North Korean Cyber Operations: At the Nexus of Geopolitics, Technology, and Policy
JOHN PARK: My name is John Park, director of the Korea Project. On behalf of the Korea Project, the Cyber Project and the North Korea Cyber Working Group, welcome to today's conference, entitled, "North Korean Cyber Operations: At the Nexus of Geopolitics, Technology and Policy." [00:00:41] Today's conference is an outgrowth of the Belfer Center's research on North Korean cyber operations. The Korea Project has devoted several events this year to cyber issues on the Korean peninsula, including a full panel during our third Harvard Korean Security Summit in July. We continue to engage with leading scholars and practitioners working on North Korean cyber issues, both here at the Belfer Center and at other institutions around the world.
Situating North Korean cyber operations at the interaction of multiple disciplines, today's conference also reflects the Korea Project's belief that bringing together specialists with diverse functional and regional backgrounds can lead to fresh insights. [00:01:24] Today, we'll hear from researchers who approach this topic from very different perspectives – technical and non-technical, regionally and globally focused, and as scholars and as practitioners. One of the Korea Project's key priorities is to develop and provide a platform for the next generation of researchers in the Korean security studies field. Through the North Korea Cyber Working Group, the Korea Project brings together emerging scholars from academia, the policy community and the private sector.
Now in its second year, the North Korea Cyber Working Group has already generated important findings. A report from this past March by Alex O'Neill explored North Korea's cyber criminal statecraft model for generating revenue through illicit cyber means. Another report from this past May by Millie Kim, June Lee and Rachel Paik analyzed North Korea's exploitation of the cryptocurrency ecosystem. These reports and other research by the North Korea Cyber Working Group members have contributed to our understanding of North Korea's cyber operations.
[00:02:29] I'd like to now introduce June Lee, who co-leads the North Korea Cyber Working Group. June's research focuses on the law and policy surrounding cyber conflict, with a focus on the Indo-Pacific. She's previously worked as a program coordinator and researcher at the Carnegie Endowment's Tech and International Affairs program. June graduated from Stanford with a BA in international relations, a minor in computer science, and honors in international security studies.
Over to you, June. JUNE LEE: Thanks so much, John. And thank you, everyone, for tuning in for our conference today.
As John mentioned, the goal of the North Korea Cyber Working Group is to generate new analysis and ideas for combating North Korean state-sponsored cyber activity. We do this by bringing together next-gen researchers from diverse fields to conduct original research, hosting networking events and convening private and public events, such as this one. Today's conference could not be more timely. In the past few weeks, tensions on the Korean Peninsula have escalated rapidly with North Korea launching a record number of missiles, including several yesterday and this morning, and hinting at a potential nuclear test.
[00:03:41] While headlines have focused on kinetic threats from physical weapons, the threat from North Korean cyber capabilities persists. North Korean cyber criminals continue to conduct cyber espionage operations against targets of interest to the regime. Crypto operations provide North Korea with the funds to further its WMD capabilities. And the use of destructive cyber capabilities could complement and potentially intensify the harm from kinetic attacks.
[00:04:09] The US, South Korea and Japan, alongside other countries, have pursued renewed cooperation to counter this threat, participating in joint cyber military exercises, law enforcement coordination and increased cyber information-sharing. Yet, continued thinking and innovative solutions are required as North Korea continues to exploit the gap between policy and cutting-edge technology. Our conference today will begin with keynote remarks from Dr. Jackie Schneider, followed by two blended panels of experts and working group members. The first panel will focus on novel approaches to countering North Korean cyber activity, while the second will discuss geopolitical implications and opportunities for international cooperation. [00:04:55] And with that, let me introduce our keynote speaker.
Dr. Jackie Schneider is a Hoover fellow at the Hoover Institution and an affiliate with Stanford's Center for International Security and Cooperation. Her research focuses on the intersection of tech, national security and political psychology, with a special interest in cyber security, autonomous tech, war games and Northeast Asia. She's a non-resident fellow at the Naval War College's Cyber and Innovation Policy Institute, and was previously a senior policy advisor to the Cyberspace Solarium Commission.
[00:05:29] Before beginning her academic career, she spent six years as an Air Force officer in South Korea and Japan, and is currently a reservist assigned to US Space Systems Command. She received her PhD from George Washington University. And with that, Dr. Schneider, the floor is yours.
JACKIE SCHNEIDER: Thank you so much for having me. It's extraordinary what this group is doing. And you mentioned a little of my background, and that's kind of where I want to start because almost 20 years ago I was sitting in South Korea, a brand new 22-year-old, maybe 23-year-old lieutenant.
And I was sitting in the watch in Osan Air Base. And the North Koreans had just developed what potentially was going to be a long-range ballistic missile, the Taepodong. And they were launching short-range Scuds and intermediate-range ballistic missiles from the coastline.
And just a few months later, they would test a nuclear weapon. [00:06:32] And at the time, we really felt like this was as good as it was going to get. It was a shocking moment for North Korea to introduce themselves as a nuclear power. But over the last 20 years, that threat from North Korea has only become more dangerous. And the interesting thing, coming from a cyber perspective, is that relationship between the cyber capabilities that look extremely different and the missile and nuclear capabilities which are really threatening instability in the Peninsula. So I think for so many years the question when we looked at North Korea was whether they could do two things, and those two things would be the most important to the balance of power and stability within the Peninsula and broader East Asia.
