The World in Which We Live

MediaPunch Inc/Alamy Stock Photo HXTJ75

On 30 March 2017, Kevin Mandia, Chief Executive Officer of FireEye, makes his opening statement as he testifies before the US Senate Select Committee on Intelligence that was conducting an open hearing entitled “Disinformation: A Primer in Russian Active Measures and Influence Campaign”.

The Big Four and Cyber Espionage: How China, Russia, Iran and North Korea Spy Online

by Patrick Diotte

Captain Patrick Diotte is an intelligence officer currently serving as the G2 Plans at 2 Canadian Mechanized Brigade Group Headquarters. He is also completing a Master’s degree in War Studies through the Royal Military College of Canada.

Countries behave online the same way they do in the rest of their policies – they deploy similar tactics and pursue similar interests. They all spy, and they all have unique flavours.1
- John P. Carlin, former US Assistant Attorney General for National Security, in Dawn of the Code War.


Malicious cyber activity is a growing threat that has permeated all levels of society – it is arguably the most significant threat facing the West today. Annually, the US Director of National Intelligence (DNI) presents a worldwide threat assessment to Congress that lists threats in order of concern. The 2007 report, as presented by then-DNI John D. Negroponte, identified terrorism as the number one threat facing the US and made no mention of cyber.2 Within three years, the report acknowledged the “far-reaching impact of the cyber threat” as the top threat.3 In fact, since 2010, cyber has remained at the top of the DNI’s list. On cyber, the 2019 report highlights that “ …US adversaries and strategic competitors will increasingly use cyber capabilities – including cyber espionage, attack and influence – to seek political, economic and military advantage over the United States and its allies and partners.”4 The document further identifies China, Russia, Iran, and North Korea as “…increasingly [using] cyber operations to threaten both minds and machines in an expanding number of ways – to steal information, to influence our citizens, or to disrupt critical infrastructure.”5 This article will focus upon cyber espionage and its use as an intelligence collection tool by state entities, specifically by the Big Four threat actors – China, Russia, Iran and North Korea.

The article asserts that the use of cyber espionage by the Big Four is congruent with each country’s individual geopolitical interests and historical approaches to intelligence and warfare. Specifically, China has become a pre-eminent actor in cyberspace, and its actions have reflected its primary strategic goals: economic hegemony and security. Russia has taken a different approach, and considers its cyber espionage capability a key element within its broader information warfare (INFOWAR) objectives targeting its near abroad and beyond. Similar to its use of proxies, Iran has used cyber espionage to project regional power, for state control, and as a retaliatory tool. Last, North Korea views cyber-based spying as a means to enable regime survival and to disrupt regional foes, particularly the US and South Korea.

First, this article will offer a definition of cyber espionage, and then briefly explore its history. Next, it will examine each of the Big Four threat actors individually, and analyze the use and targets of cyber espionage as a tool for intelligence collection. The bulk of up-to-date and relevant literature on the topic is classified. As such, the scope of this article is confined by the limited literature available through open source means. It is further limited by word count; as such, it is not an exhaustive study of cyber espionage, but rather a broader look at its use for intelligence collection and as a tool of state power.

What is Cyber Espionage?

MI5, the British Security Intelligence Service, defines espionage as “the process of obtaining information that is not normally publicly available, using human sources (agents) or technical means (like hacking into computer systems). It may also involve seeking to influence decision-makers and opinion-formers to benefit the interests of a foreign power.”6 As a form of spying, cyber espionage is the use of computer operations “for intelligence and data collection from target or adversary computer systems.”7 In his book on cyber conflict, Dr. Michael Warner, the Historian for US Cyber Command, draws clear parallels between broader cyberspace operations and traditional human espionage. For instance, Warner points out that “an implant can sit in a computer for weeks, months or years, collecting secrets great and small,” and, like catching a spy, the discovery of such an implant “evokes mingled satisfaction and fear.”8 Further, in discussing the far-reaching impacts of cyber espionage, Warner notes that espionage has made “the jump from the proverbial dark alleys to cyberspace virtually intact,” and that the main difference is “the scale that can be exploited in the latter.”9

Cyber espionage can be carried out through various means, and targets can range anywhere from a multinational food corporation to one of the largest and most influential political parties in the world. These types of malicious activities fall under the broader umbrella of computer network operations (CNO). CNOs have been defined by the US Joint Chiefs of Staff as being used to “attack, deceive, degrade, disrupt, deny, exploit, and defend electronic information and infrastructure.”10 There are three main mechanisms for CNOs, and in turn, cyber-espionage: malicious software, unauthorized remote intrusions and Denial-of-Service (DoS) attacks.11

