
2025 DPRK Cyber Threat Assessment

Cybersecurity · DPRK · Critical infrastructure

Justin Park

Executive Summary

The greatest cyber threat the United States currently faces is a North Korean attack on American energy infrastructure enabled by Chinese and Russian digital infrastructure and training as a proxy. North Korean units such as Lazarus, Kimsuky, and Bureau 121 have already operated from Chinese and Russian IP addresses to infiltrate financial systems and defense contractors, demonstrating both capability and intent. DPRK’s unique position means traditional deterrence by punishment offers the United States few meaningful levers while carrying significant escalation risk if U.S. responses are poorly calibrated. To address this threat, the United States should adopt a declaratory policy that any cyber infrastructure which repeatedly hosts operations threatening U.S. infrastructure will be treated as a hostile asset and subject to U.S. cyber countermeasures, and should deepen interagency cooperation to freeze DPRK-linked financial accounts while mandating Zero Trust Architecture across critical infrastructure sectors.

Rationale Summary

This proposal emerged from observing an emerging pattern of deepened cooperation between the DPRK, the PRC, and the Russian Federation. The 2014 Korea Hydro & Nuclear Power hack, conducted via Chinese IP addresses using techniques linked to Kimsuky, and Russia’s provision of internet access and IP space to Pyongyang since 2017 (not to mention the DPRK’s involvement in Ukraine) illustrate a rising threat from cooperation between the three countries. Recognizing the unique danger of this cooperation, the paper discusses how likely North Korean cyber operations are, why the DPRK is unusually difficult to deter, and how its behavior raises escalation risk, in order to explain why this combination makes the DPRK the greatest near-term cyber threat. The policy recommendations follow directly from that logic, aiming to constrain both North Korea and the allies that enable its cyber operations.

Threat Assessment

The greatest cyber threat the United States currently faces is a North Korean attack on American energy infrastructure enabled by advanced Chinese and Russian digital infrastructure and training as a proxy. The PRC and the Russian Federation maintain sophisticated cyberattack capabilities, and North Korea serves as an ideal proxy for testing attacks with plausible deniability.

Recent CISA and UN investigations show that DPRK units such as Lazarus and Kimsuky operated from Chinese IP addresses on Chinese-hosted servers to intrude into U.S. financial systems and defense contractors (CSIS, 2025). CSIS analysis of North Korea’s hidden enablers finds that Pyongyang leverages Russian and Chinese networks to compensate for its limited domestic infrastructure. The North Korean hacker group Bureau 121 used Shenyang as a hub for its operations. The 2014 Korea (ROK) Hydro & Nuclear Power hack was orchestrated via Chinese IP addresses. Meanwhile, Russia has provided internet access to North Korea since 2017, essentially granting it a means to attempt cryptocurrency theft (Reuters, 2025).

At the same time, DPRK cyber units have consistently demonstrated malicious intent and capability against the United States (CISA, 2024). CISA reports multiple espionage programs and $3 billion in cryptocurrency thefts over recent years, directly funding the regime’s nuclear programs. Cyberattacks have become an integral part of North Korea’s survival strategy. North Korea is currently attacking the U.S. and its allies, is currently embedded in Western networks, and is currently being trained and further enabled within Russian and Chinese cyber infrastructure.

North Korea has already demonstrated its willingness to target hydro and nuclear infrastructure directly. In December 2014, hackers stole employee data and confidential reactor blueprints from Korea Hydro & Nuclear Power (KHNP), the operator of South Korea’s 23 nuclear reactors. They demanded the shutdown of three reactors while threatening “destruction” on Twitter (Reuters, 2015). Subsequent CSIS analysis found that the IP addresses used in the 2014 KHNP hack were in northeastern China, but the techniques used were identical to those the North Korean group Kimsuky had used in its previous attacks. Given that Russia now also provides North Korea with internet connectivity and IP space, Pyongyang could repeat a KHNP-style operation through Chinese and Russian networks, allowing Kim Jong Un to gloat domestically about striking allied energy facilities while placing the difficult burden of attribution and punishment on the U.S. and its allies.

The United States has limited deterrence options against the DPRK for three reasons. First, the DPRK’s economy has adapted to evade U.S. and allied sanctions through Russian and Chinese financial networks (RAND, 2025). Second, the DPRK lacks domestic cyber targets. The regime has a minimal domestic online presence, making it challenging to impose reciprocal cyber costs. Even successful U.S. operations against DPRK servers would affect infrastructure hosted in China and Russia, complicating the diplomatic consequences. Third, North Korea’s cyber behavior is unpredictable, as its 2014 attack on Sony Entertainment showed. Cyber operations are part of the DPRK’s strategy not only to inflict harm on its adversaries but also for their symbolic value.

Recommendations

The combination of weak restraints and the regime’s tendency to respond to U.S. and allied pressure with new provocations means that U.S. counter-cyber operations could quickly become escalatory, especially if Kim views them as a threat to the regime’s survival. In response, the United States should:

1. Declare: The United States should explicitly declare in its policy that any cyber infrastructure, regardless of location, that knowingly or repeatedly hosts operations posing a significant threat to U.S. critical infrastructure will be treated as a hostile asset and subject to U.S. cyber countermeasures. This declaratory policy would not automatically trigger retaliation for every intrusion, but it would incentivize states like Russia and China to reconsider providing a haven for DPRK operators.

2. Deny: Deepen coordination among DOJ, Treasury, CISA, and other financial authorities to track and freeze DPRK-linked financial accounts. Following the precedent set in June 2025, when the DOJ seized hundreds of financial accounts, the U.S. should deny any profitability to DPRK cyber operations (Politico, 2025). In addition, the U.S. should mandate Zero Trust Architecture across critical infrastructure sectors so that even successful intrusions yield less usable access.

Works Cited

Bae, Sunha. “Hidden Enablers: Third Countries in North Korea’s Cyber Playbook.” Center for Strategic and International Studies (CSIS), 25 July 2025, www.csis.org/analysis/hidden-enablers-third-countries-north-koreas-cyber-playbook.

Vicens, A.J., Anton Zverev, and James Pearson. “North Korean Cyber Spies Created U.S. Firms to Dupe Crypto Developers.” Reuters, 24 Apr. 2025, www.reuters.com/sustainability/boards-policy-regulation/north-korean-cyber-spies-created-us-firms-dupe-crypto-developers-2025-04-24/.

U.S. Cybersecurity and Infrastructure Security Agency. “North Korea — Publications.” CISA.gov, https://www.cisa.gov/topics/cyber-threats-and-advisories/nation-state-cyber-actors/north-korea/publications. Accessed 18 Nov. 2025.

Park, Ju-Min, and Meeyoung Cho. “South Korea Blames North Korea for December Hack on Nuclear Operator.” Reuters, 17 Mar. 2015, www.reuters.com/article/world/south-korea-blames-north-korea-for-december-hack-on-nuclear-operator-idUSKBN0MD0GR/.

King, Mallory, Jesse Geneson, Alvin Moon, Nicolas M. Robles, James Syme, and Weian Andrew Xie. North Korea’s Black Knights and Dark Networks: Toward the Disruption and Typology of DPRK Sanctions-Evasion Networks. RAND Corporation, 2025, www.rand.org/content/dam/rand/pubs/research_reports/RRA3400/RRA3413-1/RAND_RRA3413-1.pdf.

“Hundreds of Laptops, Bank Accounts Linked to North Korean Fake IT Workers Scheme Seized in Major Crackdown.” Politico, 30 June 2025, www.politico.com/news/2025/06/30/justice-department-north-korea-it-workers-00433744.