Cybercriminal Statecraft


Toward an Organizational Structure

North Korea’s top intelligence agency, the Reconnaissance General Bureau (RGB), is believed to coordinate most offensive cyber activity. Reportedly formed in 2009 in order to better integrate North Korea’s burgeoning cyber capabilities into its broader security apparatus, the RGB is a central “hub of North Korean intelligence, commando and sabotage operations.”33 According to government and private-sector reporting, the primary financially motivated actor group within the RGB is the cluster FireEye tracks as APT38, which overlaps with the groups other firms call Bluenoroff or Stardust Chollima and the Cybersecurity and Infrastructure Security Agency (CISA) calls BeagleBoyz. Analysts note APT38’s “calculated approach” to financial operations, “which allows them to sharpen their tactics, techniques, and procedures while evading detection.”34 Since 2014, actors associated with APT38 have spearheaded North Korea’s theft operations targeting banks and other enterprises, including the Bank of Bangladesh robbery that yielded $81 million of an attempted $951 million in unauthorized wire transfers, as well as the distribution of malicious cryptocurrency applications and fraudulent digital tokens like Marine Chain.35 More recently, the group carried out a multi-national ATM cash-out scheme the U.S. government calls FASTCash. Other reported North Korean clusters include Andariel, which “focuses on attacking South Korean businesses and government agencies using methods tailored for the country”; APT37, which conducts intelligence-gathering operations across military, political, and industrial domains; and Kimsuky, which targets government entities and think tanks in the United States, Japan, and South Korea.36


33. Jun, LaFoy, and Sohn, North Korea’s Cyber Operations: Strategy and Responses, 35-36.

34. “FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks,” Cybersecurity and Infrastructure Security Agency, August 26, 2020, https://us-cert.cisa.gov/ncas/alerts/aa20-239a.

35. Shifting Patterns in Internet Use Reveal Adaptable and Innovative North Korean Ruling Elite, Insikt Group, Recorded Future (October 25, 2018), 9, https://www.recordedfuture.com/north-korea-internet-usage/; United States of America v. Jon Chang Hyok, Kim Il, and Park Jin Hyok, No. CR2:20-CR-00614-DMG, 24-26 (Central District of California).

36. “Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups”; APT38: Un-usual Suspects, 11; “North Korean Advanced Persistent Threat Focus: Kimsuky,” Cybersecurity and Infrastructure Security Agency, October 27, 2020, https://us-cert.cisa.gov/ncas/alerts/aa20-301a; Christine Kim, “North Korea Hacking Increasingly Focused on Making Money More than Espionage: South Korea Study,” Reuters, July 27, 2017, https://www.reuters.com/article/us-northkorea-cybercrime/north-korea-hacking-increasingly-focused-on-making-money-more-than-espionage-south-korea-study-idUSKBN1AD0BO.