In his paper on cyber espionage and electronic surveillance, William C. Banks, Director of the Institute for National Security and Counterterrorism at Syracuse University, highlights economic espionage as a pertinent subset of cyber spying. Economic espionage, that is, when “…a state attempts to acquire secrets held by foreign companies,” has dominated recent discussions regarding the topic, particularly with the ongoing case involving the Chinese telecommunications giant Huawei.12 Conversely, cyber espionage can also be used as a tool for mass disruption, as was the case when the Russians obtained and released a discrediting phone conversation between then-US ambassador to Ukraine Geoffrey Pyatt and State Department spokesperson Victoria Nuland in 2014. The leak had lasting implications with respect to the Ukraine crisis. As will be examined in the following paragraphs, in recent years the Big Four have developed robust cyber espionage capabilities that continue to pose a significant threat to the West.

Sean Pavone/Alamy Stock Photo E469AR

Beijing, China at the Imperial City North Gate.


China has used cyber espionage to advance one of its preeminent strategic goals: economic hegemony and security. This section will examine China’s use of cyber spying to obtain information aimed at providing both the government and private industry an economic advantage. Further, it will briefly explore measures adopted by China in an attempt to maintain deniability in cyber space.

Nigel Inkster, Director of Transnational Threats and Political Risks at the International Institute for Strategic Studies, outlines in his book that intelligence has played a central role in Chinese policy and strategy since the era of the Warring States (circa 475-221 BCE).13 However, China’s historic espionage activities were largely aimed at managing relations with bordering nomadic tribes, and due to this tendency to look inward, the practice of foreign-intelligence collection was not a major feature of its culture of intelligence until recently.14 The first significant case of Chinese cyber espionage occurred in 2003, when US defence networks were targeted for national security information – the event became known as Titan Rain. The Titan Rain attacks were ground-breaking – completed in 20 minutes and within a single day, they successfully penetrated high-profile targets, including NASA, US Army Information Systems Engineering Command, the Defense Information Systems Agency, the Naval Ocean Systems Center and the US Army Space and Strategic Defense Installation.15

The US first publicly confronted China with allegations of cyber espionage and theft on 8 June 2013, alleging that Chinese efforts were aimed at collecting intelligence on US diplomatic, economic and defence sectors.16 Two days earlier, on 6 June, The Washington Post and The Guardian reported on the US National Security Agency (NSA) and Britain’s Government Communications Headquarters’ (GCHQ) highly classified program known as PRISM. Through this program, the NSA was collecting telephone records of millions of American citizens under the auspices of national security. When President Barack Obama brought up Chinese cyber theft at that summit, President Xi Jinping took out a copy of The Guardian and rebutted any claims of wrongdoing, reinforcing the double standard.17 Nevertheless, as headlines have shown in recent years, China continues to pursue a highly aggressive cyber espionage agenda largely aimed at the financial sector and private industry, but also one fixed upon obtaining data from government and other sectors.

Frans Sello Waga Machate/Alamy Stock Photo D6CJR8

Chinese President Xi Jinping.

In pursuit of innovation and economic security, Beijing has employed a full array of cyber capabilities, particularly cyber and industrial espionage. Today, accounts of Chinese cyber espionage are recurring more than ever – Inkster notes that a key driver has been China’s desire to catch up with the developed world in transformative science and technology.18 As noted in Zack Cooper’s report for the Foundation for Defense of Democracies, “the drive for indigenous innovation has motivated Beijing since the onset of market-oriented reforms in the late 1970s.”19 Despite significant growth and advances in manufacturing, the Chinese Communist Party (CCP) has issued a number of initiatives that many claim are blueprints for technology theft – such as the 2010 National Medium and Long Term Plan for Development of Science and Technology (MLP), and the Made in China 2025 enterprises.20 In 2017, the Pentagon stated that China has conducted “an intensive campaign to obtain foreign technology through imports, foreign direct investments, industrial and cyberespionage and establishment of foreign R&D centers.”21 Five years earlier, in a study of cyber intrusions conducted in cooperation with other private and government organizations, Verizon analyzed 47,000 security incidents that resulted in 621 confirmed data disclosures and at least 44 million compromised records – 96% of cases were attributable to threat actors in Beijing.22

