India is one of the few countries that maintain diplomatic relations with North Korea. And now cybersecurity experts have identified the rising Asian economic power as a country from which the isolated rogue nation's hackers may be launching cyberattacks across the world.
Some security experts also believe that an elite branch of Pyongyang's hackers may be working from several other foreign nations as well, primarily in Asia, one of which may be India. This may indicate Pyongyang's reach in its ability to ensconce its agents within the borders of its adversaries.
Earlier this year, security researchers at Recorded Future, a US-based cybersecurity firm that has been studying North Korea's activities in cyberspace, said in a report, that they had identified activities "to and from" India that indicated a possible "virtual and physical presence" of Pyongyang's hackers.
While it may be considered unusual for a country to allow its hackers to operate outside of its borders, in this particular scenario, Pyongyang may be the exception.
Experts suggest that the North Korean hackers who may be working out of India, could be focused on making money instead of espionage. However, the Indian government has made no comments about detecting any such cyber activities.
IBTimes UK has reached out to the Indian Ministry of Electronics and Information Technology as well as the recently established National Cyber Safety and Security Standards (NCSSS) to determine the extent of the Indian government's knowledge on potential North Korean cyber activities coming from within the nation's borders.
Are there any advantages for North Korean hackers working out of India?
Indian foreign minister Sushma Swaraj recently told Rex Tillerson that India would continue to maintain its "small" diplomatic presence in Pyongyang, as it could work as a diplomatic channel to reduce tension between the rogue nation and the West. This diplomatic openness may also likely be abused by Pyongyang to further its illegal activities in cyberspace.
Why would North Korea send out its hackers to other nations to conduct attacks? Unlike other nations with extensive cyberespionage operations, North Korea is believed to have limited internet access. Priscilla Moriuchi, director of strategic threat development at Recorded Future told IBTimes UK, "North Korea has limited internet access and much of its IP space, internet access points, and activity are known to outside researchers and government. Operating outside of North Korea could give these actors access to better and faster internet connections."
Moriuchi said it is "very likely" Pyongyang's hackers may be operating out of India and the move may have multiple advantages for the Kim Jong-un-led regime. Given that the attacks conducted by North Korean hackers from foreign nations may be much more difficult to attribute, this in turn could provide "the Kim regime plausible deniability".
"Actors operating from abroad are absorbed in their local environment and are likely to pick up new tactics or techniques that could help advance and obfuscate North Korean cyber operations," Moriuchi added.
Over the past few years, North Korea's boastful insistence on having a powerful army of cyber warriors has escalated from mere words to highly destructive actions. This year alone, several high-profile cyberattacks such as the global WannaCry ransomware epidemic, international bank hacks and more came to light — all of which are believed to have been perpetrated by North Korean hackers.
Pyongyang's hackers stationed abroad likely elite agents who won't defect
The dictatorial regime's extensively pervasive ideology is designed to ensure loyalty. Experts believe that any agents chosen by the regime to go abroad would likely be those who are considered to be immersed in the North Korean propaganda — so much so that the danger of possible defection is limited or even nullified.
"Just like the Soviets had KGB minders for any mission into the West, the DPRK has ideological minders for all their overseas missions whose primary job is to ensure that everyone operating from the office maintains the cult of personality and doesn't defect," Cybereason senior director of intelligence services Ross Rustici told IBTimes UK. "This is especially true of those with specialised talent or access to information about the regime's illicit dealings. Given this foundation, DPRK hacking activity appears to follow the maturity of these overseas missions."
According to Rustici, in the event that North Korean hackers are operating out of India, their likely focus would be on generating money rather than espionage-related activities. He backed his argument saying that some of North Korea's oldest cyber activities involved making money for the impoverished regime. He added that these hackers appear to be the "most geographically dispersed".
"Given the trade that has historically existed between India and the DPRK, it would be trivial to get the currency earned from cybercrime back to the DPRK without raising much of a suspicion and they have a large enough presence in the country to make setting up an operation like this feasible," Rustici told us. "The other main selling point for India as a staging ground for cybercrime is the fact that the country is already rife with similar activities.
"India has a very large indigenous cybercrime community, and from a detection and enforcement perspective, the Indian police historically have had a low success rate in dealing with the activity. This allows the North Koreans to blend in with the noise, have relative security, and as long as they operate a modicum of operational security avoid any attribution, assuming that they only conduct their illicit money generating activity."