Escalation of Cyberattacks from North Korea

Escalation of Cyberattacks from North Korea 

by Jon Heimer

How many times in the past year have you heard language about cyberwar and whether or not it has a place in physical war?

Do we have an answer? Not a firm one, but at the very least we have a sense of it.

In the scheme of things, North Korea is not considered a world power in the arena of cyberattacks. According to data Solutionary has observed in our ActiveGuard® service platform, countries like the United States, China and Russia generate millions of “touches” a month against Solutionary Managed Security Services clients. (Let’s say a “touch” is a known reconnaissance, an overt external attack or the attempted exfiltration of data.) In a normal month, North Korea has historically generated 34-200 touches per month against Solutionary clients. That is, until February of 2013, when they jumped all the way up to 12,473 touches.


What is special about February of 2013? Only the latest escalation of events with North Korea. On February 12, North Korea announced that it had conducted an underground nuclear test. While there is some debate over whether or not the detonation was nuclear, an underground explosion consistent with a nuclear warhead has been confirmed by several other nations. The test generated widespread condemnation and once again raised potential sanctions against North Korea. North Korea has responded with additional aggressive words, and another threat to test one of their missiles that they say is capable of delivering a nuclear warhead.

Is the escalation coincidence? Is this just a war of words? Outside of the fact that I do not really believe in coincidences, three things tell us the answer to that is “no”.

First, the sheer size of the escalation in events. The number of touches in February was an 8445% increase over the average number of touches in the previous 12 months. So, while in comparison to other countries North Korea’s cyberpresence is relatively low, the size of the escalation is undeniable. Second, the persistency of the escalation in events. While not as significant as February’s numbers, March still represented an increase of 1913% over the average of the January 2012 to January of 2013 timeframe. Third, the repeat of the escalation. What repeat? In November of 2012, the number of touches produced by North Korea sites against Solutionary clients more than doubled. Again, not particularly significant numbers when compared to the heavy hitters, but, it doubled. Did that have anything to do with North Korea’s political environment? We can make no guarantees, but it does seem coincidental that it was in late November when North Korea replaced their defense minister with a more aggressive, hard-line military commander. It was also late November when North Korea started talking about missile testing prior to the December elections in South Korea, ending with the actual launch of that missile on December 12.  (It may be worth noting that while the number of touches fell in December, the last month of the year still showed the second highest number of events in the entire year.)

Just as interesting is the profile of the targets of the network-based touches. According to Solutionary data, North Korean related events pretty evenly spanned target organizations across 13 industries, but showed a clear favoritism for targeting organizations in the financial community. For the period January 2012 through January 2013, 49.1% of all North Korean sourced cyberactivity seen by Solutionary was directed at financial companies. February of 2013, however, saw a marked jump in the number of touches on organizations in the financial industry. In February of 2013, over 99% of all touches were directed against members of the financial industry. This profile continued into March of 2013, across the same timeframe that North Korea waged denial of service attacks against South Korean banks and broadcasting companies.


Keep in mind that alleged hacktivists escalated attacks against banks based in the United States, starting in September of 2012, and attacks continued in waves throughout the fall – spanning much of the same time period as North Korea’s escalated language and cyberattacks. This does not necessarily mean they are related, but at the very least may have served as encouragement for North Korea’s escalated financial activity.

Now, there is no evidence that any of this is supported or even encouraged by the North Korean government. But, there do appear to be several parallels between escalated verbal rhetoric and escalated cyberattacks. It is evident that, whether government influenced or not, that the dual-path of aggression is a new way of facing the world, at least from North Korea. Given the more hard-line government in North Korea, we expect escalations like this to continue, and to become even more evident in other conflicts around the globe.