Last week, the Biden administration’s Department of Justice (DOJ) announced its first major cyber-related indictment. An investigation long in the works, the indictment charges three North Korean (DPRK) government officials with conducting and conspiring to conduct some of the most devastating cyber attacks in recent years, including WannaCry 2.0, the Sony Pictures hack, and the cyber heist of Bangladesh Bank. The indictment alleges that the government hackers are members of North Korea’s military intelligence agency, the Reconnaissance General Bureau (RGB), and that they engaged in a broad range of cyber attacks and operations beginning as early as 2009.
The unsealed indictment shows a continued effort by the U.S. intelligence community and the DOJ, across administrations, to uncover and disrupt international cyber criminals, particularly those sponsored by or connected to nation states. Some of the DPRK-sponsored cyberattacks in the indictment had not been previously reported on, such as North Korea’s vast cryptocurrency theft. There are a number of important takeaways from this indictment, including evidence of increased sophistication of North Korea’s cyber capabilities, a clear public attribution of government actors, the scale of the monetary theft from the cyber operations, and involvement by Russia and China, but the more harrowing lesson should be the threat North Korean cyber operations continue to pose.
The utility of indictments for cyber operations is tenuous, particularly when we consider the lack of subsequent arrests and the ongoing malicious operations. Since they can address only past behavior, criminal indictments should be coupled with prospective action in order to mitigate ongoing or future actions by the indicted actors or their organizations. In this case, a federal advisory alert detailing the malware currently used by North Korean hackers to target cryptocurrency exchanges accompanied the DOJ indictment.
The DOJ Indictment: What Can We Learn?
- North Korean cyber operations should be taken seriously as a threat. The indictment is the latest confirmation of the growth in sophistication that the DPRK has achieved in its cyber operations, a sophistication that not long ago was not taken seriously. As Assistant Attorney General John C. Demers stated while announcing the indictment, North Korean operatives are now “the world’s leading bank robbers,” albeit with computers instead of sock masks. The breadth and success of the activities alleged in the indictment comport with the Department of Homeland Security’s warning in December 2020 that North Korean state-sponsored hackers are “develop[ing] and deploy[ing] a wide range of malware tools around the world to enable these activities and have grown increasingly sophisticated.”
- The indictment provides proof for the historical record regarding North Korea’s intent and capabilities in its cyber operations. This information has been lacking in public, with researchers struggling to amalgamate the full spectrum of North Korea’s cyber capabilities with just open source information. Increasing the amount of publicly available evidence on North Korea’s methods can only serve to aid researchers and policy makers in their understanding and analysis of North Korea’s actions.
- This indictment is more specific in its attribution than previous DPRK cyber indictments, naming the individual government operatives and their unit. The indictment expands on the 2018 indictment of DPRK hackers, which had not included any information on the military intelligence affiliation of the hackers. In 2018, DOJ noted only that private researchers had connected the defendants to the “Lazarus Group.” The 2021 indictment affirmatively ties the hackers to the RGB and states that the RGB has come to be known as both the “Lazarus Group” and Advanced Persistent Threat (APT) 38 in the cybersecurity community. The specificity of attribution shows improved U.S. intelligence on North Korea’s state-sponsored cyber activities and organization, which has been a particularly elusive target despite overall improvements in U.S. attribution capabilities. As cybersecurity expert Dmitri Alperovitch, co-founder and former CTO of CrowdStrike, noted on Twitter, the indictment’s attribution is proof of an “impressive” level of infiltration by the U.S. government into the secretive RGB. The indictment is also one of the clearest examples of public attribution by the U.S. government. As experts Michael Sulmeyer and Amy Chang have written, when attribution itself is technically feasible, the more important question is whether a government will make that attribution public.
