Ross Rustici

The Democratic People's Republic of Korea's (DPRK) cyber activity has often been talked about in terms of radical actions and Bond-style plots. However, their activity appears to be driven by three rational motives: spying, attacking, and racketeering. 

Spying: Traditional espionage takes place on a regular basis, although it is hardly ever talked about. Earlier this year, the group was caught sending remote access trojans to US defense contractors. This type of activity, while a constant hum, is often overshadowed by North Korea's other cyber goals. 

Attacking: The most spectacular motive is the carrying out of destructive attacks for retaliation purposes. By charting the instances of North Korean destructive activity over time, it becomes apparent that the regime uses destructive cyberattacks to retaliate for perceived provocations. The motivation popularly cited for the 2014 Sony attack was the disrespect shown to Kim Jong-Un as a result of the motion picture The Interview. The 2013 DarkSeoul attack against South Korea, which crippled news stations, financial institutions, and government websites, was in direct response to military exercises hosted by the US and South Korea earlier in the month. 

Racketeering and Money Generation: The final motivation for their cyber program is currency generation. While North Korean hackers have been conducting low level activity for over a decade to create hard currency for a regime constantly under economic sanctions, the most spectacular instance of this type of activity was the 2016 Bangladesh Central Bank attack. It was a partially successful attempt to steal over $900 million. While this Goldfinger-esque plot should be something relegated to the movies, the hackers employed by the North Korean regime are under significant pressure to create a steady stream of remittances back to the North Korean government. This makes North Korea the only country to knowingly sponsor and task hackers who conduct all three types of activity - spying, attacking, and racketeering. 

Given the current escalation cycle revolving around the testing of ICBMs and an exchange of threats between North Korea and the United States, the DPRK's cyber program is likely to spin into high gear, but not with destructive retaliatory strikes. 

The exchange of threats actually plays into North Korea's propaganda machine and is likely seen within the elite circles as a blessing. The overt threat of nuclear war will give the regime “bulletin board” material for several months. They'll use this to reinforce the narrative that North Korea is under constant threat from the US and all the ills facing the population are a direct result of these foreign powers.

However, what cannot be ignored is the new UN sanctions levied against North Korea as a result of the missile tests. If the sanctions take full effect AND are fully enforced, North Korea's GDP could be reduced by one third, with potentially catastrophic consequences for a regime barely able to provide essential services for the country. This will almost certainly result in a large increase in illicit activity in an attempt to raise revenue to compensate for the enforcement of sanctions. 

While experts analyzing the situation in North Korea are correct to worry about North Korean hackers, the nature of that threat in the near term is far more specific than the full expanse of their activity. 

The global financial industry is likely to see a large spike in activity. In addition, traditional scamming operations against online gaming communities will increase. It is also likely that the North Koreans will increase their attempts to hack cryptocurrency exchanges given the recent string of successful heists. The immediate need to bolster their finances will likely lead to a decrease in their operational capacity to conduct destructive attacks (Sony) or even traditional espionage. As the sanctions tighten North Korea's belt, the country will look to operate more like a narco state; only, its income will be derived from the sale and execution of cyber intrusions rather than the sale of drugs.