And the two questions were: Could North Korea win a war against South Korea? And the second question was, could North Korea reach out and threaten the US beyond the Peninsula? And the first question was, could they do it against US forces in Japan. Then it was US forces in the Pacific. And finally, US, writ large. [00:07:51] Now, in 2006, when I was first in South Korea, the answer to both those questions was no. In 2006, the conventional asymmetry between North Korea and the combined [8:07] the US forces Korea and the CFC, the combined forces, was– there was no question that the North Koreans could not win.
And in fact, that delta between the US and South Korean capabilities and the North Korean capabilities really led to big doubt that the North Koreans would ever make a significant intrusion into South Korea. But in 2006, this starts to change with the development of the nuclear capabilities and the missile capabilities. [00:08:48] So over the last 20 years, what we're finding is that even while the conventional capability of North Korea to defeat a US/South Korean force has not really changed and has not gotten significantly better, the asymmetries of conventional power are perhaps even greater now than they were in 2006. But the ability for the North Koreans to reach out and threaten beyond South Korea has significantly increased. At first it was Japan, and now reaching out with cyber attacks all the way to the US homeland, and being able to do this, being able to reach out and touch and threaten the US increasingly further from the Peninsula, all while maintaining– the Kim family maintained control.
[00:09:42] And this is a bit of an extraordinary story because in 2006, when we were staring at this problem, the general consensus within the intelligence community was that any significant transition of power, especially in a North Korea that was facing declining economic potential, a population that was generally famished, that the North Koreans would not be able to continue to invest in these high-power missile capabilities and that increasingly the Kim regime would not be able to stay in power. And when Kim Jong-il passed away, there was a lot of hope that this would lead to a regime change. What has happened is a remarkable consolidation of power despite no increase in economic power.
So all this is not talking about cyber. But it comes back to cyber because cyber ends up playing a huge role in the ability for that Kim family to maintain control and to be able to continue to threaten the United States in a way that makes a conventional asymmetry of power less important for the North Koreans. [00:10:55] So they've done this in two ways.
And the first is the obvious; this is the development of ballistic missiles and nuclear weapons. So that development, becoming a nuclear state, a nuclear state that can reach out and touch US territories, becomes an extremely important element in the Kim regime maintaining control and in changing that asymmetry of power that really was a huge delta before the advent of nuclear weapons in North Korea. [00:11:27] But how can a regime that has so little money manage to make such a technological leap? And a large part of this is related to cyber, which June already alluded to. But the fact that they're able to use cyber capabilities, not just as an asymmetric threat against the United States, but instead as a way to bring in revenue for the ballistic missile and nuclear program and to keep the Kim family in control is a remarkable testament of the grand domestic and international power of cyber. And it's interesting in comparison to the way the West has often thought about cyber power, cyber as a bomb, cyber as a substitute for conventional military power. And here we see cyber not as a substitute for conventional military power, but instead as an asymmetric coercive tool in its own right.
And not a coercive tool to necessarily change behaviors but instead to generate revenue and to support the development of bombs. Not cyber as a bomb, but cyber as the development of bombs. [00:12:44] So cyber and North Korea matters. But I'm telling a group of people that knows this. Nothing I've said is new to what you guys are doing. So what I want to really leave you with is, how do we better understand this problem? This problem matters.
It matters not just because of the economic threat of these cyberattacks and the proliferation of these cyber actors, threatening critical infrastructure; it matters because it ends up increasing the ballistic missiles and the nuclear capability in North Korea. Which, in the end, can be extremely destabilizing. [00:13:21] So how do we better understand this problem? Now, when I used to run war games for the DoD, we used to bring in North Korea experts to play North Korea. And I always said, why are we doing this? Let's just bring in a Magic-8 ball.
Anybody who says they know what the North Korean regime is going to do is full of it. It's better to actually sometimes be probabilistic about the way you think about their decision-making. All that to say, there's so much we don't know about the way in which decision-making occurs that it becomes an extremely difficult subject to study. And that's why your efforts are so important. [00:14:02] So I've broken down these three groups of potential research questions into three bins.
And the first is, how do we understand the problem? What is the nature of the problem? So how are these North Korean cyber actors organized? How are they financed? What are their motivations? What is the chain of command? What is the relationship with the domestic regime? These can be answered technically, either by chasing the money or chasing the cyber. And then capabilities. Where is this human capital coming from? Where are they trained? What are their technical resources? And then moving into effectiveness, how do we think about the extent of the economic damage? You see wide ranges of estimates everywhere.
But who is this damaging? What are the industries that they focus on? How do they generate their targets? How do they think about who they're going to be going after? So this is all about characterizing the nature of the problem, which I think a lot of people on this call are already doing great work to better understand the overall nature of the problem. [00:15:10] And I think once you know more about the nature of the problem, you can get to the question of how that problem could be used in potential scenarios. So, how might the North Koreans use cyber operations at the beginning of a crisis? What would be the types of targets that they would be going after? Would they change their tactics from what we see on a day-to-day basis? Are they able to convert what they've become so good at with ransomware and convert that to a much harder government or military target? [00:15:43] And this leads to the other question, which is more theoretical, which is, what are the conditions under which these cyber actions that the North Koreans might take could be destabilizing? Or, what are the actions they could take that could give them an asymmetric advantage? Are there decisions that the South Korean military is making, or that the US military is making about the way in which it develops its networks, the way in which it deploys its data-enabled resources that might give the North Koreans some sort of advantage? How should we think about resiliency in dealing with the North Korean cyber threat? Is that something that the US military or the South Korean military really even need to think about, or are these too hard of targets for the North Korean cyber actors? 