- The indictment shows just how consequential North Korea’s cyber operations are relative to its gross domestic product (GDP), with the hackers alleged to have stolen or attempted to steal a total of more than $1.3 billion across their different attacks. The 2018 indictment specified the $81 million that North Korea gained from the Bangladesh Bank heist. The 2021 indictment makes public additional money-making schemes that it estimates at more than $1.3 billion in total, ranging from multiple international bank heists, to ATM cash-out schemes, to theft of cryptocurrency assets. For a country with an estimated GDP of only $28 billion, this is an enormous sum of money obtained from hacking. The United Nations had estimated in 2019 that North Korea had amassed over $2 billion in illicit finance from its cyber operations to fund its weapons program. The money obtained from these cyber operations can have a direct security impact on the United States.
- North Korea is not acting alone. The indictment includes a curious connection to both Russia and China, both notably aggressive actors against U.S. interests in cyberspace. The DOJ announcement states that the hackers were “at times stationed by the North Korean government in other countries, including China and Russia,” marking the first time the DOJ has formally alleged that North Korean cyber operatives are operating in other countries. At an event for the Center for Strategic and International Studies (CSIS) in October 2020, Demers had flatly accused China of aiding North Korean hackers: “There is support through Chinese cyber infrastructure, there’s likely support in terms of sharing expertise and training from the Chinese side.” The indictment appears to confirm that this support exists in some form, though it may be difficult to infer from the indictment how close or attenuated this connection is. Both Russia and China could have had some level of knowledge of North Korea’s operations, or worse, could have been somehow involved in facilitating the operations themselves through infrastructure use or training. Demers hinted at the seriousness of the involvement, noting that “due to the authoritarian, totalitarian nature of those countries, there’s very little of significance that goes on without those governments knowing about it.” As an international law matter, Russia and China also risk running afoul of their due diligence obligation, which Michael Schmitt has written about for Just Security. Both countries would have a “legal obligation to put an end to another state or a non-state actor’s hostile cyber operation that is being mounted from, or that remotely employs cyber infrastructure on, its territory when that operation has serious adverse consequences with respect to a third state’s rights under international law, typically sovereignty,” and when they have knowledge of the cyber operation at issue.
- The two-time indictment club expands: one of the three North Korean hackers indicted was previously charged by DOJ in 2018 for similar crimes. Park Jin Hyok joins three Russian GRU officials in the two-time DOJ indictee club, though Pyongyang has denied his existence altogether. This raises the question of how effective indictments can be, particularly when dealing with government actors. As discussed previously in Just Security, the inability to stop these actors may cut against the effectiveness of indictments as a deterrent tool.
- The activities alleged in the indictment span one of the longest timelines of any DOJ cyber-related indictment. The various operations cover more than 10 years, from 2009 to the present. The first cyber indictment of PLA officers in 2014 spanned 2006 to 2014, and the July 2020 indictment of Chinese nation-state hackers also spans 2009 to 2020, but other indictments are far more limited in timeline and scope.
- Collaboration and information sharing between the U.S. government and private companies appears to have been critical to this indictment, more so than to previous indictments. The indictment announcement notes in its “Accompanying Mitigation Efforts” section that the FBI has worked with private cyber threat intelligence companies to understand the tactics, techniques, and procedures (TTPs) used by the hackers. In previous cyber-related indictments, support from private cybersecurity companies was not mentioned, with the exception of the 2020 indictment of GRU hackers. While the FBI certainly could have collaborated with private companies on previous indictments, the open acknowledgment of information sharing confirms the necessity of working with private companies to understand and unravel sophisticated cyber operations.
Despite the Indictment, North Korea Continues to Pose Cyber Threats
One of the most important features of the indictment in addition to those listed above is the fact that the alleged actions are ongoing.
The role and usefulness of indictments has been hotly debated (see: here, here, and here), with many scholars questioning the overall utility of indictments as a way to deter future malicious cyber operations or disrupt ongoing operations. Certainly, we should question whether the 2018 and 2021 indictments of North Korean hackers have slowed or stopped their cyber activities, which experts suspect has not been the case. However, regardless of the deterrent, disruptive, or punitive effects that can result from indictments, indictments are inherently a reactive, post hoc tool; they are used to respond to an attack (or attempt) that has already begun. While this indictment is a clear record of North Korea’s previous and perhaps ongoing actions in cyberspace, we cannot and should not overlook how these methods may be deployed in the future.
