State-backed North Korean hackers have stolen an estimated $2 billion or more from cryptocurrency organizations and banks in 30 cyberattacks over the past five years, primarily to help fund the regime's weapons of mass destruction and ballistic missile programs. In 2023 alone, North Korean hackers have stolen $340 million in cryptocurrency assets, not including the estimated $150 million US government officials believe they stole from blockchain transaction firm Mixin in late September 2023.

But a timeline of recent cyber-related efforts shows that the North Korean regime has broader goals extending far beyond financial theft, illustrating how one of the world's top digital adversaries is a versatile threat actor capable of a range of malicious acts.

Experts say that the cyber program run by North Korea, or the Democratic People's Republic of Korea (DPRK), is fluid and flexible, nimbly adapting to various activities, thanks partly to highly skilled, youthful hackers. Finally, some experts suggest that while North Korea has seemingly cooled its destructive actions since creating global havoc with the WannaCry worm in 2017, that is because of a change in Pyongyang's focus and not a diminution of capability.

Recent North Korean cyber timeline

On top of the continuous financial threats, a steady stream of diverse verified and suspected North Korean malicious cyber activity has come to light over the past two years, including:

Evolving, adaptable structure makes attribution difficult

Based on this wide range of activities, it is clear that North Korea's cyber program is adaptable and complex. Researchers at Mandiant recently produced an updated assessment of North Korea's cyber structure, noting a "significant multiyear shift and blend in the country's cyber posture," with overlaps in targeting and tool sharing among the various arms of the DPRK cyber program, making attribution to any particular North Korean group challenging.

Mandiant concluded that "the DPRK cyber landscape has changed tremendously, and overlapping indicators, which would traditionally be tracked individually to these separate organizations, seemingly signal a growing adaptability and collaboration" among the various groups that collectively make up North Korea's cyber program.

"We have too many people right now in the public and the private sector that are focusing on who done it when really Kim Jong Un, he's trying to confuse you," Michael Barnhart, Mandiant's lead on DPRK cyber collection, analysis, reporting, and tracking, tells CSO. "He's moving people around. He doesn't care that we have a hard time tracking him. It's not in his best interest to do that. Attribution matters, but we might have to go about it a different way because it's very clear that they're muddling everything."

This muddling has accelerated since the COVID-19 pandemic, when "the regime was forced to modify their operations in 2020 as the pandemic hardened borders around the world; most notably within the Korean Peninsula and China," Mandiant concluded.

"So, whenever they got blocked and couldn't return to the country, they had to get crafty," Barnhart says. "And you can see that [the various DPRK hacking groups] are talking more, and they're collaborating more, and that's going to be problems for us."

Nimble cyber workforce punches above its weight

Unlike the offensive and defensive teams in other countries with well-established cyber units, North Korea's hacking unit is comparatively small. It is also stocked with skilled, all-purpose workers capable of shifting from mission to mission. "They can do it all, and it's unreal," Barnhart says.

Mandiant highlights Park Jin Hyok, currently on the FBI's most-wanted list, as an example of DPRK hackers' "ability to conduct activities at high levels of sophistication and execution, then immediately pivot to separate tasks and maintain that same level of execution" from blockchain and cryptocurrency hacking to supply chain attacks to espionage and more.

"This guy was involved in the Sony hack [in 2014]. That's the first big indictment," Barnhart says. Park is also connected to the 2016 theft of $81 million from Bangladesh Bank, the development of WannaCry, and the infiltration of US defense contractors in 2016 and 2017, among other campaigns. "These guys are absolutely skilled at the very, very top levels. And they can pivot on those levels, too," according to Barnhart.

"North Korea is one of those states that tends to punch above its weight in cyberspace," Dick O'Brien, Principal Intelligence Analyst at Symantec, tells CSO. "They have, relative to the country's size, quite a large cyber-espionage capability that is particularly active."

North Korean cyber workers are 'very capable'

Although lacking the same scale of capability and resources as, for example, Russia, North Korea is "quite an unusual power in cyberspace," O'Brien says. "A lot of nation-state sponsored activity is old-fashioned, old-school espionage intelligence gathering, whether for political purposes or the acquisition of intellectual property. North Korea does do that, but it does an awful lot more than that."

O'Brien echoes Barnhart's estimation of the skill of DPRK cyber workers. "Some of the people they have working for them, I would consider to be very, very capable. There is one group that we call Stonefly, and every attack we've seen them involved in, they're quite selective. We don't see them that often, but it's usually been against some high-value intellectual property. They are very good at staging intrusions on fairly well-resourced organizations, organizations that prioritize their security, and that's not easy."

Given the closed and tightly controlled nature of North Korea, it is hard to gain clear visibility into the country's cyber workforce. Still, Tom Hegel, Principal Threat Researcher at SentinelOne, thinks a lot of innovation is coming from a creative, young, technically savvy group of hackers that probably "has no other option but to just do whatever they can to get the mission done just by pure force on their end."

"They're doing things that you would never see like a professional state-backed operation doing, just throwing darts at the wall and seeing what sticks," Hegel says. "So, to me, it signifies a very creative operator-driven environment rather than a top-down orchestrated world that you'd see in China, the West, or anything like that." But, he adds, "I would say every leading nation right now has one division or another within their structure that is highly skilled, highly nimble, and is typically given free rein to do what they need."

Will the DPRK return to destructive operations?

While diverse and sophisticated, none of the recently revealed activity of North Korea's hacking efforts falls into the category of destructive activity on par with WannaCry or the Sony hack. But experts say that is cold comfort, because the North Korean hacking apparatus can still launch destructive operations if given the mission to do so.

"You need to take a step back and look at what they've done because then that'll tell you how far they're willing to push the envelope," Mandiant's Barnhart says. "Sony happened because they got upset because Kim Jong Un was made fun of in a movie. They shut down an entire multi-billion-dollar business and did a destructive attack there. So, we know that they will use destructive malware."

Symantec's O'Brien says that North Korea these days mainly operates along the twin tracks of cybercrime and espionage, but "the destructive element has reared its head from time to time, particularly when it comes to targets who have somehow irked or annoyed the regime," he says.

However, SentinelOne's Hegel suggests North Korea got spooked by the global focus on the publicity-shy country following WannaCry, particularly given how easy it was to attribute the attack. North Korea is now more "focused on the financial or the hardcore espionage that typically not a lot of people see just because of the limited scope and who they're targeting," he says.