And I think outside of this context of crisis and war, there's a larger question about whether there is an overarching economic advantage, that the North Koreans get to a point where they have created so much damage or so much financial cost from their cyber attacks that there becomes a tipping point where they're able to actually use cyber in a way to change the asymmetries of power, or if there are particular industries in which we might see a very significant tipping point of asymmetry of power. [00:17:08] I think more in a broader sense about how the US and South Korea think about fighting wars or deterring North Korea, have the North Koreans been able to use cyber in a way that decreases the intelligence advantage of the US and South Korea? How do we need to think about deception? Can we think about deception at all? Should the US and South Korea still be thinking about fighting the same types of campaigns they've planned for? Or should they assume that there's some sort of cyber information advantage that the North Koreans have gleaned? [00:17:48] I think broadly we're seeing this play out in Ukraine and Russia where cyber, and especially the information that cyber might give to either side, can reveal information about targeting information, about campaign objectives.
And in a way, that changes the battlefield advantage. And it allows states that are able to access vast amounts of digital information, gives them an advantage they might not normally have. So can the US and South Korea still expect to be able to conduct the same operations they would prior to the cyber revolution that the North Koreans have advanced on? And I think this leads to the most important questions which I think your group is probably designed to do, which is the solutions to the problem. And this has been such a problem for policymakers when thinking about North Korea. [00:18:43] I remember in 2006, when I was sitting in Osan, it was before they had tested the nuclear weapon, and the four-star at the time was a guy named General BB Bell, and I was a brand new lieutenant.
And he came to me and he said, "Lieutenant, what should we do if the North Koreans test the nuclear weapon?" And I had just come from classes at Columbia, and I said, "Nothing!" Because there was the fear at the time, the artillery that was on the border was a very strong deterrent. And this has been the answer to the vast majority of North Korean aggression, North Korean buildups, has been shows of force and not a lot of solutions. They've circumvented many sanction regimes, either with the support of the Chinese or with cyber bringing in revenue. So I think if we can provide solutions to the policy world about North Korea, more tools to potentially deal with these problems, then this is a huge advantage and a huge value-add that this group can provide.
So some problems that I was thinking through about how this group could help, I think work that looks at that financial link between cyber and the missile programs or the nuclear program and how to think about cutting off that financial link. That becomes an extremely important potential solution, and one which we've always seen some experimentation being done with some success. [00:20:37] What can we do in the United States or in South Korea to work with private firms to decrease their vulnerability? This is agnostic to the North Korea problem, but how do you incentivize critical infrastructure to protect themselves, and then how do you build government institutions in order to provide classified information, for example, about North Korean attacks? I think here in the US, CISA and Cyber Command are increasingly being very effective at releasing information about North Korean actors through usually DHS. And then, thinking about campaigns and military orders of battle and balances of power.
I think it would be helpful for both the South Korean and the US military to understand the ways in which they may be most vulnerable to North Korean cyber attacks, even if the answer is, you're not. But are there particular types of targets that the North Koreans might be going after? Are there some tactical data links or information repositories that are potentially vulnerable to North Korean attacks? And then the follow-on recommendation from that is, how does the US and South Korea build the networks and the capabilities in order to be more resilient in that case? [00:22:07] And like any good academic, I'm going to give you a bunch of questions and no answers. And then, I want to reiterate how important I think your group is and how exciting it is to see concrete, rigorous work about this problem, which in the past has been an extremely, extremely tough problem to research. So thank you again for having me. I'm excited to hear more from all of the participants. JOHN PARK: Thanks, Dr. Schneider, for excellent keynote remarks there and setting the stage
so well for us for the panels ahead. [00:22:47] I'd like to now turn it over to Alex O'Neill. And by way of introduction, he'll be moderating the first panel on "novel approaches to countering North Korean cyber operations." Alex is coordinator of the Korea Project and a co-lead of the North Korea Cyber Working Group.
His research focuses on North Korean financially motivated cyber operations, especially links between North Korean cyber actors and Russian-speaking criminals. His most recent publication is, "Cyber Criminal Statecraft: North Korea Hackers' Ties to the Global Underground." Alex holds a master's in Russian and East European studies from the University of Oxford and a BA in history from Yale University.
Over to you, Alex. ALEX O'NEILL: Thanks very much, John. And thank you, Jackie, for those excellent framing remarks. [00:23:30] Good afternoon, everyone. As John said, I'm Alex O'Neill.
I'm the coordinator of the Korea Project here at Belfer and a co-lead of the North Korea Cyber Working Group. I'll briefly introduce our panel now as well as our four panelists and then we'll dive right in. [00:23:43] The focus of this session, entitled, "novel approaches to countering North Korean cyber operations," is a new twist on a very familiar topic. We've often sought to define and understand North Korean cyber activity by looking at motivations, key players and pathways involved. We've looked especially closely at North Korea's cyber criminal statecraft, the model the regime has pioneered for generating illicit revenue through cyber means.
Today we'll focus on the other side of the equation, which is defending against and countering malign North Korean cyber activity. We'll cultivate a set of actual recommendations and take a close look at recent innovation in policymaking circles, in law enforcement and the private sector. [00:24:18] With that in mind, we've assembled a panel representing many of the key stakeholders on this issue and I'll introduce them now. And I invite our panelists to please turn on their cameras, but keep their mics muted. [00:24:29] First up, we have Ashley Chafin-Lomonosov who's a cyber crimes investigator at Chainalysis, the blockchain data company serving public and private sectors globally to enable investigations and compliance in the crypto space. Ashley focuses on East Asian issues, especially North Korea's tactics, techniques and procedures in the blockchain.
