by Julie Kim
December 2024
Table of Contents
- Introduction
- North Korea’s Cyber Program
- South Korea’s response to North Korean cyber operations
- Pathways to Canada-South Korea cyber security cooperation
- Recommendations
- End Notes
- About the Author
- Canadian Global Affairs Institute
Introduction
North Korea’s cyber program and capabilities remain largely unknown to the world. However, its inappropriate use of cyber operations has a significant impact on the global economy and international security. Numerous reports and expert analyses suggest that the North Korean government has invested significant resources to develop its cyber capabilities and has been employing increasingly sophisticated tactics to target its adversaries. As one cyber security expert pointed out, for North Korea, “cyber warfare levels the global playing field in a way nuclear weapons can’t” and “the risk-return calculation for hacking versus nukes is exponentially different.”1 Thus, North Korea has been able to achieve bigger returns with fewer resources and risks through cyber operations.
North Korea conducts cyber operations for various reasons, including espionage, intelligence gathering, retaliation, coercion, and financial gain. According to a briefing from the South Korean National Intelligence Service in 2013, North Korean leader Kim Jong Un stated that “cyberwarfare is an all-purpose sword that guarantees the North Korean People’s Armed Forces ruthless striking capability, along with nuclear weapons and missiles.”2 As the primary target of North Korean cyber operations, South Korea must collaborate closely with its allies to counter these threats. Canada, which has identified cyber security cooperation as a key component of its Indo-Pacific Strategy, shares mutual interests in enhancing regional cyber security and countering malicious activities. Given the longstanding partnership, there is significant potential to deepen cyber security cooperation between Canada and South Korea.3
North Korea’s Cyber Program
Brief history of North Korea’s cyber operations
Over the past decade, North Korea expanded its cyber operations significantly and cyber operations became one of its primary sources of foreign income. Advanced persistent threats (APTs) such as the Lazarus Group and Kimsuky, which are believed to be operating on behalf of the North Korean regime, have launched attacks against digital infrastructure across South Korea and globally. Their targets extend beyond government agencies to include national infrastructure, the defence and aerospace industries, IT companies, and financial services.
Cyber operations appeal to North Korea for several reasons. First, they are more difficult to attribute to a specific party, giving the regime an opportunity to act with a certain level of impunity and deny any involvement.4 Second, cyber operations can be readily employed during both peacetime and wartime, achieving effects that traditional military weapons cannot.5 Finally, cyber operations are relatively inexpensive to execute and do not necessarily depend on procurement of specialized military equipment, unlike missiles and nuclear weapons, making them more appealing to the regime.6
North Korea emerged as a prominent cyber actor on the international stage when it was linked to the cyber attack on Sony Pictures Entertainment in November 2014. This incident caused Sony significant damage by disabling its information technology systems, destroying data, and leaking internal emails and documents to the public. Although there is no concrete proof, it appeared to be North Korea’s retaliation for the release of The Interview, a movie depicting the fictional assassination of its leader Kim Jong Un, which North Korea’s Foreign Ministry described as “the most blatant act of terrorism and war,” threatening “a merciless countermeasure” if the U.S. administration allowed the showing of the movie.7 North Korea denied involvement in the attack, but praised the hackers for having done “a righteous deed.”8
Recently, North Korea’s cyber operations appear to be increasingly driven by financial motives. In May 2017, ransomware referred to as WannaCry infected hundreds of thousands of computers in more than 150 countries, restricting users’ access to their systems until a ransom was paid to unlock them.9 This attack caused serious disruption to hospitals, schools, banks, and businesses around the world. Among the worst affected was the National Health Service (NHS) in the United Kingdom, where appointments were cancelled, surgeries were delayed, and some hospitals even had to divert ambulances to other facilities.10 It is commonly believed that North Korea was behind the WannaCry attack.
