
Cybercrime in North Korea: What you need to know

An isolated and heavily restricted totalitarian state, North Korea engages in a range of cyber activities that violate international law, including conducting illegal cyber operations around the world. Ongoing international sanctions against North Korea prohibit a broad range of economic activities and are estimated to cost the country up to $1 billion in trade annually. However, North Korea’s cybercrime operations have become sophisticated and effective, and are thought to have generated over $2 billion to date, significantly offsetting the economic damage of sanctions.

As sanctions continue to add pressure, North Korea’s leadership is increasingly deploying cyberattacks to provide economic relief. Given the potential for sanctions compliance penalties, it is vital that firms understand the North Korea cybercrime risks, and how to implement a compliance solution capable of detecting and preventing threats.

Understanding North Korea cybercrime

Although it has a relatively weak diplomatic and military presence on the world stage, North Korea’s cybercrime capabilities are well developed and are in line with the country’s military strategy and national goals.

North Korea cybercrime activities reflect the strategies that it uses to mitigate the effect of its strict sanctions environment, including the illegal trafficking of weapons, precious metals, and counterfeit currency. From the North Korean perspective, cyber crimes are effective because they are less visible to regulators, hard to trace, and take advantage of the international community’s focus on its nuclear capabilities. Cybercrimes are also relatively low cost and easy to perpetrate with potentially significant rewards if executed successfully. A 2019 UN report stated that financial proceeds from North Korea cybercrime activities are generally directed towards the North Korean military and nuclear weapons programs.

Examples of North Korea cybercrime

North Korea has been responsible for numerous cyberattacks against foreign countries, including South Korea, the United States, and the EU. Examples of significant North Korean cyber attacks include:

  • The Sony Pictures film studio hack in 2014 that resulted in the leak of unreleased films and thousands of private documents.
  • The theft of $1 billion from the Central Bank of Bangladesh in 2016 via a hack of the SWIFT banking system.
  • The WannaCry ransomware attack in 2017 that infected over 200,000 computers in 150 countries and resulted in up to $4 billion in damage. 
  • The hack of two cryptocurrency exchanges in 2018 that resulted in the theft of over $250 million in crypto tokens. 
  • A hack of pharmaceutical company Pfizer in 2021 in what was assumed to be an attempt to steal information on the Covid-1
  • Cyberattacks on entertainment firms such as film studios
  • Cyberattacks on banks
  • Ransomware attacks enabling extortion
  • Attacks on cryptocurrency service providers 
  • Deployment of malicious cryptocurrency applications
  • Spear phishing activities

Preventing North Korean cyberattacks

North Korea’s cybercrime arsenal is expansive, but firms may mitigate risk and better protect themselves by understanding the criminal methodologies behind the threat. In practice, this means becoming familiar with a range of red flag cybersecurity weaknesses, including:

  • Account sharing: When employees share account logins for ease of access to a software platform or workstation, hackers may be able to exploit a lack of accountability for the protection of confidential data. 
  • Outdated cybersecurity: Firms that do not update their cybersecurity protections regularly risk missing emerging cyber threats or vulnerabilities in their existing solutions.
  • Data management: Firms that exercise poor control of sensitive data put themselves at greater risk of cyberattack. Information sent over email, for example, should be encrypted to protect it from interception by third parties. 
  • Weak back-ups: Ransomware attacks restrict access to crucial systems and data, often as an extortion strategy. Firms that do not maintain effective back-ups increase the potential damage of a ransomware attack. 
  • Password integrity: Employees who use simple or generic passwords are an attractive target for hackers, who may be able to guess or infer login information to gain access to protected systems.
  • Firewall configuration: Firms that implement generic firewall protection may be vulnerable to more sophisticated hacking and phishing attacks. Firewalls should be configured to reflect the specific risks of a firm’s environment. 

It is important to remember that not all North Korea cybercrimes are intended to generate financial profit. Many attacks target government networks and infrastructure in order to access protected information.

North Korea cybersecurity compliance

In order to prevent North Korea cybercrime, financial institutions must be aware of the risks they face and deploy appropriate cybersecurity measures. Similarly, financial institutions must ensure they do not inadvertently aid illegal North Korean activities by facilitating transactions on behalf of cyberattack perpetrators or by moving funds that have been derived from cyberattacks. To this end, many governments, including the UK, the EU, and the US, have implemented dedicated sanctions regimes targeted at North Korea.

Sanctions penalties: Breaches of North Korean sanctions can result in significant financial and criminal penalties, including prison sentences for individuals that are found to have acted unlawfully. In the United States, for example, North Korea sanctions breaches may result in fines of up to $1,000,000 and prison sentences of up to 20 years.

Achieving compliance: With penalties in mind, regulators require firms to implement robust sanctions screening measures, as part of a wider anti-money laundering (AML) program, in order to detect customers and transactions that are linked to North Korea cybercrime and that may (knowingly or inadvertently) breach sanctions regulations. 

An effective North Korea sanctions screening solution should include checks of all relevant international sanctions and watch lists, including the OFAC sanctions list, the UK sanctions list, the EU sanctions list, and the UNSC consolidated list. Sanctions screening should reflect the level of risk each customer presents and take into account unique North Korean naming conventions, use of aliases or nicknames, and the use of non-Latinate characters in spellings. 
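The name-matching side of such a screen can be sketched as follows. This is an added example, not ComplyAdvantage code: the watch-list entries are constructed, and the 0.85 threshold and the function names are assumptions chosen for illustration. It handles family-name-first versus given-name-first ordering, hyphenated or joined given names, romanization variants held as aliases, and Hangul submitted in decomposed Unicode form.

```python
import re
import unicodedata
from difflib import SequenceMatcher
from itertools import permutations

# Constructed watch-list entries for illustration; not from any real sanctions list.
WATCHLIST = [
    {"id": "EX-001", "name": "Ri Chol-min", "aliases": ["Lee Chul Min", "리철민"]},
    {"id": "EX-002", "name": "Pak Song-il", "aliases": ["Park Sung Il"]},
]

def tokens(name):
    """NFKC-normalize (composes decomposed Hangul), casefold, split on punctuation."""
    text = unicodedata.normalize("NFKC", name).casefold()
    return re.sub(r"[^\w\s]", " ", text).split()

def similarity(query, listed):
    """Best ratio over every ordering of the query tokens, ignoring spaces and hyphens."""
    q = tokens(query)[:5]                 # cap at 5 tokens (120 orderings)
    target = "".join(tokens(listed))
    if not q or not target:
        return 0.0
    return max(SequenceMatcher(None, "".join(p), target).ratio()
               for p in permutations(q))

def screen(query, watchlist=WATCHLIST, threshold=0.85):
    """Return (entry id, matched name, score) for entries at or above the threshold."""
    hits = []
    for entry in watchlist:
        score, matched = max((similarity(query, n), n)
                             for n in [entry["name"], *entry["aliases"]])
        if score >= threshold:            # threshold is an illustrative assumption
            hits.append((entry["id"], matched, round(score, 2)))
    return sorted(hits, key=lambda h: -h[2])
```

Hits from a matcher like this are candidates for analyst review rather than confirmed matches; the threshold trades missed variants against false positives and should follow the customer's risk level.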

Beyond creating an effective sanctions screening solution, firms should focus on the Know Your Customer (KYC) process in order to understand who their customers are, and what level of compliance risk they present. The KYC process is a foundation of effective AML and entails the following measures and controls:

  • Customer due diligence: Firms must verify the identities of their customers (or beneficial ownership of customer entities) in order to ensure they are not doing business with persons subject to North Korea sanctions or involved in cyberattacks.  
  • Transaction monitoring: Firms need to adopt transaction monitoring systems to ensure that their customers’ transactions are not linked to North Korean cyberattacks and are not indicative of attempts to avoid sanctions screening measures.
  • PEP screening: Politically exposed persons (PEP) may be leveraged by North Korean persons to commit cyber crimes on their behalf.
  • Adverse media screening: Negative news media stories often indicate that customers are involved in criminal activities, including cyber crimes, that are linked to North Korean persons.


Originally published 15 April 2021, updated 20 September 2024

Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.

Copyright © 2024 IVXS UK Limited (trading as ComplyAdvantage).