Since 2015, DPRK computer network operations (CNO) have evolved into a self-sustaining, government-operated cyber ecosystem that supports espionage, destructive, and criminal elements, all while concurrently adapting to fluid strategic demands from national leadership. While the DPRK case itself may be unique, as a CNO framework it could serve as a model and even a driver for future state CNO programs in similar regime-driven countries seeking similar high-payoff objectives with limited resources.
This talk will first look at how CHOLLIMA adversaries as an operational enterprise shifted and evolved following milestones such as the SONY and KHNP public retribution and resulting economic sanctions in early 2015, as well as the major reorganization of the DPRK State Affairs Commission in 2016. This will include tracking the trajectories of five separate CHOLLIMA adversaries since 2015, including their respective mission objectives and tactics.
With these interrelated trajectories in mind, I will then address how this adversary set has been able to blend espionage, destructive, and criminal components into operations to support key regime goals (e.g., economic espionage, dissident and defector tracking, and currency generation) as well as self-sustainability. This section will highlight how this achievement is unique among state-sponsored CNO missions, illustrated via specific examples of how each relevant CHOLLIMA adversary has incorporated components of the above motivations into various operations.
While these tactics reflect the DPRK’s view of cyber as an “all-purpose sword”, it is the effective allocation of limited resources and limited skillsets under government direction that has facilitated this evolution. As the DPRK has continued to prove its ability to develop a robust CNO framework despite significant economic hardship and global condemnation, this framework could become an increasingly attractive model for states seeking to develop their own all-purpose swords.