Great to have you back with us, Ashley. Helen Lee is a member of the North Korea Cyber Working Group and a researcher with 38 North. Helen's research focuses on cyber power on the Korean Peninsula and on the role of the United States in East Asia cyber conflicts. She recently published an article in The Diplomat, entitled, "The Future of South Korea and US Cyber Cooperation."
[00:25:06] We also have with us today Prashil Pattni, who is a principal threat intelligence analyst at BAE Systems where he researches state-sponsored cyber espionage and financially motivated activity from high-end cyber criminals and state-sponsored threat groups. Prashil specializes in tracking North Korean threat actors, and over the past five years he's analyzed numerous campaigns, including activity against SWIFT and ATM systems, as well as espionage against the defense and aerospace sectors. We're glad to have you with us, Prashil. [00:25:32] And last, but not least, we have Ahyoung Shin, who's an analyst with the ROK embassy in Washington, DC, as well as a member of the North Korea Cyber Working Group. Ahyoung's research interests include North Korean financially motivated cyber operations and the implications of emerging technologies like artificial intelligence for cyber from a national security perspective. With that, we'll dive right in.
For our first question, we'll start with Ashley and then we'll go around to Prashil, to Helen and then to Ahyoung. So Ashley, to start us off, I wonder if you can describe the current North Korean cyber threat in your own words. What are you most concerned about right now? ASHLEY CHAFIN-LOMONOSOV: Thanks for having me this evening, Alex, I really appreciate you. [00:26:09] To answer your question with the most realistic response possible, the financial element of the cyber threat is ever-growing.
It's extremely taxing to try to figure out what the severity of the problem is there. So being cut off from the global financial system, North Korea should not be able to sustain an economy; yet, they still are. So coming from Chainalysis, a blockchain analytics company, my employer, I'm concerned with how they're funding their economy and how they're continuing to fund proliferation efforts, keep their people alive. It's really, really arduous. ALEX O'NEILL: Prashil, same question to you. What are you most concerned about with regard to the North Korean cyber threat? PRASHIL PATTNI: Thanks, Alex.
Yeah, I think there's definitely a fair amount going on from North Korea right now. And certainly they're making a lot of money from the cryptocurrency sector, which is of concern. [00:27:18] I think one campaign in recent memory for us was a bit more unique from the cyber perspective in tracking things was a lot of their espionage activity against the [27:28] defense sector. And this was kind of activity where really they put a lot of effort into their social engineering unit, going to LinkedIn, Twitter, WhatsApp [27:40] recruiters, ultimately hoping to get a compromise of personal devices and then move to corporate networks through that. [00:27:47] And from us, being a partner of [27:51] defense firm, it's really quite hard to pick up and defend against those, especially if your employees don't know about that threat.
Most people know the risks behind email, but aren't really expecting a recruiter with hundreds of connections seemingly part of a legitimate organization with mutual connections with you on LinkedIn to actually be a nation-state adversary. And they definitely don't put all that kind of effort into social engineering in all of their campaigns, but the fact they have that awareness and ability to do that with some of their campaigns, where they thought they needed that extra effort to get that initial intrusion factor was definitely quite interesting for us. ALEX O'NEILL: Definitely. No, it's a great flag.
Helen, we'll go to you next. What elements of the North Korean cyber threat are you most concerned about right now? [00:28:37] HELEN LEE: Thanks, Alex. I think for me, adding on to what has been said, the most concerning element is that North Korean cyber actors are very opportunistic. So like what he just said, they've been using LinkedIn to do Operation Dream Job, but they're not just using LinkedIn; they're using everything in all the geopolitical context that's going around them. For example, when the recent KakaoTalk fire happened, allegedly and potentially, North Korea also used that as an opportunity to do some spear phishing attacks against North Korea-related defectors and academics. I think the fact that our world and our international order is getting more chaotic, there's just more opportunities for North Korea to use to leverage their cyber attacks.
ALEX O'NEILL: Thanks, Helen. And Ahyoung, same question to you on the elements of the North Korean cyber threats that you are most concerned about? [00:29:34] AHYOUNG SHIN: Thank you, Alex. So among many different North Korean cyber threats, I think the potential malicious use of advanced technologies like artificial intelligence and particularly in cyber space is most concerning to me. Because AI augmentation in cyber can significantly [29:56] in terms of scale, speed and success for both offense and defense. But since North Korea has prioritized offense over defense, I think it is more likely that North Korea might be interested in augmenting offensive cyber campaigns with AI.
[00:30:15] And although North Korea appears to be at an early stage of AI development, compared to the US, South Korea or China, they can really speed up AI research and development by taking advantage of the lack of regulations around AI and also the high level of bulkiness in AI research. So this means that North Korea can easily exploit open source data and commercially available software like deepfake generation to leverage AI for their cyber campaigns. They may have proved how they could really operate in the murky regulatory cyber space before. [00:31:01] Lastly, there's a China piece. So in addition to using open source data, I think North Korea can also build on education exchanges with countries like China to gain access to the information and hardware that are otherwise not available. ALEX O'NEILL: Thanks, Ahyoung.
I wanted to ask you a follow-up on that. I wonder if you can speak a little bit further about North Korea's innovation in the AI space, particularly with relevance to cyber. I know you've been looking into that as part of your research project with the working group. [00:31:34] AHYOUNG SHIN: Yes, thank you. So the North Korean regime has long prioritized science and technology development, especially in the information technology sector.
And their breakthroughs in AI have been very publicly celebrated in state media and journal publications. And in fact, in 2019, top universities like Kim Il-sung and Kim Chaek Universities announced that they are going to build new AI-related courses and departments. So I think such continued investments in AI by the regime really indicate that they might be interested in building AI and machine learning technologies in cyber space.