The lack of regulation for cryptocurrency also constitutes an opportunity for North Korea. As then-U.S. Assistant Attorney General for National Security, John C. Demers, aptly described in February 2021, “North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers.”11 North Korea’s largest crypto theft to date was in 2022, when the Lazarus Group tricked an employee of the blockchain gaming company Sky Mavis with a fake job offer. This allowed them to break into internal systems and extract $625 million from the popular Axie Infinity game and the Ronin Network.12 Beyond this specific attack, the Lazarus Group reportedly stole almost $900 million between July 2022 and July 2023.13 These stolen funds allow Pyongyang to continue financing the development of its nuclear and weapons of mass destruction programs, which is particularly concerning for the international community.14
Organization and scope of North Korea’s cyber program
Due to limited accessibility and information, it is difficult to know the exact organizational structure of North Korea’s cyber program. However, most sources identify the military intelligence agency, the Reconnaissance General Bureau (RGB), and particularly Bureau 121 as the main actor.15 There also seems to be a division of labour within the RGB. For example, Bureau 325 was reportedly established to steal information related to COVID-19 and vaccine development technology from South Korean and international pharmaceutical companies, research institutions, and government organizations.16
The size of North Korea’s cyber force is estimated to be about 7,000 active hackers.17 The government identifies talented students and trains them at a young age in specialized high schools and universities. In some cases, they are sent abroad to China and Russia to receive further training before returning to join North Korea’s cyber units.18 With internet access severely restricted for the general public, the regime is able to conduct comprehensive surveillance of its network and direct its intelligence efforts toward external targets.19
South Korea’s response to North Korean cyber operations
2024 National Cybersecurity Strategy
For decades, South Korea has been the primary victim of suspected North Korean cyber operations. According to South Korea’s National Intelligence Service, North Korea accounted for 80% of intrusion attempts against South Korean systems in 2023, which was up 36% from the previous year.20 North Korean hackers frequently target key South Korean government institutions, such as the Ministry of National Defense and the Joint Chiefs of Staff, as well as media outlets to disrupt services and gather intelligence.21 In 2016, they stole over 40,000 defence-related documents from South Korean contractors, including classified files on F-16 fighters and drones.22 More recently, in August 2023, a North Korean APT known as Kimsuky attempted to hack South Korean contractors’ emails to disrupt a joint US-South Korea military exercise.23 In 2024, Kimsuky also set up phishing servers at South Korean universities and think tanks to conduct espionage and steal personal information from professors and researchers.24
Despite its advanced cyber capabilities, South Korea has historically adopted a defensive posture and used its capabilities passively.25 However, in order to address the growing cyber threats from North Korea, the South Korean government has recently adopted a more aggressive stance. Accordingly, in February 2024, South Korea released its revised National Cybersecurity Strategy to adapt to the evolving cyber landscape and expand its strategic scope. The strategy includes five main tasks: 1) strengthening offensive cyber defence activities, 2) establishing a global cyber cooperation framework, 3) enhancing cyber resilience of critical infrastructure, 4) securing a competitive edge in critical and emerging technologies, and 5) strengthening the operational foundation.26 One significant change from the previous 2019 National Cybersecurity Strategy is the recognition of international and state-sponsored hacking organizations as primary national security threats. It identifies serious threats, such as the theft of advanced technologies and crypto assets, dissemination of fake news, election interference, incapacitation of critical infrastructure, and ransomware attacks. Another important feature of the new strategy is that it explicitly names North Korea as the most significant threat to South Korea’s cyber security.