China is estimated to be responsible for 50 to 80 percent of cross-border intellectual property theft worldwide and over 90 percent of cyber-enabled economic espionage in the US.23 A 2018 White House report highlights that the cost of trade secret theft from China alone ranges between $180 billion and $540 billion annually for the US.24 General Keith Alexander, former head of the NSA and US Cyber Command, famously noted that China’s cyber espionage activities accounted for “the greatest transfer of wealth in history.”25 A comparative examination reveals that targets of high-end attacks align with the priorities of the CCP’s successive Five-Year Plans. That said, as was the case in China’s intelligence collection efforts prior to the Internet Age, parts of the country’s cyber espionage efforts are being undertaken by outside entities – a fact that has enabled China’s top leadership to deny accusations of commercial cyber espionage and intellectual property theft.26 Further, China’s intelligence laws provide the capability to compel private companies, such as Huawei, to assist with state intelligence efforts. In fact, Article 7 of China’s 2017 Intelligence Law obliges organizations and citizens to “support, assist and cooperate with intelligence work.”27

Despite the 2015 US-China Cyber Agreement, claims of Chinese hacking continue.28 According to the US-China Economic and Security Review Commission 2016 Annual Report to Congress:

“Although the number of incidents of Chinese cyber espionage detected by FireEye [a US cybersecurity firm] has declined, this likely reflects a shift within China away from prolific amateur attacks toward more centralized, professionalized, and sophisticated attacks by a smaller number of actors, rather than a trend toward the cessation of Chinese cyber espionage.”

To sum up, it is evident that China’s use of cyber espionage is consistent with one of its primary strategic objectives: economic hegemony and security. Although tools of state power are undoubtedly utilized, China continues to utilize foreign entities and private corporations as a means to collect intelligence through cyber espionage. This approach has given Beijing greater flexibility, and has provided the CCP with plausible deniability – an assertion that has come under increasing scrutiny over past years.

Sergey Dzyuba/Alamy Stock Photo H2HDD0

Saint Basil Cathedral at sunrise in Moscow, Russia.

Russia
The first known cyber espionage operation engineered by Moscow against the US dates back to 1986. A hacker called ‘Hunter’ was caught trying to break into computer systems at the Anniston Army Depot in Alabama to extract information from the US Army Redstone Rocket test site on US missile tests related to President Reagan’s Strategic Defense Initiative, nicknamed ‘Star Wars.’29 Since then, the Russians have developed significant capabilities in the information domain, and cyber espionage has played an important role in acquiring information to feed Moscow’s strategic priorities across the globe. Russia considers cyber espionage as a subcomponent of its broader INFOWAR objectives and geopolitical goals in its near-abroad and beyond.

Except when referring to Western interpretations, the Russians generally do not use the terms cyber or cyberwarfare. Rather, they tend to conceptualize it within the broader rubric of INFOWAR by referring to it as informatsionnaya voyna, or informatization. The holistic concept of informatization, as employed by Russian military theorists, includes computer network exploitation (CNE), electronic warfare (EW), psychological operations (PSYOPS) and information operations (INFO OPS).30 On Russia’s hybrid warfare strategy, Chief of the General Staff of the Russian Federation Armed Forces Valery Gerasimov noted:

“In [the] twenty-first century we have seen a tendency toward blurring the lines between the states of war and peace. Wars are no longer declared and, having begun, proceed according to an unfamiliar template.”31

The use of proxy groups to collect intelligence through cyber espionage has been a signature element of Russian President Vladimir Putin’s modus operandi in recent years. A 2014 FireEye report on the cyber espionage group Advanced Persistent Threat (APT) 28, a suspected Russian-backed entity, concludes that, unlike Chinese groups, it does not “appear to conduct widespread intellectual property theft for economic gain.”32 In fact, the cyber security firm claims that APT28 is likely comprised of a skilled team of developers and operators “…collecting intelligence on defence and geopolitical issues – intelligence that would only be useful to a government.”33 The report further notes that the group’s targets align with the interests of the Russian government – the Caucasus, Eastern European governments and militaries, and specific security organizations. For instance, APT28 collected intelligence about Georgia’s security and political dynamics by targeting officials working for the Ministry of Internal Affairs and the Ministry of Defence during the 2008 war.34

Further, cyber espionage has been central to Putin’s strategy in Ukraine. As noted by FireEye’s Jen Weedon, Russia’s broader computer network operations are “tools to be integrated into broader efforts to maintain political and military dominance in a given theatre and, more broadly, in the domestic and global courts of public opinion.”35 Among a myriad of other entities collecting intelligence through cyber directly and indirectly for Moscow, APT29 is reportedly one of the more sophisticated and highly capable groups. It is known to target entities in order to steal intelligence closely linked to Russian geopolitical interests and priorities.36 Recent targets have included Western governments, international security and legal institutions, think tanks and educational institutions. APT29 uses different methods, such as obtaining commands via images containing hidden and encrypted data, against high-value networks, not only to steal information, but also to maintain persistent access to the victim’s environment.37

Sueddeutsche Zeitung Photo/Alamy Stock Photo DYW266

Russian President Vladimir Putin.