So hypothetically, once North Korea achieves a level of development in AI, they could supercharge their financially motivated cyber operations, like cryptocurrency theft or ransomware attacks for new generation [32:42] scale by using AI-augmented credential harvesting or social engineering techniques like phishing attacks. And this will be very hard to detect and more successful. [00:32:58] And in fact, from my research, phishing can benefit the most from AI as North Korea mostly relies on phishing attacks. But it is also very resource-intensive because the hacker needs to do manual research, manual detailed research on the target, befriend the target and create personalized messaging for phishing. [00:33:23] So in this sense, if they could use AI technologies for their phishing attacks, AI systems can not only automate the entire process and those written tasks like selecting the target, researching about the target, and finding vulnerabilities and executing attacks, but specific AI programs, like a natural language processing program, can also tailor text or audiovisuals to make them appear more authentic, convincing and targeted. And also, AI-generated deepfakes, which are already available online, can mimic the behavior of humans, and even engage in a conversation via text or voice.
[00:34:13] So this all means that North Korea might be interested in AI augmentation to launch far more effective and successful phishing attacks with less personnel and cost, which will be very appealing to North Korea in light of their very limited labor force with foreign language skills. And lastly, in fact North Korea appears to be conducting extensive research in NLP, like keyword extraction, machine translation and voice recognition technologies. So I think these are some innovations that have taken place that are very interesting. ALEX O'NEILL: Thank you for that, Ahyoung, super comprehensive and quite frightening as well. Prashil mentioned in his opening comments spear phishing and the threats posed that way, and so if they're able to potentially use AI to, like you said, supercharge those spear phishing tactics, that seems like a very serious problem. [00:35:11] Ashley, I wanted to ask a broader question to you on the evolution of the North Korean threat.
I wonder what innovation you've noticed in the course of your work, focusing especially on the crypto and blockchain space in the last couple of years. ASHLEY CHAFIN-LOMONOSOV: First and foremost, the creativity has evolved. All of the phishing attempts, whether it's speaking generally or specifically, have just gotten more involved and more creative over the years. So yes, you have individuals, hackers, spending a lot of time and resources, building friendships. But as they're moving to an AI or a bot-like existence, they're optimizing their processes and procedures and successfully breaching more systems.
[00:35:56] In terms of the cryptocurrency industry specifically, obviously we have seen an extensive amount of hacking, breaking, entering, theft, data-stealing, but also, ultimately, funds-seizing as well. The technical acumen of each of the hackers of the hacking groups has gotten extremely advanced. They're consistently evolving with the technology in the decentralized finance space, which, Ahyoung said, could show an evidence of successful education and how much they're investing in education. [00:36:32] So as far as the evolution goes, yes, there's the creativity of the initial attack vector, but what's also important to note is that they're operating mostly in the decentralized finance space when they do steal this cryptocurrency.
So they're blatantly moving their funds about the blockchain without a regard for privacy or anonymity like they used to. So it's, from a psychological perspective, just very interesting to see how their tactics have kind of evolved. And I could get deeper into the crypto space, but I'll pass it off to the next respondent so that way we can get all sectors involved.
ALEX O'NEILL: I think your comments raised a couple of follow-up questions.
We'll hold those for now and come back, just like you said. Prashil, I want to give you the same question on the recent evolution of North Korean cyber threats. And I wonder if we can draw on your background in threat intelligence, kind of round out the discussion.
[00:37:27] PRASHIL PATTNI: Thanks, Alex.
I think from our perspective, the threat, because we're particularly interested in Lazarus, I think we said it a few times now, there's kind of always just been two halves to conduct espionage and gain intelligence and then steal money to fund that intelligence. We've said that a few times now. So maybe a bit of a less glamorous evolution is that those priorities and those things haven't changed that much. They're actually held quite strong.
[00:37:57] But actually tracking from the cyber perspective, for us, how they've handled those two priorities over the years has actually been quite interesting. So they were obviously quite prolific at targeting banks prior to the pandemic, which the situation of travel put a halt to that and their cryptocurrency campaigns really took off. But from our perspective, all that tooling and knowledge and infrastructure that they created doesn't just go away.
So a really interesting evolution for here, for us, was seeing what happened to all those hallmark tools that Lazarus and North Korea and so on had made and relied on in those bank compromises. We can actually draw a quite nice line from that pandemic hitting, moving away from the financial sector. Those tools then get recast into kind of cryptocurrency trading applications for a short period of time, and now most recently have actually come full circle and put into use for their espionage campaigns. [00:38:59] And when it was their hallmark tools and particularly their primary backdoors and things of that, it kind of gives us a sense of how sorted their priorities are at any point. That priority of getting money hasn't really changed, but often at times we've seen what they're looking to gain on the espionage side change a lot. The different sector has always been of interest.
But it seems to adapt to their priorities. And so the targeting of vaccine research when the pandemic was at height, and then recently even the targeting of security research is quite unique to seemingly fund their own vulnerability research. I'd say there's nothing too glamorous in their innovation, particularly on the intel side. But overall, a lot of their tools have improved. So the cryptography, the opsec of their infrastructure and all these kind of things, they're slowly cleaning up flaws from previous years and mistakes. And a lot of times adapting open source code as well, we've seen that.
So yeah, I'd say maybe the best innovation they've taken is just really improving their operational security over generations of these tools.
ALEX O'NEILL: It's a really interesting point. I guess for Ashley, that throws a couple of different follow-up questions.
