North Korean Hackers’ Ties to the Global Underground
Introduction: “A Criminal Syndicate with a Flag”
Over the last decade, financially motivated operations have come to play a central role in North Korea’s cyber strategy. The illicit revenue those operations generate helps blunt the impact of tough global sanctions and supports the regime’s ballistic-missile and nuclear-weapons programs. It can enable the procurement of banned military or dual-use technology as well as luxury goods for Pyongyang elites. Profits from computerized theft are also believed to help fund other components of North Korea’s cyber program, from hacker training to tooling development to non-remunerative campaigns designed to gather intelligence or cause destruction. Crucially, as Daniel Pinkston has written, “cybercrime offers remote access to illicit revenue without the risks of being detained and prosecuted abroad.” The sharply increasing pace and scale of North Korean financially motivated operations since the early 2010s reflect their growing importance in Pyongyang’s cyber arsenal.
North Korean financially motivated hackers often behave in cyberspace more like criminals than traditional state actors. Most governments concentrate their offensive cyber resources on espionage, sabotage, and information campaigns that might involve stealing military secrets or strategically leaking documents from foreign political parties. Pyongyang participates actively in those sorts of activities – the theft of classified U.S.-South Korean war plans and the attack on Sony Pictures Entertainment (SPE) come to mind – but additionally devotes significant resources to illicit revenue generation via theft. In the latter regard, North Korea is believed to be unique among states. Considered alongside cybercriminals, however, North Korea’s behavior becomes more familiar. Its opportunistic targeting of financial institutions, its engagement in “big-game hunting” as well as petty e-crime, and its enlistment of “money mules” to launder profits all mirror common criminal tactics. State-sponsored or not, specialized tools designed to exploit a bank network or steal credit card information from an e-commerce site are criminal in nature. FireEye notes that if not for the North Korean threat cluster APT38’s government backing, the group might have been better categorized as a “FIN” outfit. For analytical purposes, North Korean financially motivated operations should be viewed dually through the lenses of criminality and statecraft. “Simply put,” the former Assistant Attorney General for National Security John Demers remarked in February 2021, “the regime has become a criminal syndicate with a flag.”
Collaboration with foreign groups has long been a key feature of Pyongyang’s criminal initiatives in the physical world, and cyberspace is no exception. Just as North Korean smugglers have relied on organized crime syndicates like the Japanese Yakuza to traffic narcotics and launder money, North Korean hackers appear to have engaged in cyberspace with foreign criminals to obtain advanced tools and organize the collection of in-country payouts. The dominance of the Russian-speaking cybercriminal underground makes it a logical target for collaboration. Top Russian-language forums like Exploit, whose tens of thousands of users have made more than one million posts since it launched in 2005, represent some of the world’s leading platforms for exchanging illicit products, services, and knowledge.
Russian-speaking gangs have stolen hundreds of millions of dollars from victims around the globe, often using innovative proprietary methods. Russian authorities’ willful blind eye toward domestic e-crime – so long as its victims lie outside the Commonwealth of Independent States (CIS) – is another key element of the Russian-language underground’s appeal.
Dealing with foreign cybercriminals enhances North Korea’s capabilities and enables it to allocate resources more efficiently. One form of engagement involves purchasing access to networks others have already compromised, which allows threat actors to focus on exploiting the target system once inside. While public and semi-private forums offer plenty of accesses of varying quality, North Korean actors seem to prefer to deal directly with elite Russian-speaking groups either on closed platforms or through private channels. In other cases, North Korean hackers appear to have purchased malware from CIS-based vendors. A third type of collaboration involves the purchase of monetization services, such as money laundering and online hosting for stolen-data sales. To be sure, North Korean actors boast advanced malware-development capabilities and a record of pioneering their own accesses to lucrative targets through novel means. Nonetheless, dealing with foreign cybercriminals, particularly CIS-based Russian speakers, offers access to valuable products and services. The benefits of collaboration are not irreplaceable, but North Korean actors would be worse off without them.
This report explores North Korean financially motivated actors’ convergence of interests and tradecraft with cybercriminals, focusing on their dealings with the Russian-language underground. It relies primarily on open-source material, threat-intelligence reporting, and expert interviews, as well as on U.S. court filings and sanctions designations. The report begins with a detailed consideration of North Korea’s approach to computerized illicit-revenue generation. It then examines the layered collaboration between North Korean actors and clusters of Russian-speaking cybercriminals, proposing explanations for why collaboration is appealing and why the Russian-language underground ecosystem has flourished. It concludes by discussing the implications of those linkages and flagging important areas for further research.
O'Neill, Alex. “Cybercriminal Statecraft.” Belfer Center for Science and International Affairs, Harvard Kennedy School, March 15, 2022.