Russia’s cyber espionage activities go beyond targeting former Soviet bloc states. To cite a few examples, Norway, Denmark, the Netherlands and Italy have accused Russia of advanced cyber espionage. German intelligence officials have also accused the Russians of hacking into government computer networks, as well as those of national energy firms. As noted in a study on Russian cyber strategies written for the European Union Institute for Security Studies, “the most serious risk that emanates from these activities is not so much the theft or loss of digital information but rather the fact that it can be manipulated.” Moreover, “manipulation of such data compromises its integrity – the validity of the information can no longer be trusted.”38 Further to this point, the data obtained through Russian cyber espionage often feeds the compromising material released ahead of important political or sporting events. For instance, in the midst of an investigation into its own athletes in 2016, Russian hackers released the medical records of Western athletes stolen from the World Anti-Doping Agency.39 The Kremlin is unique in this sense – no other major cyber player seeks to integrate, to such a great extent, information stolen through cyber espionage into targeted INFOWAR campaigns to influence, disrupt or discredit high-profile entities – no case study illustrates this better than Russia’s attacks on the 2016 US Presidential election.

A declassified version of a highly classified DNI assessment states in plain terms that “Russia’s intelligence services conducted cyber operations against targets associated with the 2016 US presidential election, including targets associated with both major US political parties.”40 The report further describes that Russian intelligence services “collected against the US primary campaigns, think tanks, and lobbying groups they viewed as likely to shape future US policies.”41 The Russians first breached the networks of the Democratic National Committee (DNC) in 2015 and maintained access until at least 2016. In fact, the General Staff Main Intelligence Directorate (GRU), Moscow’s military intelligence organization, likely had access to personal e-mail accounts of Democratic Party officials and political figures, which it used to extract large volumes of data from the DNC.42 Russian interference in the 2016 election is a case in point that demonstrates the intent to use cyber espionage as a tool within the broader context of Putin’s ongoing INFOWAR campaign against the West.

To sum up, the ways in which Moscow has used APTs and other means to conduct targeted cyber espionage efforts against its near abroad and beyond demonstrate its tendency to consider cyber and cyber-enabled spying as a tool within its broader and more focused INFOWAR toolbox.

Arthur Greenberg/Alamy Stock Photo FYCMW9

Tehran, Iran skyline with snowcapped Alborz mountains beyond.

Iran
As a central tool of its statecraft, Tehran has used cyber espionage, much as it uses proxies, to project regional power, for state control, and as a retaliatory tool, particularly against the US, Israel and Saudi Arabia. Industrial computer security firm MalCrawler conducted an experiment in 2016 in which it created an elaborate network to observe the actions and assess the intentions of malicious cyber entities – it concluded that hackers from different countries exhibited different behaviours. Russians penetrated systems, “mapping them and implanting hard-to-find backdoor access for potential future use.” Chinese-based hackers maintained a database of “anything that looked like novel technical information.” In contrast, Iranian hackers sought to do “as much damage as possible.”43

A Carnegie report on Iranian cyber capabilities highlights that “perhaps more than any government in the world, the Islamic Republic of Iran has been the target of uniquely destructive cyber attacks by the United States and its allies.”44 Among attacks against Iran, Stuxnet stands out as the most publicized and the most destructive. Stuxnet, a sophisticated computer worm developed through the alleged US-Israeli Olympic Games project and first discovered in 2010, infected the control system of Iran’s nuclear enrichment plant at Natanz and temporarily disabled 1,000 of the 5,000 centrifuges there, effectively stalling the Islamic Republic’s nuclear program by one year.45 In response, Iran accelerated its pursuit of offensive cyber capabilities, including intelligence collection through cyber espionage.46 In fact, shortly after Stuxnet was revealed, Iran launched a series of cyber attacks against Saudi Arabia and the US with “…the aim of destroying data and manipulating machinery such as oil pipelines.”47 Iran’s primary target was Saudi Aramco, a Saudi-based hydrocarbon giant, and the attack spread to 30,000 workstations. Despite the attack being contained because of the closed network, in 2012, US Secretary of Defense Leon Panetta would go on to declare it to be “…the most destructive cyber assault the private sector has seen to date.”48 In recent years, Tehran has demonstrated significant capabilities as a threat actor in cyber space but little attention has been paid to its growing cyber espionage efforts. In a paper written on Iranian cyber espionage, American cybersecurity authority Jason Spataro highlights that Tehran’s “…notoriety for destructive cyberattacks has overshadowed its vast cyber espionage campaigns, the likes of which currently spans nearly every industry sector and extends well beyond regional conflicts in the Middle East.”49

