Skip to main content

North Korea Cyber Attacks: A New Asymmetrical Military Strategy

June 28, 2016


Donghui Park

Feature Series

Cybersecurity Initiative Highlights

Since the late 2000s, Pyongyang has tested nuclear weapons and launched missiles as a powerful bargaining chip. In response, the international community has increasingly imposed tougher economic sanctions against North Korea—a decision grounded in a consensus between South Korea and the United States. The use of these weapons and the international response means that the development of nuclear weapons is a double-edged sword for North Korea. First, North Korea has succeeded in attracting the international community’s attention by developing nuclear weapons and intercontinental ballistic missiles as a bargaining chip. At the same time, North Korea has suffered from the economic sanctions due to the nuclear issue. However, Pyongyang has developed a better method for achieving its strategic goals–by using cyber attacks, Pyongyang elite remove the risk of potential sanctions on North Korea and achieve North Korea’s strategic goals, such as its regime survival.

The number of North Korean cyber attacks on South Korean critical infrastructure have increased very quickly over the past ten years. In this tense security context, cyber attacks have become a good way for North Korea to express dissatisfaction with the international community while continuing to avoid direct confrontation with the U.S. and South Korea due to the anonymity and plausible deniability of such attacks. North Korean cyber attacks have not been limited to South Korea. The attacks have also targeted U.S. critical infrastructure and US society. For instance, the Sony Pictures hack alerted the US, as well as people in the world, to the cyber capabilities of North Korea.

Focusing on North Korea’s traditional asymmetric strategy, I analyze the meaning of North Korean cyber attacks on democratic states, including South Korea and the U.S. Moreover, I discuss how North Korea has developed and exerted its cyber capabilities without a mature domestic cyber infrastructure. Finally, I emphasize the importance of global cooperation to end North Korean illegal activities in the virtual worlds as well as the real world.

North Korean Cyber Attacks & Traditional Asymmetric Strategy

It is impossible to understand North Korean cyber attacks without considering the country’s asymmetric military strategy. Since the end of the Korean War, North Korea has developed an asymmetric military strategy, weapons, and strength because its conventional military power is far weaker than that of the U.S. and South Korea. Thus, North Korea has developed three military strategic pillars: surprise attack; quick decisive war; mixed tactics. First, its surprise attack strategy refers to attacking the enemy at an unexpected time and place. Second, its quick decisive war strategy is to defeat the South Korean military before the U.S. military or international community could intervene. Lastly, its mixed tactics strategy is to use multiple tactics at the same time to achieve its strategic goal. The strategies are derived from the military principles of China and Russia (previously, the Soviet Union).

North Korea has emphasized asymmetric and irregular operations to counter the conventional military strength of the U.S. and South Korea. In peacetime, North Korea launches low-intensity unconventional operations to disrupt the peaceful status quo without escalating the situation to a level Pyongyang cannot control or win. For example, North Korean commandos tried to assassinate the South Korean President, Park Chung-hee on January 21, 1968. The unsuccessful attempt is called the Blue House raid. Also, a South Korean navy warship, the ROKS Cheonan, was sunk by a torpedo launched by a North Korean submarine on March 26, 2010. In wartime, it would theoretically launch extensive irregular operations that would exploit U.S. and South Korean vulnerabilities and support its regular military operations. In the past, North Korea’s strategy has focused on nuclear, chemical, and biological weapons as well as special operation forces in order to potentially achieve its strategic ends.

However, recent North Korean cyber attacks show that only understanding North Korea in light of its conventional military confrontations with democratic countries is outdated. The characteristics of cyberspace and cyber warfare have allowed North Korea to pay more attention to developing and exerting its cyber capabilities. In other words, North Korea benefits from the low cost of entry, anonymity, and the plausible deniability that cyberspace offers. At the same time, the international community has not monitored the development of North Korea cyber capability and it has not imposed any sanctions against North Korea for its cyber activities. This is largely due to the difficulty attributing attacks to North Korea. North Korea’s successful cyber strategy indicates that it can achieve its strategy pillars without a threat of increased economic sanctions through developing its cyber capabilities, instead of solely focusing on the conventional weapons.