Strengthening cyber security cooperation with allies
South Korea is actively expanding international cooperation on cyber security. In May 2022, it became the first Asian country to join the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), an international cyber defence organization established in May 2008 in Tallinn, Estonia. The CCDCOE fosters cooperation among like-minded nations through research, training, and exercises in the field of cyber defence. In November 2023, South Korea signed a “Strategic Cyber Partnership” with the United Kingdom to enhance collaboration in the cyber domain. This partnership includes information sharing, the joint development of cyber technologies, and industry partnerships.27 Additionally, South Korea, the United States, and Japan agreed to strengthen cyber cooperation against North Korea and announced the establishment of a high-level cyber consultation group.28
In particular, bilateral cyber cooperation between South Korea and the United States has made significant progress. In August 2022, South Korea’s Cyber Operations Command signed a Memorandum of Understanding (MoU) with the U.S. Cyber Command. South Korea also participated for the first time in “CYBER FLAG,” the U.S. Cyber Command’s annual military exercise aimed at enhancing readiness and interoperability with allies, in October 2022.29 During the ROK-U.S. Summit in April 2023, the two countries established the “ROK-U.S. Strategic Cybersecurity Cooperation Framework,” extending the ROK-U.S. alliance into cyberspace. Additionally, South Korea and the United States regularly hold Working Group meetings to counter North Korea’s attempts to secure funds for its nuclear and missile development programs through cyber operations and cryptocurrency theft. Most recently, in September 2024, the two countries convened the seventh Working Group in Seoul, led by Deputy Special Representative for the DPRK Seth Bailey and ROK Ministry of Foreign Affairs Director General for Korean Peninsula Policy Lee Jun-il.30
Pathways to Canada-South Korea cyber security cooperation
North Korea’s cyber operations do not pose a direct threat to Canada on the same level as those from countries like China and Russia. However, as outlined in the National Cyber Threat Assessment 2025-2026, the North Korean regime’s activities “almost certainly presents a persistent and well-resourced cybercrime threat” to organizations and individuals in Canada.31 For example, in January 2018, the Ontario transportation agency Metrolinx reported that its computers were attacked by a North Korean virus routed through Russia.32 Additionally, a report by the U.S. security firm Cisco Talos revealed that the Lazarus Group attacked energy providers in Canada, the United States, and Japan between February and July 2022.33
As part of its Indo-Pacific Strategy, Canada announced the Cybersecurity and Digital Technology Diplomacy project, which allocates $47.4 million over five years (2022-2027) to enhance partner countries’ cyber capabilities and foster regional cooperation through the deployment of cyber attachés.34 For example, in December 2024, the Canadian company OpenText opened its first global innovation centre in the Philippines, which has the capability to monitor and assess over 300 billion global cyber threats per month.35 Furthermore, in September 2024, the Canadian Armed Forces established Cyber Command (CAFCYBERCOM), which will be responsible for enhancing cyber operations and strengthening cyber cooperation with allies.36 These efforts have led to increased partnerships between Canada and Indo-Pacific countries.
Recently, Canada and South Korea have also strengthened their defence cooperation, and the Indo-Pacific Strategy highlights cyber security as a key area of collaboration with South Korea.37 During his official visit to South Korea in September 2024, Canada’s Minister of National Defence, Bill Blair, reaffirmed Canada’s commitment to maintaining security on the Korean Peninsula and across the Indo-Pacific.38 This commitment was reinforced in November 2024, when the inaugural Canada-ROK Foreign and Defence (2+2) Ministerial Meeting took place in Ottawa. At this meeting, both nations acknowledged the growing challenges posed by hybrid and digital threats and pledged to expand joint efforts to combat them. They also agreed to hold Canada-Korea Cyber Policy Consultations.39 Building on this foundation, the cyber security partnership between Canada and South Korea is expected to grow further.
Recommendations
North Korea’s cyber operations pose a significant threat to the international community and remain an evolving concern. Countries in the Indo-Pacific region increasingly recognize the importance of strengthening cyber security cooperation to counter North Korea’s cyber operations. This issue was also one of the key topics discussed at the 2024 Korean Peninsula Symposium, co-hosted by Global Affairs Canada, the Embassy of the Republic of Korea, the Embassy of the United States of America, and the Embassy of Japan on October 23, 2024. During the symposium, all parties acknowledged the growing cyber threats posed by North Korea and committed to deepening cooperation to address these challenges.
