Read more