The North Korean government of the Cold War era expressed solidarity with Third World liberation movements and decolonization. From supporting African anti-colonial struggles to sending pilots to fight alongside the communists in the Vietnam War, the North Korean leadership saw itself as part of a global anti-imperialist front. However, North Korea retreated inwards after the fall of the communist bloc in the 1990s and became much more nationalistic in its foreign policy. Now, North Korean cyberattacks increasingly target countries in the developing world.
Pyongyang began to devote significant resources to its cyber capabilities in the 1990s. Cyber operations became a way for North Korea to aggressively assert itself in the international arena and inflict pain on its strategic foes, principally the United States and Republic of Korea. Nonetheless, in recent years, Pyongyang’s cyber operatives have stretched beyond North Korea’s traditional adversaries. They now increasingly target financial institutions in the developing world. In an effort to bolster the coffers of the political elite and also gather intelligence for military purposes, North Korean hackers see the developing world as a vulnerable target for increasingly sophisticated cyber attacks. In fact, the Democratic People’s Republic of Korea (DPRK) remains the only government in the world that brazenly uses cyber attacks for monetary gain.
The most well-known North Korean cyber attack in the developing world took place in 2016. North Korean hackers stole around $81 million from the Central Bank of Bangladesh (CBC). The CBC was targeted due to its relatively lax security standards and outdated systems. North Korean hackers manipulated the SWIFT system and tricked the U.S. Federal Reserve into sending funds to fraudulent bank accounts that appeared to be the CBC’s but were in fact accounts set up by Pyongyang’s hackers. The North Korean cyber theft from the Bangladesh Central Bank shocked the international community.
After the CBC bank heist, North Korean hackers continued to target financial institutions in the developing world. In March 2018, a North Korean hacker unit, known as “Hidden Cobra,” targeted Turkish banks. Using a spear-phishing email campaign, the North Korean hackers lured targets with a fake cryptocurrency scheme and acquired sensitive information for potential future cyber attacks. In 2019, a UN report said that North Korean hackers attacked banks and cryptocurrency exchanges in India, Bangladesh, Chile, Costa Rica, Gambia, Guatemala, Kuwait, Liberia, Malaysia, Malta, Nigeria, South Africa, Tunisia, and Vietnam. Two years later, in April 2021, North Korean cyber agents attacked a South African logistics company and took control of its computers for purposes of intelligence gathering.
North Korean hackers now use developing countries as physical and virtual locations to obfuscate Pyongyang’s involvement in illicit cyber activity. In fact, the 2014 Sony Pictures hack came from a WiFi network in a five-star Thai hotel. North Korean hackers have also likely used India as a physical base for some of their cyber operations. In Africa, North Korean hackers have found “safe havens” in Kenya and Mozambique. Passing themselves off as workers at legitimate businesses, North Korean hackers utilize the cyber infrastructure of developing countries to attack financially lucrative targets on behalf of the Korean Workers’ Party. It seems that North Korean hackers use lax visa regimes and weak sanctions enforcement measures in developing countries as a way to disguise Pyongyang’s role in these cyber operations.
North Korean cyberattacks in the developing world are dual purpose. In addition to revenue generation for the Kim family regime, North Korean cyberattacks are meant to acquire sensitive information on weapons systems and critical infrastructure. The collection of this intelligence is vital for the heavily sanctioned regime that is cut off from global supply chains. During the COVID-19 pandemic, North Korean hackers have even targeted pharmaceutical companies, such as Pfizer, for information related to COVID-19 vaccines. Under Kim Jong Un, the regime’s propaganda has emphasized a return to economic self-reliance and self-sufficiency. North Korea’s cyber operations can be seen as part of this broader internal effort to promote autarky.
It is clear now that North Korean hackers view the Global South as vulnerable cyber terrain. It is imperative that governments and banks in the developing world bolster their cyber defenses and indicate to their employees the importance of up-to-date cybersecurity measures in preventing cyber intrusions. Cybersecurity training is imperative in order to deter North Korea’s increasingly sophisticated and aggressive cyber attacks.
In addition, governments in the Global South need to reevaluate their visa agreements with the North Koreans. Pyongyang’s willingness to abuse visa regimes and diplomatic immunity should be cause for concern. North Korean diplomats and overseas agents are expected to send loyalty funds back to Pyongyang. This self-funding expectation makes the Kim family regime’s diplomatic presence abroad a potential source for future cyber espionage and criminal activity. North Korea is no longer a friend or an ally to the developing world. Pyongyang’s cyber agents exploit and abuse the security vulnerabilities of Latin America, Africa, and southern Asia. The days of North Korea’s Third World solidarity are long gone.
Benjamin R. Young is an assistant professor of homeland security and emergency preparedness in the Wilder School of Government and Public Affairs at Virginia Commonwealth University. He is the author of the book Guns, Guerillas, and the Great Leader: North Korea and the Third World, and his writing has appeared in a range of media outlets and peer-reviewed scholarly journals. Follow him on Twitter @DubstepInDPRK.