How North Korea Has Developed & Exerts Its Cyber Capabilities

It is true that North Korea has not invested much on developing its Internet and network infrastructures for its citizens and Internet access within North Korea is limited to its elite and strictly monitored. However, since the 1990s, North Korea has invested in training cyber experts and warriors to hack, attack, exploit, destroy, or delay both private and public critical infrastructures in other countries–mainly South Korea and the US. There have been domestic and international efforts to strengthen its cyber capability. Domestically, Pyongyang has developed universities–especially Kim-Il-Sung University, Kim Chaek University of Technology, and the Command Automation University–as the center of increasing cyber capabilities and training personnel for cyber attacks.

Internationally, North Korea has allegedly cooperated with China, Russia, Iran, and other few friendly countries in improving its cyber capabilities by sending its best students to them for additional training. For example, China has provided educational programs as well as hardware, such as servers and routers, for North Korean cyber warriors. Additionally, Russia has sent several professors who graduated from Frunze Military Academy to North Korea to train professional hackers. Specifically, according to Nigel Inkster, North Korea accepted the concepts of Russian information warfare which allows North Korean cyber warriors to disrupt or destroy enemy computer networks in order to paralyze their command and control systems. Also, Russia reportedly sold Pyongyang GPS jamming equipment, which is used to interfere with the navigation systems of South Korean ships. Finally, Pyongyang and Teheran signed a scientific and technological cooperation agreement in 2012 that includes student exchanges and joint laboratories for information technology.

North Korea efforts and help from China, Russia, and Iran have led to the development of its cyber offensive capabilities. A 2014 Defense White Paper from the Ministry of National Defense in South Korea states that, “North Korea currently operates about 6,000 cyber warfare troops and conducts cyber warfare, including the interruption of military operations and attacks against major national infrastructure, to cause psychological and physical paralysis in the South.” Compared to the US Cyber Command’s estimated 4,900 cyber warfare troops in January 2013, it is obvious that North Korea has sizable force of cyber warriors.

North Korean asymmetric operations, especially cyber attacks, have been controlled by the Reconnaissance General Bureau (RGB) that has been responsible for clandestine operations. Although it is subordinate to the Ministry of People’s Armed Forces, it reports directly to the National Defense Commission (NDC) that is the highest guiding organ of the military in North Korea–a country where the military dominates. This means that Kim Jong-un, the leader of North Korea, as well as the chairman of the NDC, controls the RGB by himself. Specifically, the RGB formed “Office 91” as the headquarters of North Korea’s hacking operations.

Office 91 has four subordinate organizations. First, Unit 110, also known as Technology Reconnaissance Team, was suspected of carrying out the July 2009 DDoS attacks against South Korea and the US Second, Unit 35, the Central Party’s Investigations Department, is the smallest group, but is a highly capable cyber unit with both internal security functions and external offensive cyber capabilities. Third, the North Korean People’s Army Joint Chiefs Cyber Warfare Unit 121 has over 600 hackers specializing in disabling South Korea’s military command, control, and communication networks in case of armed conflict. Finally, the Enemy Secret Department Cyber Psychological Warfare Unit 204 has about 100 hackers and specializes in cyber elements of information warfare. The two units, Unit 121 and Unit 110, have their members stationed in Shenyang and Dandong, China because the Internet connections in North Korea are so few. It is estimated that from 600 to 1,000 cyber warfare agents are acting in a variety of cells in China.


North Korea has focused on an asymmetric military strategy because of its lack of conventional power and resources. However, its traditional asymmetric weapons and strength have been monitored by Western countries, therefore, heavily sanctioned. For North Korea, developing and exerting its cyber capabilities is the best way to avoid sanctions while achieving its strategic goals. Cyber tactics are effective because of the characteristics of cyberspace or cyber warfare–the low cost of entry, anonymity, and plausible deniability.

However, the North Korean cyber threat is not only a problem for the democratic countries that are the government’s focus, such as South Korea and the US. The entire world, including North Korean partners, China, Russia, and Iran, is vulnerable to uncontrollable North Korean cyber attacks. For example, the well-known US created Stuxnet attack on Iranian centrifuges impacted other networks in the rest of the world. Therefore, China, Russia, and Iran should to end their support for the development of North Korean cyber capabilities and cooperate with democratic countries to remove North Korea’s illegal activities in cyberspace. More broadly, they need to reach the consensus with the rest of the world for international cybersecurity norms to make cyberspace as a domain of social, political, and economic opportunities.

This publication was made possible in part by a grant from Carnegie Corporation of New York. The statements made and views expressed are solely the responsibility of the author.