We'll circle back in just a moment. Helen, I want to go to you next for the other side of that question. I wonder if you can speak about how the toolkit for countering North Korea cyber threats has developed over the last two years.
Are there new capabilities that are available to policymakers or law enforcement or private sector partners?
[00:40:30] HELEN LEE: Thanks, Alex. I think I'm going to answer your question mainly from the South Korea government and policymaker point of view. Definitely in the last two years, I think especially since 2019, South Korea has done a lot of investing and put a lot of attention into their policy work and how to deal with cyber attacks, specifically North Korean cyber attacks.
[00:40:54] So in 2019– let me go back a little bit more. In 2014, the KHNP hack happened. I think South Korea really started realizing that cyber attacks from North Korea were something that needed the attention of higher level policymakers. So it established different training centers, like the Cyber Security Training Education Center, and then within that they established the National Security Research Institute, which now hosts cyber security academic conferences for various topics, including for cryptography. And it also started overseeing different types of training exercises, which has a cyber conflict exercise contest to train for crisis response capabilities.
[00:41:39] So all these different agencies and trainings and academic conferences are creating a new capability for policymakers, as well as the private sector to engage with the policymakers of South Korea to do more information-sharing and to collaborate on what the next North Korean threat might be and how to defend against those threats. And I think from then on, especially since 2019, we started seeing the national cyber security strategy and the national cyber security basic plan, which really put South Korea at the forefront of working on international and bilateral cyber cooperation with the United States. [00:42:18] So then since then, we saw in 2020, 2021 and 2022, annually, we saw joint statements between the United States and South Korea, different communiqués discussing stronger cooperation, closer communication, deeper coordination in the cyber domain. And most recently, in May 2022, we saw that the joint statement created our working group, which actually already did meet in August once. And actually, today, the 54th Security Consultative Meeting between the US and ROK counterparts took place and they released a joint communiqué reaffirming strengthening cyber cooperation and reaffirming their support for this cyber working group that was created in May. [00:43:03] So I think mostly we have definitely seen an increase in policy tools, different agencies and personnel that can be targeting, or that can be responding to cyber attacks from North Korea.
And I think that's reflected in the recent Belfer Center's cyber power ranking that showed that South Korea is now the sixth cyber power in the world, which it wasn't there a couple years ago when it first released that ranking.
ALEX O'NEILL: Thank you, Helen, for that. Ashley, I want to go to you next. Based on your perspective as someone working, one, in the private sector, but specifically on the blockchain analysis end goal, I wonder if you feel that in the last couple of years, your capabilities or the capabilities of your company and firms like that, if those have expanded. And then especially in the blockchain department; you mentioned that North Korea has been exploiting decentralized finance, plenty of other cryptocurrency angles, exchanges, bridges, things like that.
I wonder if you feel that the capabilities in your field have also expanded over the last couple of years.
[00:44:10] ASHLEY CHAFIN-LOMONOSOV: Thanks, Alex. They've absolutely expanded.
And it's a beautiful, incredible, awesome growing space. You're taking a philosophical concept of making the financial system open to more people, despite maybe not having access to banking or otherwise facing barriers that don't allow for access to traditional finance, and the beauty of that is, yes, tools are growing, efficiencies are being created, capabilities are being created as well. As the technology itself advances, so do the people.
But also the bad actors. So the unfortunate side of the crypto industry, the blockchain industry growing is that a lot of people recognize the business potential there and are hoping that they can turn a quick profit by getting into the industry as a relatively early adopter. And the result of that is exactly how North Korea's successful. [00:45:08] People are, especially in the decentralized finance realm, rushing to put up liquidity providers or smart contracts that maybe don't have the best either code security or, in the case of companies, network security. And because they're not investing time and resources into setting up a great business with proper cyber security practices or completely solid contract code for smart contracts, DPRK has also at the same time invested in their education and their hackers' abilities and can now exploit those.
[00:45:44] And because this is an innovation, the industry as a whole is an innovation in financial technology, there's a lot of money floating around. And unfortunately, North Korea has found an absolutely ideal way to exploit that. [00:46:02] And oftentimes the decentralized finance is trustless and permissionless and often– it exists because it aims to remove the intermediaries from financial and other transactions.
So they're doing this without anyone in the way to stop them.
ALEX O'NEILL: I'd like to go to Prashil next. Same question on how the toolkit has expanded, but I want to ask both from an incident response and whether it's attributions or breaking down the TTPs on the one hand, but then also on the defense and cyber security side on the other hand. I wonder if you feel that your toolkit, your capabilities have expanded.
PRASHIL PATTNI: Yeah, definitely. I'll probably speak towards the kind of tracking of threats and that threat intel side. But what we always say when we're tracking these groups is that we're pretty much tracking their choices, and particularly when those choices touch the internet. And so, the infrastructure behind all these North Korean groups, where do they buy their domains from, where do they host their servers, what website or software do they want to use, and so on. [00:47:04] And over time, I'd like to say things have developed in our favor because you actually just have more and more options in those choices as the internet has expanded.
And then the tools, both in private and public sectors, have improved to track those choices. So, things like your internet scanners, malware repositories, DNS repositories, et cetera. [00:47:27] Trying to make all these different choices with no patterns we can track is really quite difficult for anyone, let alone those North Korea groups. Particularly when they aren't quite aware of the patterns that we're exploiting.
And so, trying to ensure randomness for all those different choices is a lot of work. And countering, for us, those cyber threats through cracking them can be quite fun, trying to figure out which combinations of choices actually result in resilient patterns for tracking. I don't want to paint too much of a rosy picture for the threat intel method of tracking North Korean groups through their infrastructure and malware.
