How Are Cyberattacks Fueling North Korea’s Nuclear Ambitions

Critical Questions by Doreen Horschig

Published July 31, 2024

After a two-year investigation, Google's cybersecurity firm Mandiant accused North Korean hacker group Advanced Persistent Threat 45 (APT45, or Andariel) of engaging in a global cyber espionage campaign since 2009. The group attacked a variety of sectors (e.g., banks, defense firms, and hospitals) and targeted nation-states such as India, South Korea, and the United States on the orders of the North Korean government's Reconnaissance General Bureau-a military intelligence agency. The attacks against government entities and the private sector are in line with North Korean leader Kim Jong Un's vision to build a military force that contains "the constant threat of the enemies with overwhelming force."

The collective response highlights the importance of government-private sector partnerships, robust network defense, and information sharing among the United States and its allies to combat cyber threats that are used to collect nuclear weapons-related information.

Q1: What nuclear information was stolen?

A1: Since 2017, APT45 has increasingly focused on the defense industry and government agencies such as U.S. Air Force bases and NASA's Office of Inspector General, along with operations against nuclear entities such as the Kudankulam Nuclear Power Plant in India. A large amount of the stolen and classified information was used to support North Korea's nuclear weapons program. Michael Barnhart, a principal analyst who leads Mandiant's North Korea operations, reported that the group stole a range of sensitive plans relevant to its nuclear program, including on (1) uranium processing and enrichment, (2) government nuclear facilities and research institutes, (3) satellites, satellite communications, and nanosatellite technology, (4) submarines, torpedoes, unmanned underwater vehicles, and autonomous underwater vehicles, and (5) nuclear power plants.

In addition, North Korea stole blueprints of missile designs and missile defense systems that are in direct support of its nuclear program. The country launched more than 100 missiles since 2022, including the Hwasong-18 solid-fueled intercontinental ballistic missile and the Pulhwasal-3-31 cruise missile. This is part of a growing and advancing nuclear arsenal, estimated to have 50 warheads as of January 2024 and the capacity to produce more. It is currently developing submarine-launched ballistic missiles, and the hacks are possibly directly benefiting from this development. The regime uses its nuclear program as a deterrent, threatening to use it against potential aggressors while also pursuing diplomatic leverage. As reported in North Korean state media, the regime "would not hesitate to launch a nuclear attack if an enemy provokes it with nuclear weapons."

Q2: Why are these hacking activities problematic?

A2: APT45 is incredibly complex. The group has a library of malware tools at its disposal. Along with stealing blueprints and other nuclear-related information, the Kim regime is also leveraging these hacking activities to finance and expand its military programs. Thus, the group is not only using the hacks to develop an initial military weapon design but also to increase the quantity of its armed forces.

The nuclear operations are supported by APT45-attributed ransomware. These developed programs essentially lock or corrupt data on computers so that threat actors like APT45 can request money in exchange for the data being returned to its original state. These attacks are often irreversible, leading victims to pay the ransom in the hope of regaining access, only to discover later that their data remains inaccessible.

Ransomware, coupled with other illegal financial activities, such as the recent defrauding of over 300 U.S. companies, is essentially an effective way for the regime to ensure the financing of its weapons programs, usually in direct violation of U.S. and UN sanctions.

Q3: Is this part of a larger pattern by nuclear or aspiring nuclear states?

A3: North Korea is well known for using state-sponsored cyberattacks to support its various governmental and specifically nuclear operations. In 2014, the country was able to obtain designs and manuals for nuclear reactors from South Korea's Hydro & Nuclear Power. Similarly, in 2021, another North Korean cyber group, Kimsuky (APT43), breached the Korea Atomic Energy Research Institute. However, North Korea is not the only actor using cyber tools to gain advantages for its nuclear program.

For example, in 2022, Russian hacking team Cold River targeted several U.S. nuclear research laboratories, including Argonne, Brookhaven, and Livermore. In 2014, China targeted Japan's Monju plant with a malware-based attack, gaining access to the reactor room and sending phishing emails to employees. Other attacks, such as the 2023 hack of the Idaho National Laboratory, have yet to be assigned.

As geopolitical tensions rise and the salience of nuclear weapons increases again, there is a heightened risk that other actors may seek similar means to acquire nuclear knowledge. While not all may go to the same extremes as Pyongyang in pursuing a nuclear program, the North Korean case certainly sets a concerning precedent.

Q4: How is the United States responding?

A4: The good news is that the United States and other allied government agencies such as the United Kingdom's National Cyber Security Centre (NCSC) are working together to hold malign actors responsible. For example, a federal arrest warrant with a $10 million reward has been issued for Rim Jong Hyok, a member of APT45. Although it is unlikely that he will be indicted because he likely resides in North Korea, it sends an important signal: the United States is working jointly with private firms to meticulously address North Korea's malicious activities.

In addition, the U.S. National Security Agency, the U.S. Federal Bureau of Investigation (FBI), South Korea's National Intelligence Service, the NCSC, and others released a joint cybersecurity advisory to publicize North Korean activities and encourage critical infrastructure organizations to strengthen their cyber defenses by providing detection methods and mitigation measures. The United Nations has also been monitoring North Korea's cyberattacks closely. Earlier this year it released a report that had investigated "58 suspected [North Korean] cyber-attacks on cryptocurrency-related companies between 2017 and 2023, valued at approximately $3 billion," which reportedly have helped fund North Korea's development of nuclear weapons.

Q5: What is the relationship between private companies such as Mandiant and U.S. efforts to counter North Korea's cyberattacks?

A5: The recent revelations emphasize the advantages of partnerships between the government and private sector. Mandiant worked alongside the FBI Kansas City and other domestic and foreign government agencies to track APT45 attacks. Private companies and the U.S. government collaborate closely to combat cyberattacks against the defense and military industries, often involving shared threat intelligence, resources, and expertise to enhance cybersecurity defenses. In 2021, Microsoft worked with the government to address vulnerabilities in its Exchange Server software that had been exploited by state-sponsored hackers. Patches were developed and released quickly. Similarly, the 2020 SolarWinds cyberattack, discovered by the private cybersecurity firm FireEye, prompted a coordinated response between the sectors to address a significant breach affecting multiple government agencies and private companies. Public and paid intel sources, such as Mandiant's collection on APT45, are increasingly important to sharing information, tactics, and indicators of compromise for hacker groups widely in order to proactively defend against hacking activities.

These instances highlight how important strong collaboration and collective network defense is in this area, especially when rogue nuclear actors like North Korea are trying to advance their nuclear weapons programs. Measures and resources must be allocated to prevent malicious activities from North Korea and other adversaries.

Doreen Horschig is an associate fellow with the Project on Nuclear Issues at the Center for Strategic and International Studies in Washington, D.C.

Programs & Projects