The global nature of cyber operations means that countries need to strengthen cooperation by establishing formal frameworks for information sharing, conducting joint cyber exercises, and coordinating responses to enhance cyber resilience. For example, in December 2024, the Australian Cyber Security Centre collaborated with five key partners, including the United States’ Cybersecurity and Infrastructure Security Agency, the Canadian Centre for Cyber Security, the United Kingdom’s National Cyber Security Centre, New Zealand’s National Cyber Security Centre, and South Korea’s National Cyber Security Centre, to release executive guidance on choosing secure and verifiable technologies.40
Finally, as the main target of North Korean cyber operations, South Korea should actively seek cooperation with key allies to enhance its cyber resilience. Building on its working group meetings with the United States, South Korea can expand this framework to include like-minded partners in the Indo-Pacific, such as Canada, Japan, and Australia, to foster broader regional cooperation. This type of multilateral approach would not only strengthen regional cyber security, but also establish a unified front against malicious cyber activities, ensuring greater stability and deterrence. Furthermore, South Korea’s shared language and cultural similarities with North Korea provide a unique advantage in tracking North Korea’s cyber espionage and deceptive tactics. Therefore, South Korea can serve as an information sharing hub for international cooperation to counter North Korean cyber operations.
End Notes
1 Morgan Wright, “North Korea’s nuclear threat is nothing compared to its cyber warfare capabilities,” The Hill, June 5, 2018. https://thehill.com/opinion/cybersecurity/390601-north-koreas-nuclear-threat-is-nothing-compared-to-its-cyber-warfare/.
2 Ji Young Kong, Jong In Lim, and Kyoung Gon Kim, “The All-Purpose Sword: North Korea’s Cyber Operations and Strategies,” in 2019 11th International Conference on Cyber Conflict (CyCon), 1.
3 I am grateful to Alexander Rudolph for providing constructive comments on this paper.
4 The World Economic Forum, The Global Risks Report 2024, 19th edition, 75. https://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2024.pdf.
5 Tae-Eun Song, “Inside Pyongyang’s Mind: An Overview of the Kim Regime’s Persistence in Masterminding Illicit Cyber Activities and ROK’s Responses,” IFANS Perspectives, May 3, 2023, 1.
6 Daniel Russel, “North Korea’s Next Weapon of Choice: Cyber,” Asia Society, April 30, 2019. https://asiasociety.org/magazine/article/north-koreas-next-weapon-choice-cyber.
7 BBC, “North Korea threatens war on US over Kim Jong-un movie,” June 26, 2014. https://www.bbc.com/news/world-asia-28014069.
8 Gregory Wallace, “North Korea calls Sony hack ‘a righteous deed’,” CNN Money, December 7, 2014. https://money.cnn.com/2014/12/07/technology/security/sony-north-korea/index.html.
9 Cybersecurity and Infrastructure Security Agency (CISA), “Guidance on the North Korean Cyber Threat,” June 23, 2020. https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-106a.
10 Roger Collier, “NHS ransomware attack spreads worldwide,” Canadian Medical Association Journal (CMAJ), June 5, 2017. https://doi.org/10.1503/cmaj.1095434.
11 U.S. Department of Justice, “Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe,” February 17, 2021. https://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and.
12 Alex O’Neill, “Countering North Korean Cybercrime and Its Enablers,” Lawfare, May 2, 2024. https://www.lawfaremedia.org/article/countering-north-korean-cybercrime-and-its-enablers.
13 Ravie Lakshmanan, “North Korea’s Lazarus Group Launders $900 Million in Cryptocurrency,” The Hacker News, Oct 6, 2023. https://thehackernews.com/2023/10/north-koreas-lazarus-group-launders-900.html.
14 Alejandro N. Mayorkas, “Threats to the Homeland: Testimony before the U.S. Committee Homeland Security and Governmental Affairs,” November 17, 2022. https://www.hsgac.senate.gov/wp-content/uploads/imo/media/doc/Testimony-Mayorkas-2022-11-17.pdf.
15 Kong, Lim, and Kim, “The All-Purpose Sword”; Song, “Inside Pyongyang’s Mind”.
16 Seulkee Jang, “North Korea begins human testing of its own COVID-19 vaccine,” Daily NK, January 22, 2021. https://www.dailynk.com/english/north-korea-begins-human-own-covid-19-vaccine/.
17 Kong, Lim, and Kim, “The All-Purpose Sword,” 3; Russel, “North Korea’s Next Weapon of Choice: Cyber”.
18 Kong, Lim, and Kim, “The All-Purpose Sword,” 3.
19 The International Institute for Strategic Studies (IISS), “11. North Korea” in Cyber Capabilities and National Power: A Net Assessment, June 28, 2021, 127. https://www.iiss.org/globalassets/media-library---content--migration/files/research-papers/cyber-power-report/cyber-capabilities-and-national-power---a-net-assessment___.pdf.
20 Na-young Kim, “N. Korea attempts to use generative AI for hacking attacks: spy agency,” Yonhap News, January 24, 2024. https://en.yna.co.kr/view/AEN20240124003300320.
21 Anna J. Park, “Are Russia, North Korea behind DDos attack on South Korea’s defense ministry website?,” The Korea Times, November 6, 2024. https://www.koreatimes.co.kr/www/nation/2024/11/113_385809.html.
22 Russel, “North Korea’s Next Weapon of Choice: Cyber”.
23 Ju-min Park, “North Korean hackers target U.S.-South Korea military drills, police say,” Reuters, August 19, 2023. https://www.reuters.com/world/north-korean-hackers-target-us-south-korea-military-drills-police-say-2023-08-20/#:~:text=The%20hackers%20were%20believed%20to,Agency%20said%20in%20a%20statement.
24 Resilience Threat Intelligence, “APT Group Kimsuky Targets University Researchers,” August 7, 2024. https://www.cyberresilience.com/threatintel/apt-group-kimsuky-targets-university-researchers/.
25 Song, “Inside Pyongyang’s Mind,” 6.
26 Office of the President Republic of Korea, “National Cybersecurity Basic Plan Executive Summary,” September 1, 2024. https://eng.president.go.kr/briefing/TE0xsLB6.
27 Government of the United Kingdom, “Republic of Korea-UK strategic cyber partnership,” November 23, 2023. https://www.gov.uk/government/publications/uk-republic-of-korea-strategic-cyber-partnership/republic-of-korea-uk-strategic-cyber-partnership.
28 Haye-ah Lee, “S. Korea, U.S., Japan to launch high-level cyber consultation group,” Yonhap News Agency, November 6, 2023. https://en.yna.co.kr/view/AEN20231106003900315.
29 U.S. Cyber Command, “U.S. Cyber Command 2022 Year in Review,” December 30, 2022. https://www.cybercom.mil/Media/News/Article/3256645/us-cyber-command-2022-year-in-review/.
30 U.S. Department of State, “Seventh United States-Republic of Korea Working Group to Counter Cyber Threats Posed by the Democratic People’s Republic of Korea,” September 5, 2024. https://www.state.gov/seventh-united-states-republic-of-korea-working-group-to-counter-cyber-threats-posed-by-the-democratic-peoples-republic-of-korea/.
31 Canadian Centre for Cyber Security, National Cyber Threat Assessment 2025-2026. https://www.cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2025-2026.
32 CBC News, “Metrolinx claims computers hit by North Korean cyberattack,” January 23, 2018. https://www.cbc.ca/news/canada/toronto/north-korean-cyber-attack-metrolinx-1.4500918.
33 Asheer Malhotra, Vitor Ventura, and Jungsoo An, “Lazarus and the tale of three RATs,” Cisco Talos, September 8, 2022. https://blog.talosintelligence.com/lazarus-three-rats/.
34 Global Affairs Canada, Canada’s Indo-Pacific Strategy: New initiatives and resources. https://www.canada.ca/en/global-affairs/news/2022/11/canadas-indo-pacific-strategy-new-initiatives-and-resources.html.
35 Global Affairs Canada, Minister Ng announces significant support to help Canadian businesses succeed in the Philippines. https://www.canada.ca/en/global-affairs/news/2024/12/minister-ng-announces-significant-support-to-help-canadian-businesses-succeed-in-the-philippines.html.