And the flip side to all of this is that as we've got more and more ways of tracking them, how these groups track with the internet, when people blog about those things, as you want to do when you've done some really interesting research, things can get quite tricky. And so, the group themselves are starting to understand how we track them as well. [00:48:33] One definite recent example: There was a tool called Dacls[?] and this received a number of fairly detailed blogs on its use and how to track it in 2020. And we could almost draw a line between those blogs coming out and the tool going away effectively and the infrastructure going away. And only just a few months ago now, we've picked up that tool again and the infrastructure and the malware is vastly improved, and all the ways we were using to track it before are gone.
And we can never know if they've actually read those blogs, but it definitely feels that way from the tracking perspective. But yeah, definitely. I think the toolkit for us has always been trying to figure out what their malware and infrastructure is doing and has paid great dividends for us both on the threat intel side and the incident response side.
ALEX O'NEILL: It's a super interesting point because on the one hand it's clearly such a technical field; you have to be very specialized, you have a lot of highly technical tools. And on the other hand, there are some psychological or decision-making elements to it as well.
And so it's interesting to blend those two together in that field. Prashil, I want to stay with you for a moment and ask a related follow-up question, which is, we've spoken thus far about things that we are paying attention to, areas where we do have innovation and our capabilities have expanded. Conversely to that, are there areas that policymakers or private firms like your own or like others should be paying more attention to? Are there tools that exist but that have gone underutilized essentially?
[00:50:01] PRASHIL PATTNI: I think for this point I might wait till the cryptocurrency sector as there's a lot going on there, and perhaps more that could be done.
We've obviously seen, from the policymakers' perspective, sanctions. I don't want to speak too much out of turn as policy-making isn't really my expertise. But sanctions have been great for combatting things and money laundering post-compromise. But it would be great to see some attention given to things pre-compromise. I think we often assume with the cryptocurrency sector that it doesn't want to be regulated or maybe it can't be regulated.
But it also seems to be moving that direction on its own. [00:50:45] We recently finished up our yearly stats for cyber crime in the cryptocurrency sector, as well as North Korea. And what we found there was this idea of auditing in the cryptocurrency sector, which has already become kind of its ecosystem there where you now have organizations that are specifically selling services to audit smart contracts in your application.
And then people, these organizations get an audit done and then kind of use it as a seal of approval in some sense, kind of putting it on their documentation, their website, their Twitter, and so on. [00:51:22] It sounds like a logical idea, but what we ended up finding was that most victims of cryptocurrency heists this year either didn't do an audit or they'd just done one or two and then they plastered it on their website that they had those audits. In the rest of the software development world and the traditional finance, we'd never be able to release a product or an update of a product without some kind of red-teaming activity. And there's a lot of documentation on that, on how you develop software in a skilled manner. So it would be great to see policies or standards that start helping with that field of auditing, making sure you're getting audits from organizations who know what they're doing, updates every release scoped correctly, and that hopefully you start giving more weight to that statement, "we've been audited per XYZ standards."
ALEX O'NEILL: You mentioned crypto and DeFi and blockchain and smart contracts. I want to go back to Ashley for your take on what policymakers should be paying more attention to or what tools exist that have gone underutilized. And then we'll go to Helen and then to Ahyoung after that.
[00:52:30] ASHLEY CHAFIN-LOMONOSOV: Prashil really nailed it there. It's incredible.
First of all, I'm not a policymaker; I do deeply, deeply appreciate the art and science, take your pick, of all that goes in to policymaking. And a lot of what we've seen in the crypto space has been really effective, but it's also given pause to users in the industry. Because again, the nature of decentralized finance is to remove regulation and intermediaries. So yes, Prashil made a great point with these smart contracts, and these decentralized applications do get audited, and they use that as a seal of approval, and then they make changes and never get audited again. And that leaves room for exploitation. [00:53:10] The other potential issue in the industry is that there are a very, very, very small number of companies that are trusted and able, technically able, to audit these smart contracts; the space is ever-evolving.
Some contracts are written in coding language that was created less than five years ago so there's a lot of room to grow and learn in the industry. But then I've heard that the wait time to get some of these well-known contract audit firms to review your project is upwards of 18 months. And I go back to what I said earlier about how people are rushing to get into this space to profit, which is valid; there's a lot of room for growth and revenue here. But it comes at a cost in that anyone, you right now, could deploy a smart contract on take-your-pick blockchain network. And people do. And sometimes they're doing it without being audited.
[00:54:05] So in terms of tools that policymakers either underutilize or could pay more attention to, the sanctions have been great and revolutionary recently. But obviously that doesn't stop crypto activity. So one really, really great example that I'd like to explain is that the US Treasury Department's Office of Foreign Assets Control, OFAC, designated Tornado Cash in August of this year. And Tornado Cash is a decentralized – as in no intermediary party facilitating these transactions – code-based, smart contract-based mixer. And basically, what its goal was to obfuscate the source of funds from the destination funds.
It was very, very, very heavily utilized in some of the DPRK activity that we've seen this year. And the Treasury Department, alongside US law enforcement, alongside global law enforcement, was able to take the website down in most parts of the world. However, because what you put on the Ethereum network in that case and other networks, what you put on the blockchain is permanent and you can still route funds through Tornado Cash. Now, presumably you wouldn't want to do business with the US financial, global financial system at that point because you're working with a designated entity, but sanctions have been good.