Indictments of nation-state cyber criminals have rarely led to their apprehension, let alone trial, given the difficulties of seeking extradition for government actors. Since DOJ’s first indictment of Chinese PLA hackers in 2014, the U.S. government has brought indictments sixteen times against hackers (or those conducting cyber espionage) alleged to be operating on behalf of another government (according to Katie Nickels of Red Canary’s list of cyber indictments). Many of the sixteen indictments involve charges against multiple actors (for example, four defendants were charged for hacking Yahoo in 2017). Of those sixteen indictments, only six have resulted in arrests or guilty pleas for some defendants. The 2021 North Korea indictment is one of them, but it was a Canadian man, not any of the North Korean officials, who pleaded guilty to money laundering in furtherance of some of the alleged criminal schemes. It remains the case that the vast majority of DOJ’s indictments of nation-state cyber operations go untried in the U.S. justice system. Furthermore, of the sixteen nation-state indictments since 2014, only seven allege activities that could be ongoing. Taken in combination with the lack of resulting arrests, actions to combat the continuation of these cyber operations outside of the criminal justice system are necessary.
For all that the DPRK indictment teaches us, discussed above, there must be a forward-looking component of the conversation surrounding North Korea’s cyber operations, which the FBI, the Department of the Treasury, and the Cybersecurity and Infrastructure Security Agency (CISA) have recently emphasized. The agencies released a joint advisory on the same day as the indictment, Feb. 17, highlighting the ongoing cryptocurrency threat in particular and analyzing the use of a particular malware family, AppleJeus, which the indictment alleges was used against cryptocurrency exchanges and their users. As Demers confirmed, “[t]he context provided in today’s indictment underscores the necessity of paying attention to this advisory and its recommendations.” The advisory appears to be the first alert coordinated with a DOJ indictment, a practice which should continue as a way to keep the public informed about ongoing threats from state-sponsored cyber actors after indictments and to proactively defend against their tactics.
Thinking prospectively, it is hard to divorce the indictment from recent allegations concerning cyber targeting of COVID-19 vaccine information. The FBI and the Department of Homeland Security have both confirmed the critical nature of cyber threats against COVID-19 vaccine information and distribution. The development of COVID-19 vaccines has been an appealing target particularly for nation-state actors, evidenced in 2020 by DOJ indictments against hackers linked to China’s Ministry of State Security and by a multi-nation advisory accusing Russia of targeting vaccine development. North Korea has also been singled out for targeting vaccine information. In November 2020, Microsoft announced that Russian and North Korean state actors had targeted numerous healthcare organizations. North Korea was specifically accused of targeting the World Health Organization (WHO), and Microsoft noted that some of its operations had indeed been successful. Most recently, on Feb. 16, 2021, news broke through a South Korean lawmaker that North Korea had been attempting to penetrate Pfizer’s networks to access information about its COVID-19 vaccine. South Korean intelligence denied that Pfizer was listed as a target in its intelligence briefing, and U.S. government officials have not yet responded.
North Korea has shown, through the details provided in the indictment as well as private sector analysis, that it is only increasing the sophistication of its cyber operations and branching out to new methods. From its targeting of cryptocurrency exchanges, to its use of social media platforms and social engineering to deploy malware, to its targeting of COVID-19 information, it is clear that the threat is ongoing and evolving. The indictment offers important information for the public record, adds evidence of Russian and Chinese involvement in North Korean cyber operations, and is a clear-cut example of the U.S. government publicly attributing an attack to a foreign military intelligence service. But taken alone, the indictment is not equipped to address actions that the RGB can and will take in the future. The FBI and CISA alert highlights the importance of concurrently addressing these future threats while criminal indictments address North Korea’s past behavior.