North Korea’s hackers already stand accused of disrupting South Korean power plants, trashing Sony Pictures’ computers and stealing $81 million from Bangladesh’s central bank. But if they also caused this past week’s global cyber meltdown, the reclusive regime’s cyber operatives may have finally gone too far.
That’s because the spreading malware crisis’ hardest-hit victims include China — the country that some cybersecurity experts say has enabled North Korea’s hacking operations by providing network bandwidth and even physical space for thousands of Pyongyang digital warriors to launch attacks on government and corporate computer systems around the world.
And that has security advocates hoping that Beijing will finally slap down its aggressive neighbor, something the U.S. has been seeking in vain for years.
The North Koreans “generally don’t pick on their benefactor,” said John Bambenek, manager of threat systems at the cybersecurity company Fidelis, which uncovered suspected digital links between North Korea and the malware blanketing the world.
But the wave of so-called ransomware attacks that began Friday has struck China hard, locking up computer networks at government agencies and universities and demanding ransom payments to release them. If North Korea is responsible, even unintentionally, it would be the first known attempt by Pyongyang to digitally pilfer China’s coffers at such a scale.
The digital strikes came as Beijing and Pyongyang were already at odds over North Korea’s erratic military aggression, including a series of ballistic missile tests.
“This is creating a situation where China is forced to respond,” said Carl Wright, executive vice president at TrapX, a cyber firm that studies malware around the globe. “These type of situations, when you combine the physical and cyber together, can definitely be a tipping point.”
And if China doesn’t punish North Korea, some lawmakers and security experts want the Trump administration or an international body to step in — even if that means imposing sanctions on Chinese entities and people that aid Pyongyang’s hacking operations.
Republican South Dakota Sen. Mike Rounds, the chairman of a cyber-focused Armed Services subcommittee, told POLITICO on Tuesday that conclusive proof of North Korean involvement in the ransomware campaign would “certainly strengthen those interests” in imposing fresh penalties on North Korea or China over its digital assistance to Kim Jong Un’s regime.
Sen. Cory Gardner (R-Colo.), who chairs a Senate subcommittee overseeing East Asia and international cybersecurity, sent a letter on Tuesday to the U.N. Security Council urging it to slap North Korea with fresh sanctions over both the recent missile launches and its “malicious cyber behavior.”
Asian experts think China may be amenable to cooperating — to an extent — if the worldwide consensus is that North Korea orchestrated the ransomware ambush.
“I think in this case they would be open to it,” said Adam Segal, a China cyber specialist with the Council on Foreign Relations, adding that Beijing might respond to the threat of U.S. sanctions targeting its banking system.
But that cooperation would only go so far, Segal and others cautioned. China’s primary goal, they said, is to maintain stability in North Korea and to eradicate the nuclear uncertainty that is quickly pervading the region.
China “might take some steps,” said Joel Wit, an Asian expert with the U.S.-Korea Institute at the Johns Hopkins School of Advanced International Studies who oversaw a nuclear deal between the U.S. and North Korea in the 1990s. But “they’re going to be finely tuned.”
“At the end of the day, they’re always very careful not to go too far,” he added.
A Chinese rebuke could involve expelling North Korean hackers or axing Pyongyang’s access to China’s robust internet, steps that some believe would severely derail the boxed-in country’s ability to conduct its digital rampages. Bambenek estimated China could set back Pyongyang’s cyber program six to 12 months.
Without China as a staging ground, North Korea would have to find another willing partner, scour the black market for tools, or develop its own technology. Each option would put Pyongyang’s hackers at greater risk of getting caught, several cyber experts said.
But Jenny Jun, co-author of a Center for Strategic and International Studies report on North Korea’s digital programs, said Pyongyang may have left behind its digital reliance on China in recent years as the once tech-averse country’s hacking skills matured.
Much of the evidence of Chinese digital aid to North Korea — tacitly allowing North Korean hackers to work from a Chinese hotel, or letting Chinese-based companies operate as fronts for the development of digital intrusion tools — is based on years-old research. And the tools behind the country’s more recent digital ambushes, such as the Sony Pictures strike from late 2014, were developed in-house, Jun said.
“It is entirely possible they have moved their base to other Southeast Asian countries, with their [internet addresses] just routed or spoofed across different countries,” Jun said.
Given the lack of concrete information on North Korea, the reality is difficult to ascertain, researchers agreed.
Thus far in China, though, the state-controlled media has kept the focus elsewhere — on the general scourge of cybercrime, or the U.S. spy community’s role in the outbreak, according to Segal. The hackers behind the digital extortion campaign used a flaw in Microsoft Windows that the National Security Agency had apparently exploited for years — until someone leaked the NSA’s hacking tools online and allowed cyber criminals to copy them.
The Chinese government itself has stayed mostly silent, Segal added.
It could take months before other governments are willing to officially point the finger at North Korea, upping the pressure on China. Assigning blame for cyberattacks is notoriously difficult, and the digital evidence so far — some overlapping code between malware that powered the global attacks and tools used by a North Korean-linked hacking group — is far from conclusive.
Even if China decides to act in concert with international partners to stymie North Korea’s digital ambitions, the public may never know. Beijing is doggedly committed to retaining its relationship with Pyongyang, regional experts said.
The two countries operate “within a narrow band of good relations good relations,” Wit said.
But, he added, “It’s always relations.”
Martin Matishak contributed to this report.