Geopolitics part 2: North-Korea & China

The age of Cyber-Warfare

Blog by Eward Driehuis, Chief Research Officer

In part 1 you have read about geopolitical threats in the cyber landscape attributed to the Russian state sponsored hacker groups, such as DDOS-attacks and the Olympic Destroyer malware. Further we discussed other activities of APT28, such as LoJax and the Internet of Things-botnet.

In part 2 we will talk about the threats from North-Korea and China.

Attribution is difficult

One of the most difficult processes in threat intelligence is attribution. The identification of the source of a threat is a delicate matter. Sometimes it takes years to identify the source and attribution may still be mistaken. The Olympic Destroyer’s attack on the South Korea Winter Olympics was brimming with references to North Korea when researched. However, these are now widely believed to have been false flags, deliberately pointing away from the actual perpetrator. Current opinions now point to Russia as responsible for the attack. It is therefore wise to remain open-minded when considering such claims.

North Korea-related activity

In 2018, North Korean and US leaders met in Singapore, expressing public appreciation for each other. A flurry of friendly diplomatic meetings has since taken place with the leaders of sworn enemies North and South Korea having met and shaken hands. This diplomatic progress also correlates with North Korea taking the world stage on a cyber level.


North Korea entered the world stage with a bang in 2016. At that time the Lazarus group was loosely tied to the regime and became notorious in February 2016, stealing $80 million from the Bank of Bangladesh, using stolen SWIFT network credentials. A narrative emerged that the Lazarus group focused on stealing money for the North Korean regime. This attribution remained weak, and the narrative was doubted. Prior to 2016, North Korea was suspected of the Sony hack (in retaliation to the movie “The Interview”, poking fun at Kim Jong-Un) along with numerous other attacks on South Korean banks.


In 2017 the Wannacry attack tools displayed similarities with earlier Lazarus tools, and so was again vaguely attributed to the Lazarus Group.

Also in 2017, numerous cryptocurrency exchange attacks occurred which some attributed to North Korea. With the rise of cryptojacking, North Korea was again suspected, and a narrative developed that the regime was attempting to obtain as much foreign money as possible. North Korea being a very poor dictatorship, the narrative appears plausible.


In October 2018 North Korea received its second APT designation next to APT37. FireEye Inc. released a report claiming that a separate group (APT38) was responsible for stealing money on behalf of the North Korean regime. Targeting the SWIFT inter-banking network is the group’s modus operandi. This implied that the group should also be experts in money laundering. APT38 has links with Lazarus, but they are not one and the same with the Lazarus Group continuing to remain elusive.

In October 2018 a report was published describing how North Korea, through APT38, Lazarus, or a combination, had stolenover half a billion dollars from bitcoin exchanges and the funds were likely used for North Korean government financing.

Geopolitics part 1: Russia

In 2018 the geopolitical tensions increased and some of the biggest disruptions were due to the bad nations. Read the article here.

China-related activity

As we saw in the APT list, China has the highest number of APT groups. It also has the world’s second largest economy, maintaining nuclear weapons and the world’s second largest defense budget. One might say it is catching up with the USA.

In 2018, the USA imposed trade sanctions starting a trade war with China, Mexico, Canada and many other economic zones including the European Union. In numerous statements, the US president has pointed to China as the biggest aggressor in cyber security. Some cyber security agencies support this statement, and SecureLink Cyber Defense Centers have also observed increased activity generated from China.

China allegedly has a long history of industrial espionage. In the cyber domain, half of the named APTs are attributed to China. APT1, 2, 3, 10, 12, 16, 17, 18, 19, 27 and 30 are all believed to be synonymous with China. Focusing on numerous different industries and geographical regions, these groups specialize in differing types of espionage.

Apart from trade wars, China is involved in various other conflicts, with attacks on Taiwan increasing in 2018.

In an unprecedented event in October 2018, China abducted and arrested Meng Hongwei, the Chinese president of Europol, charging him with bribery. Although Europol is a politically neutral institution the Chinese consider the matter to be between China and France, where Meng resides.


As nation states increase their presence in cyberspace, incidents of espionage, sabotage and largescale theft are increasing. Many organizations feel a false sense of security considering themselves to be of no interest to nation states and therefore low risk. While this instinctively feels true, organizations are discovering that being in the supply chain of a target increases risk. Many organizations also get caught in the crossfire, suffering collateral damage.GEOPOLITICS

Of course not every organization will become a victim of nation state cybercrime however there are certainly new risks to consider. In previous years commoditized cybercrime was the only cyber threat to a business. Today, while a business will certainly be targeted, the impact will be low.

Veteran cyber criminals may also attack and if successful the organisation will suffer a medium impact. Whilst nation states probably won’t target a business, they will attack someone within a business’s network, and the impact will be high. This new paradigm needs to be considered.

Also interesting for you…

Do you want to read everything about 2018? Download here the Annual Security Report 2018.


The threats from Russia and the activities of the APT28.


Read more blogs.