“We have too many people right now in the public and the private sector that are focusing on who done it when really Kim Jong Un, he’s trying to confuse you,” Michael Barnhart, Mandiant’s lead on DPRK cyber collection, analysis, reporting, and tracking, tells CSO. “He’s moving people around. He doesn’t care that we have a hard time tracking him. It’s not in his best interest to do that. Attribution matters, but we might have to go about it a different way because it’s very clear that they’re muddling everything.”
This muddling has accelerated since the COVID-19 pandemic, when “the regime was forced to modify their operations in 2020 as the pandemic hardened borders around the world; most notably within the Korean Peninsula and China,” Mandiant concluded.
“So, whenever they got blocked and couldn’t return to the country, they had to get crafty,” Barnhart says. “And you can see that [the various DPRK hacking groups] are talking more, and they’re collaborating more, and that’s going to be problems for us.”
Nimble cyber workforce punches above its weight
Unlike the offensive and defensive teams in other countries with well-established cyber units, North Korea’s hacking unit is comparatively small. It is also stocked with skilled, all-purpose workers capable of shifting from mission to mission. “They can do it all, and it’s unreal,” Barnhart says.
Mandiant highlights Park Jin Hyok, currently on the FBI’s most-wanted list, as an example of DPRK hackers’ “ability to conduct activities at high levels of sophistication and execution, then immediately pivot to separate tasks and maintain that same level of execution” from blockchain and cryptocurrency hacking to supply chain attacks to espionage and more.
“This guy was involved in the Sony hack [in 2014]. That’s the first big indictment,” Barnhart says. Park is also connected to the 2016 theft of $81 million from Bangladesh Bank, the development of WannaCry, and the infiltration of US defense contractors in 2016 and 2017, among other campaigns. “These guys are absolutely skilled at the very, very top levels. And they can pivot on those levels, too,” according to Barnhart.