By Anthony Eich on December 18, 2021

Executive Summary

The North Korean dictatorship, headed by Kim Jong-un, is behind some of the most nefarious cyberwarfare operations active on the global stage. Since the Korean War armistice of 1953, the country has been under heavy sanctions that prevent financial solvency. With its focus on military power and its drive towards nuclear capability, the North Korean government has placed a strong emphasis on financial gain through malicious hacking activities. In recent years the North Koreans have been connected to many cyber attacks resulting in theft, disruption of services, and political propaganda. Because the country is largely cut off from the outside world, due in part to the sanctions but also because of the maniacal controls the government exerts over the general population, little is known about the goings-on inside the country. That limited flow of information works both ways: the North Koreans have limited knowledge of the outside world, and what knowledge is available is strictly controlled. However, since the Internet provides the most economical way for the country to reach the rest of the world, it is highly likely that it will continue to grow the cyber arms of its intelligence operations [1][3].


The Reconnaissance General Bureau is the North Korean intelligence agency that has oversight of cyberwarfare operations. Many hacker groups are attributed to the country, such as Advanced Persistent Threat (APT) 37, APT 38, Hidden Cobra, Guardians of Peace, and many others. Since these groups, currently numbering in the dozens, overlap significantly in tooling and infrastructure, they are often attributed under the umbrella moniker Lazarus Group [2]. Several of these groups became active between 2009 and 2012, a period in which North Korea significantly ramped up its cyber espionage activity. The country, which is cut off from the global economy and quite impoverished, has turned to the more economical battlefield of cyberspace. Several notable cyber attacks and malware families have been deployed by the North Korean groups, which typically target financial institutions and aim to incite civil unrest through political propaganda [3].

Figure 1: North Korean Cyberspace Units


Electronic theft of funds has become a driving force of the North Korean hacker groups, but there is also a strong presence of attacks with a political agenda, with their primary targets being South Korea and the United States. The Lazarus Group and its derivatives have been behind some of the most prolific cyber attacks of the last decade. One of the most well-known of these attacks took place in November 2014 and has come to be known as the Sony Pictures attack, in which the aforementioned movie studio was subject to an extensive data breach. The motivation for the attack appeared to be outrage by the North Koreans over a comedic movie depicting the assassination of the North Korean leader, Kim Jong-un [4]. Another attack was carried out with the WannaCry ransomware worm, which spread across Microsoft Windows systems in May 2017. The attack encrypted user files and demanded a Bitcoin ransom. Some of the cyber attacks are not so subtle, such as the theft of roughly $81 million from Bangladesh Bank in 2016, and other heists of financial institutions in the Philippines, Vietnam, and Poland [5]. Another goal of the Lazarus Group is intelligence collection. Because the country is isolated from the majority of the world, much of the information that it receives comes over the Internet. Not many Internet Protocol (IP) addresses are allocated to North Korea, which limits the amount of data that can be transmitted via standard means [1][2][3].


Due to the ongoing sanctions against North Korea, cyber attacks will continue to be the most economical means for the country to strike out against the world and to gain financially. The government of this dictatorial regime has dedicated much of its limited resources to these hacking groups. It can be expected that attacks involving fraud, theft, and blackmail will continue to grow in the coming years. Even online gambling is part of the income-producing activity of these nation-state-backed organizations. Since there are no limits as to where and when these attacks may come, vigilance towards cyber security is the best means of remaining protected. Regular updates of software and virus definitions provide protection against the North Korean hacking groups, but awareness of the regime's activities is the primary weapon of defense for the world's computer systems.


[1] Defense Intelligence Agency. (2021). 2021 North Korean Military Power. Washington, DC: U.S. Government Publishing Office.

[2] Lazarus Group. (2021, October 14). Retrieved November 4, 2021, from ATT&CK:

[3] North Korea Cyber Threat Overview and Advisories. (2021, February 2017). Retrieved November 4, 2021, from Cybersecurity & Infrastructure Security Agency:

[4] The Sony Hack One Year Later: Just Who Are The Guardians Of Peace? (2015, November 24). Retrieved November 4, 2021, from Deadline:

[5] What is WannaCry ransomware? (2021). Retrieved November 4, 2021, from Kaspersky: