Even before a US government investigation confirmed suspicions that North Korea was behind the massive cyberattack on Sony Pictures, everybody has seemed to be asking the same question about even the possibility of North Korean responsibility. Can one of the poorest countries in the world, a country that has isolated itself into technological backwardness, where personal computers are banned and the Internet does not officially exist, possibly be that good at hacking?
The answer is that, yes, North Korea really is that good at hacking, and the country has a substantial record of sophisticated cyberattacks. The answer as to how North Korea is so good at hacking is more complex, but gets at some of the most important — and most misunderstood — elements of how the Hermit Kingdom really works.
North Korea is far better at hacking than you think
North Korean government hackers have launched a number of successful, high-profile attacks, and who knows how many lower-profile ones. The attacks have grown in scale and sophistication in the last few years, apparently as North Korea ratchets up the largely offensive and military-run program.
In July 2009, for example, US and South Korean government web sites were hit by what US officials called a "massive" and "powerful" wave of cyber attacks eventually traced back to North Korea. While the attacks did little more than symbolic damage, they were bad enough that US officials cited it as a moment when they realized the urgency of preparing to defend against state-based hackers generally.
Most of the attacks have focused on South Korea, in some cases doing real-world damage. A wave of 2011 attacks against South Korean banks shut down a number of their systems, disrupting the heavily wired South Korean economy. In 2013, North Korean state-sponsored hackers shut down even more South Korean banking systems, as well as computer systems at South Korean TV broadcasters.
In one stunning series of 2014 attacks, North Korea designed a free-to-use mobile phone game, not unlike Angry Birds, which it seeded into the South Korean game market. The game spread organically until it was on tens of thousands of South Korean phones. Months later, North Korean hackers remotely activated a piece of malware installed within the game, gaining them access to at least 20,000 South Korean cell phones.
The real reason North Korea launches cyber attacks
Those earlier attacks are, tellingly, in line with the more recent Sony Pictures attack: meant both to cause real-world damage to North Korea's targets, whether it was the South Korean economy or Sony, as well as to be a flamboyant and intimidating show of strength. The South Korean TV station attacks, like the very public takedown of Sony, is meant to humiliate the target and draw attention to North Korea's power.
That latter goal, a show of strength, is especially important for understanding the Sony hack: North Korea is too rational to expend precious resources taking down a massive corporation just because it offended Kim Jong Un. These attacks, like so much of North Korea's bluster, and like its acts of physical aggression, are really done out of insecurity and fear. They are deterrents meant to scare away the much stronger US and South Korea from doing anything to harm North Korea.
The North Korean government routinely kicks up international incidents for exactly this reason. Conflict is a deterrent; it also brings the international attention that Pyongyang craves for domestic propaganda purposes, as well as occasional diplomatic concessions.
How North Korea runs its cyberwar program
North Korea's offensive hacking program is surprisingly well documented by defector accounts and by efforts to trace back previous hacks to their source. By all accounts, despite the fact that the vast majority of North Koreans are kept offline and unaware of the internet for their entire lives, the military still maintains a large and highly professionalized cyberwarfare division.
This is how it works, according to defector accounts: promising young talent is recruited out of school. They study at a special school in Pyongyang for five years and are then sent to train in China or Russia, both of which run sophisticated state run cyberwar divisions. These assignments are considered some of the most prestigious in the country and are rewarded with special privileges, housing, and higher status. This is an earnest reflection of how seriously North Korea takes cyberwar, but it's also meant to reduce the risk that their internet access, which gives them knowledge of the outside world, will tempt them into defecting.
Some reports contradict as to whether the hacking divisions are based out of China, tacitly tolerated by the Chinese government, where they would have reliable internet access, or whether they work from North Korea, out of the secretive Bureau 121. Rumors have circulated in recent years of a clandestine, subterranean T1 line connecting Pyongyang with Chinese internet infrastructure.
The program has been such a success, according to defector accounts, that it has grown from 500 to 3,000 members in recent years. Defectors who spoke to Al Jazeera for a 2011 story on the program listed five reasons why North Korea is investing so heavily in cyberwarfare. Here are those points, paraphrased. With the exception of the second, they are quite astute and strategically correct:
- Training hackers is more cost-effective than building tanks or fighter jets.
- North Korea sees its citizens as racially superior at math (the country's attitudes toward race are, shall we say, complex) and other hacking-related skills.
- North Korea can't use its conventional forces without risking war, but it can launch cyberattacks more safely.
- Cyberwar is "asymmetrically advantageous" for the militarily weak North Korea.
- The internet allows North Korea a way to launch external attacks without actually crossing the border.
This tells you something crucial about how North Korea works
Like so much of North Korea's behavior, its cyberwarfare program is another sign that, despite its popular portrayal (including in The Interview) as a wingnut state run by delusional madmen, the country is coldly rational and brutally strategic in its actions.
North Korea's decision to hack Sony is being widely misconstrued as an expression of either the country's insanity or of its outrage over The Interview. But that sort of cartoonish mischaracterization is exactly how Americans came to believe that North Korea was a bunch of buffoons who probably couldn't dial up to the internet, much less launch one of the most successful cyber attacks against the US in history.
In fact, this hack, like many of North Korea's international cyberattacks, is consistent with the country's long-held military strategy, in which North Korea has launched seemingly random acts of military hostility, for example by sinking a South Korean submarine in 2010 and shelling a South Korean island in 2011. This is belligerence meant to deter the much stronger South Korea and US, and to draw international attention that North Korea can use to bolster domestic propaganda portraying Kim Jong Un as a fearless leader showing up the evil foreign imperialists. It is meant to foment the isolation and tension that has allowed the Kim family to hold onto rule, impossibly, for decades.
And it is remarkably effective at securing North Korea's strategic goals. But it is also quite dangerous. By design, the risk of escalation is high, so as to make the situation just dangerous enough that foreign leaders will want to deescalate. And it puts pressure on American, South Korean, and Japanese leaders to decide how to respond — knowing that any punishment will only serve to bolster North Korean propaganda and encourage further belligerence. In this sense, the attacks are calibrated to be just severe enough to demand our attention, but not so bad as to lead to all-out war.
People will often say that North Korea launches these attacks because they're crazy or irrational. If only it were that simple, the Kim Jong Un regime would have driven itself into extinction decades ago.