U.S. intelligence agencies find themselves sorely limited in how to respond to North Korean hacking operations because of the authoritarian nation’s uniquely isolated position in the world, amid reports that Pyongyang is now employing a hacker army of as many as 6,000 cyberwarriors.
The claim that North Korea’s “cyberarmy” has swelled to twice the previous estimate was made by South Korea’s Defense Ministry Tuesday, just weeks after Pyongyang-backed hackers were alleged to have perpetrated the hack of Hollywood studio Sony and engaged in a cyberattack on South Korea’s main nuclear power company.
The Obama administration, in response, leveled a slate of sanctions against North Korea last week, but any attempt by Washington to go further, such as by launching counterhacking operations against North Korea, faces a vexing set of challenges.
The reason, say analysts, is that almost none of North Korea’s citizens — let alone its government institutions and economy — are connected to the Internet used by the rest of the world.
“North Korea’s cybercapability has grown year by year and will continue to grow, but they also have one of the best cyberdefenses in the world because they’re not online the way pretty much every other economy in the world is,” said Peter W. Singer, a senior fellow at the New America Foundation in Washington.
North Korea is “just not as vulnerable in cyber as we are, so cyberactions we might take to press the buttons of another nation won’t have the same impact on them,” he said.
North Korea’s military and intelligence community — including its growing hacker army — operate within an internally controlled “intranet” that is essentially impenetrable from outside, said Patrick M. Cronin, an Asia specialist at the Center for New American Security.
“There’s only about 1,000 people in North Korea who are online on the actual Internet as we know it, and the U.S. intelligence community follows them,” said Mr. Cronin, who explained that the nation’s government also secretly operates “on this intranet created with software that is indigenous, with homegrown systems so they can’t be hacked into.”
The hackers referenced Tuesday by South Korea, he said, work “almost entirely” for something known as “Bureau 121,” an elite unit of the North Korean General Bureau of Reconnaissance.
“If you wanted to really send a signal to North Korea, to shake them at their core, you would find a way to hack into their intranet, and you can be sure there are people working on that,” Mr. Cronin added.
Little evidence of success
There is little evidence to suggest that U.S., South Korean or allied intelligence operatives have ever succeeded in penetrating the network.
Both Mr. Singer and Mr. Cronin pushed back against speculation that U.S. government-backed hackers were responsible for the virtual crash of North Korea’s limited external Internet late last month.
Mr. Singer said he believed the brief outage was actually brought about by independent “hacktivists.” But regardless of who was responsible, he said, the impact felt by Pyongyang was small given that so few of the nation’s citizens actually are on the Internet.
South Korea’s concerns about cyberwarfare from the North predate the Sony hack. Seoul in 2013 blamed Pyongyang for a crippling series of cyberattacks that froze the computer systems of banking and media companies for days in the South.
More recently, there were allegations that a top South Korean nuclear plant operator had been hacked, raising concerns about safeguards around nuclear facilities in a country that remains technically at war with the North.
According to a report by Reuters, the Korea Hydro & Nuclear Power Company and the South Korean government said only “noncritical” data was stolen by the hackers in late December, and that there was no real risk to nuclear installations, including the South’s 23 atomic reactors.
North Korea has denied involvement in the attacks on the South. It has also claimed to have had nothing to do with hacking Sony, an attack that U.S. officials claim was driven by Pyongyang’s anger over the impending release of “The Interview,” a Sony Pictures fictional movie depicting the assassination of North Korean leader Kim Jong-un.
On Friday the Obama administration leveled sanctions against 10 North Korean government officials and three organizations, including Pyongyang’s primary intelligence agency and state-run arms dealer — a move the White House described as just an initial response to the Sony attack.
It was the first time the U.S. has imposed sanctions on another nation in direct retaliation for hacking an American company, according to The Associated Press, which noted that President Obama has also warned that the U.S. is considering putting North Korea back on its list of state sponsors of terrorism.
But analysts say the opaqueness of the North’s regime makes it difficult to calculate the true scope of Pyongyang’s hacking capabilities.
“It’s incredibly difficult to do what you might describe as a power index or threat assessment when it comes to cybercapability,” said Mr. Singer. “It’s not like the Cold War, where you could just count the number of tanks and then try to make some kind of assessment based on that.”
He also cited reports that Pyongyang-backed hackers are not all based in North Korea, but that they also operate clandestinely from locations in Russia, China and Japan.