North Korea's Internet Use Surges, Thwarting Sanctions and Fueling Theft

David E. Sanger
President Donald Trump and Kim Jong Un, the North Korean leader, prepare to cross from the North Korean side of the Demilitarized Zone into South Korea at Panmunjom on June 30, 2019. (Erin Schaff/The New York Times)

WASHINGTON — North Korea has vastly expanded its use of the internet in ways that enable its leader, Kim Jong Un, to evade a “maximum pressure” U.S. sanctions campaign and turn to new forms of cybercrime to prop up his government, according to a new study.

The study concludes that since 2017 — the year President Donald Trump threatened “fire and fury like the world has never seen” against the country — the North’s use of the internet has surged about 300%. Nearly half that traffic now flows through a new connection in Russia, avoiding the North’s longtime dependency on a single digital pipeline through China.

The surge has a clear purpose, according to the report released Sunday by Recorded Future, a Cambridge, Massachusetts, group known for its deep examinations of how nations use digital weaponry: circumventing financial pressure and sanctions by the West. Over the past three years, the study concluded, North Korea has improved its ability to both steal and “mine” cryptocurrencies, hide its footprints in gaining technology for its nuclear program and cyberoperations, and use the internet for day-to-day control of its government.

“What this tells you is that our entire concept of how to control the North’s financial engagement with the world is based on an image of the North that is fixed in the past,” said Priscilla Moriuchi, a former National Security Agency analyst who directed the study and has long focused on North Korea and Iran. “They have succeeded at an easy-to-replicate model of how to move large amounts of money around the world, and do it in a way our sanctions do not touch.”

“Our sanctions system needs a radical update,” she concluded.

The report helps solve the mystery of why the country’s economy appears to have survived, and in some sectors actually grown, as the United States and its allies have talked about their success in choking off oil supplies and cracking down on North Korea’s skillful production of counterfeit U.S. currency.

It also further complicates the Trump administration’s paralysis in dealing with the North. Sanctions have remained in place, though Trump does not like to talk about them, even as his personal diplomacy with Kim sputters.

An expected resumption of intercontinental ballistic missile tests, which North Korea appeared to threaten at the end of 2019, has not materialized. But even if the situation remains in a quiet stalemate, the report suggests that Kim is poised to take advantage: Just as he is continuing to invest in his nuclear program, he is also pouring resources into a cyberprogram that is both a potent weapon and a revenue generator.

Moreover, the report, titled “How North Korea Revolutionized the Internet as a Tool for Rogue Regimes,” concludes that other nations are watching the North Korean model, and beginning to replicate it.

“Iran has begun to pursue cryptocurrencies as a method for facilitating international payments and circumventing U.S. financial controls,” it notes.

Moriuchi, who left the National Security Agency in 2017, began tracking the internet use of the North Korean elite 2 1/2 years ago, a period that encompassed Trump’s confrontational approach to the North, the country’s missile launches and then the stalled diplomacy that has followed the president’s three meetings with Kim.

In 2017, Moriuchi could easily see the content of the North Korean elite’s searches, most of which appeared to be for leisure: While ordinary North Koreans have access only to a restricted, in-country version of the internet, the country’s leaders and their families downloaded movies, shopped and browsed the web on nights and weekends.

But that has changed. Internet use has surged during office hours, suggesting the leadership is now using its internal networks the same way the West does: conducting daily government and private business. Now the country has developed its own version of a “virtual private network,” a technique to tunnel through the internet securely that has long been used by Western businesses to secure their transactions.

Meanwhile, the country’s efforts to encrypt data and hide its activities on the web have become far more sophisticated. And through a network of students, many in China and India, the North has learned how to exploit data that could improve its nuclear and missile programs.

The largely home-built effort to hide traffic, the report concluded, was being used to steal “data from the networks of unsuspecting targets, or as a means of circumventing government-imposed content controls.” Such methods have long been used by Chinese and Russian hackers, often working for intelligence agencies.

The North has managed to surprise the world before with its digital savvy: In November 2014, its devastating cyberattack on Sony Pictures Entertainment in an effort to kill “The Interview,” a comedy about two bumbling journalists sent by the CIA to kill Kim, exposed U.S. digital vulnerabilities. That was followed by a bold effort to steal nearly $1 billion from the Bangladesh central bank through the international financial settlement system called SWIFT. Other central bank attacks followed.

North Korea’s most famous cyberattack, using code called WannaCry, disabled the British health care system for days and created havoc elsewhere. It was based on vulnerabilities that had been stolen from the National Security Agency, and published by a group that called itself the Shadow Brokers. U.S. officials have never publicly acknowledged their inadvertent role in fueling the attacks.

But the report suggests the North has now moved on. It has figured out more effective ways to steal cryptocurrencies. And it has begun to produce, or “mine,” its own, chiefly through Monero, a lesser-known alternative cryptocurrency to Bitcoin that advertises that it “obfuscates sending and receiving addresses as well as transacted amounts.” In short, it is perfect for any nation — and its financial partners — seeking to avoid United Nations and U.S. sanctions.

It is impossible from the data available to Recorded Future to figure out how profitable the “mining” operations are, and some cyberexperts believe that more traditional methods — ranging from manipulating the SWIFT system to churning out ransomware attacks — are probably more fruitful.

“North Korea has for several generations pursued an all-of-the-above approach to gaining illicit funds, so it wouldn’t be a surprise if they indeed expanded their cryptocurrency mining efforts to complement their hacking ones,” said Ben Buchanan, the author of a new book, “The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics.”

But as Buchanan’s book notes, the country’s digital warriors have proved to be enormously fast learners, and “what the North Koreans lack in skill, at least as compared to their counterparts at the NSA, they partially make up for in aggressiveness and ambition.”

“They are quick to embrace new services or technologies when useful and cast them aside when not,” the Recorded Future report concludes. “The Kim regime has developed a model for using and exploiting the internet that is unique — it is a nation run like a criminal syndicate.”

This article originally appeared in The New York Times.

© 2020 The New York Times Company