Except it doesn't really stop the problem, it just kind of forces illicit actors to do something different. [00:55:39] And again, back to Prashil's point, you do this awesome research, you do this awesome thing and you want to tell people about it; you want to publish it and talk about it. But that kind of disrupts the research and seizure element of it where, for so long we could see through these smart contract interactions and understand exactly where North Korea and other illicit groups were routing their funds, but now that they – well, in theory – shouldn't have Tornado Cash to use, they've been forced to find other methods. But as I said, you can still route funds through such a mixer. [00:56:14] Sanctions have been great, but other tools– education is paramount. There are only 24 hours in a day, but the quicker you – you, policymakers in general – get up to speed on what is happening in the crypto industry and all the intricacies and just players in the space and technical features of an ever-growing element of finance, the quicker they'll be able to act and make a very comprehensive, very reasonable policy.
ALEX O'NEILL: Some really interesting points. I think, Ashley, you identified two really helpful tensions there in that crypto/blockchain/DeFi space, one of which is the tension between building out as quickly as possible your user and your revenue growth, versus having good cyber security practices. There's an inherent tension there.
What have you folks done first with your limited resources? But also it sort of markets itself as promoting autonomy and freedom and immunity in certain cases. And on the flip side, right, it seems like, based on what you're saying and what Prashil was saying, there's been a push for, in some cases, more security and regulation to make sure people aren't being stolen from. So I think some really good flags in the comments that you made. Helen, I want to go to you for more of a policymaking perspective.
I wonder if you could speak about what policymakers should be paying more attention to, and if there are tools that exist that have gone unutilized.
HELEN LEE: I think I want to start with something I mentioned earlier about how starting in 2019 South Korea really came out to focus more on international and bilateral cyber cooperation as we see. [00:57:44] One thing is that this year, South Korea did participate in some multilateral cyber exercises with the United States. But bilateral ones just don't exist yet.
[00:57:58] Also I think one thing that both South Korea and the United States have been crucially missing is there are comparative advantages that we need to really use and leverage in this space. So for example, in 2019, South Korea and the United States cooperated on taking down a child abuse website called Welcome to Video. It was a South Korea-based site. And it used Bitcoin transactions.
So it actually started with tracking Bitcoin illicit transactions and then eventually led to this huge child abuse site. [00:58:29] What made this operation really successful is that it used the power of US IRS; so, US's economic and financial power. But it also really utilized Korea's knowledge about cryptocurrency, as well as their regulations, which are a little bit different from how the United States does it.
And although this is not against the DPRK, if we were to use comparative advantages like this against DPRK cyber attacks, for example, using the United States economic power, as we just heard from Prashil and Ashley, sanctions have been working to a certain extent, that's something that only the United States can do. That's something that South Korea cannot. But if we can use that in conjunction with South Korea's knowledge about North Korea and cyber attack motivations and capabilities, as well as the language and cultural background and law enforcement mechanisms, the two nations can do a lot and make a lot of progress in stopping and preventing future North Korean cyber attacks.
[00:59:33] I think one thing that South Korean policymakers have been really missing is information-sharing. The culture in South Korea, as well as the policies that are existing right now, just are not– they don't guide companies in the private sector to report cyber incidents, to require information-sharing. And the culture is that none of the companies want to share it because it's going to give away trade secrets, or it's going to make them more disadvantageous economically. So if South Korea could focus a little bit more on the process of information-sharing, I think that'll create a lot of progress for South Korea as well.
[01:00:12] And finally, I think South Korea has not– and the United States can do a lot more in private-to-private partnerships. A lot of the North Korean cyber attacks that we see are not against the military; they're against the private sector or against people on LinkedIn or against the chemical companies in the UK. If the companies of various nations can work together to figure out what is a better way to defend against these cyber attacks, first they have a lot more incentive to do so, and second, we can actually defend against cyber attacks that are happening in that sector. And one example of that is, I mentioned this before, but in 2014, KHNP, which is South Korea's hydronuclear power plant, got hacked by North Korea. In 2021, they signed an agreement with US Utility Service Alliances to develop better defenses against cyber attacks.
ALEX O'NEILL: Those are very great points. And I think underlying a lot of what you said is that it's easy to say cooperation on a Zoom call here and a Zoom webinar, but the actual mechanics of getting different countries, different law enforcement organizations, different private sector companies to cooperate, either with each other and/or with the government, those mechanics can have a lot more friction than you would anticipate. It's a really good flag, Helen. Ahyoung, we'll go over to you next.
What should policymakers be paying more attention to? And what tools exist but have gone underutilized?
[01:01:42] AHYOUNG SHIN: So from an AI perspective, I think they should be paying more attention to the regulatory environments because extensive regulations on access to open source information and technologies do not exist yet. As I mentioned earlier, North Korea can really exploit this lack of regulation for AI. [01:02:03] So recognizing this risk, they should, first, understand how regimes acquire AI capabilities so that they can tailor regulations to address education exchange and knowledge transfer, along with limiting their access to technology. [01:02:22] So specifically, they can develop AI-specific norms, regulations or technology solutions that focus on the three fundamentals of AI development, which are data, computing power and talent.
So they should be developed so that policymakers can prevent any malicious use of AI for cyber security. And one way to do so is to develop and distribute security tools for common security problems in AI systems. And another approach that they can take is similar to good cyber security; they can promote a culture of social responsibility and ethical standards in the use of AI technology or AI research. And also promote the security of open source information and software as well. [01:03:17] And lastly, it's equally important to monitor the progress and proliferation of AI-relevant resources, like the regulations, like international data protection.
And examples of these tools can be, one, introducing free publication of risk assessments in technical areas of special concern, like adversarial machine learning so that the