36 Department of National Defence, “Canadian Armed Forces establishes a new Cyber Command,” September 26, 2024. https://www.canada.ca/en/department-national-defence/news/2024/09/canadian-armed-forces-establishes-a-new-cyber-command.html.
37 Global Affairs Canada, Canada’s Indo-Pacific Strategy. https://www.international.gc.ca/transparency-transparence/indo-pacific-indo-pacifique/index.aspx?lang=eng.
38 Julie Kim, “Minister Blair’s Visit to the ROK: The Next Steps in Canada-Korea Defence Relations,” Canadian Global Affairs Institute, September 2024. https://www.cgai.ca/minister_blairs_visit_to_the_rok_the_next_steps_in_canada_korea_defence_relations.
39 Global Affairs Canada, “Canada-Republic of Korea Foreign and Defence (2+2) Ministerial Meeting joint statement,” November 1, 2024. https://www.canada.ca/en/global-affairs/news/2024/11/canada-republic-of-korea-foreign-and-defence-22-ministerial-meeting-joint-statement.html.
40 Canadian Centre for Cyber Security, Executive summary and updated joint guidance on choosing secure and verifiable technologies. https://www.cyber.gc.ca/en/news-events/executive-summary-and-updated-joint-guidance-choosing-secure-and-verifiable-technologies.
About the Author
Dr. Julie (Jung-eun) Kim is a Post-Doctoral Fellow leading the Korea Program at the Canadian Global Affairs Institute (CGAI) and a Country Expert on North Korea for the Bertelsmann Transformation Index (BTI). She received a PhD in Political Science from Heidelberg University as a German Academic Exchange Service (DAAD) scholar. Her dissertation explores the social control system and autocratic regime stability in North Korea. She has a Master of Arts in North Korean Studies and a Bachelor of Arts in German Language and Literature from Ewha Womans University.
Julie has previously worked as a Research Intern at the Stockholm International Peace Research Institute (SIPRI) and a Global Asia Fellow at the East Asia Foundation. She has published various articles and a book chapter, including in the Journal of East Asian Studies, BTI Country Report – North Korea, and Global Asia. Her research interests include authoritarian regimes, geopolitics with a regional focus on the Korean Peninsula, and Canada-Korea defence cooperation.
Canadian Global Affairs Institute
The Canadian Global Affairs Institute focuses on the entire range of Canada’s international relations in all its forms including trade investment and international capacity building. Successor to the Canadian Defence and Foreign Affairs Institute (CDFAI, which was established in 2001), the Institute works to inform Canadians about the importance of having a respected and influential voice in those parts of the globe where Canada has significant interests due to trade and investment, origins of Canada’s population, geographic security (and especially security of North America in conjunction with the United States), social development, or the peace and freedom of allied nations. The Institute aims to demonstrate to Canadians the importance of comprehensive foreign, defence and trade policies which both express our values and represent our interests.
The Institute was created to bridge the gap between what Canadians need to know about Canadian international activities and what they do know. Historically Canadians have tended to look abroad out of a search for markets because Canada depends heavily on foreign trade. In the modern post-Cold War world, however, global security and stability have become the bedrocks of global commerce and the free movement of people, goods and ideas across international boundaries. Canada has striven to open the world since the 1930s and was a driving factor behind the adoption of the main structures which underpin globalization such as the International Monetary Fund, the World Bank, the World Trade Organization and emerging free trade networks connecting dozens of international economies. The Canadian Global Affairs Institute recognizes Canada’s contribution to a globalized world and aims to inform Canadians about Canada’s role in that process and the connection between globalization and security.
In all its activities the Institute is a charitable, non-partisan, non-advocacy organization that provides a platform for a variety of viewpoints. It is supported financially by the contributions of individuals, foundations, and corporations. Conclusions or opinions expressed in Institute publications and programs are those of the author(s) and do not necessarily reflect the views of Institute staff, fellows, directors, advisors or any individuals or organizations that provide financial support to, or collaborate with, the Institute.