In 2015, before the House Permanent Select Committee on Intelligence, then-DNI James Clapper testified on Iran, and stated that the Islamic Republic “views its cyber program as one of many tools for carrying out asymmetric but proportional retaliation against political foes.”50 Offensive cyber operations, including web-based espionage, have become core tools of Iranian statecraft – they provide Tehran “less risky opportunities to gather information and retaliate against perceived enemies at home and abroad.”51 For instance, at the direction of the Islamic Revolutionary Guard Corps (IRGC), between 2013 and 2017, Iranian hackers infiltrated hundreds of universities, companies and government agencies in the US and around the world. In total, it is estimated that they stole more than 30 terabytes of academic data and intellectual property.52 However, successful cases of Iranian intrusions into US and European governmental infrastructure are rare – government department networks are typically hardened beyond the capabilities of Iranian threat actors. Through spear phishing attempts at the personal email and social media accounts of US government employees, Tehran has sought softer US targets that often contain useful and highly private material.53 For instance, Iranians attempted to compromise the personal emails of members of the American delegation during the nuclear negotiations. They further focused their efforts on Obama’s former staff, Republican members of Congress, supporters of Donald Trump’s campaign, and conservative media organizations following the 2016 US presidential election.54

Tehran has also used cyber espionage to gather intelligence about its often politically unstable neighbours. Among the targets of Iranian cyber spying efforts have been Afghanistan’s National Radio, Ministry of Education and government networks, and fake social media profiles and spear phishing campaigns have targeted Iraqi engineers within telecommunications networks and political elites.55 Many of Iran’s current regional engagements via proxy forces have been linked to cyber espionage efforts. For instance, in 2015, the Israeli cybersecurity firm ClearSky found that 11 percent of the targets of one Iranian credential theft campaign, named Rocket Kitten, were connected to Yemen – in fact, recent Tehran-linked attempts are known to have targeted prominent critics of the Houthis.56

Kremlin Pool/Alamy Stock Photo F73A07

Iranian President Hassan Rouhani during a joint press conference.

Among the series of suspected cyber espionage groups linked to Iran, the Ajax Security Team has attracted much attention, since it has evolved into a more sophisticated and stealthier malware-based espionage entity following the discovery of Stuxnet. Operation Saffron Rose was the name given to the team’s targeted campaigns against companies in the defence industrial base (DIB) within the US, as well as local Iranian users of anti-censorship technologies that bypass Iran’s internet filtering system.57 The Ajax Security Team is known to employ a variety of methods to collect intelligence on its targets, including spear phishing and credential phishing. A 2013 FireEye report highlights that although the direct relationship between groups like the Ajax Security Team and the Iranian government is unconfirmed, “their activities appear to align with Iranian government political objectives.”58 Tehran is also known to use cyber spying as a tool for state control. In fact, the largest concentration of Saffron Rose victims is in Iran. FireEye assesses that attackers “disguised malware as anti-censorship tools in order to target the users of such tools inside Iran as well as Iranian dissidents outside the country.”59

In conclusion, Iran continues to use cyber espionage as a tool largely congruent with its approach to internal and external affairs. Suppression of internal dissent, regional asymmetric war through proxies and retaliatory measures short of war are themes reflected both in Tehran’s use of cyber spying and in its broader strategic and geopolitical approach to the world.

jackie ellis/Alamy Stock Photo PRDEX2

Aerial view of Pyongyang, North Korea.

North Korea

North Korea’s approach to cyber can be summed up in Kim Jong Un’s alleged words: “Cyber warfare, along with nuclear weapons and missiles, is an ‘all-purpose sword’ that guarantees our military’s capability to strike relentlessly.”60 In April 2014, then-Commander of the United Nations Command and the Republic of Korea Combined Forces General Curtis M. Scaparrotti, offered the following assessment:

“North Korea employs computer hackers capable of conducting open-source intelligence collection, cyber-espionage, and disruptive cyber-attacks. Several attacks on South Korea’s banking institutions over the past few years have been attributed to North Korea. Cyber warfare is an important asymmetric dimension of conflict that North Korea will probably continue to emphasize—in part because of its deniability and low relative costs.”61

This part of the article will examine the Democratic People’s Republic of Korea’s (DPRK) use of cyber espionage, and will demonstrate how it reflects its broader focus on regime survival and upon disrupting regional foes, particularly the US and South Korea.

ITAR-TASS News/Alamy Stock Photo T5GH6R

North Korean leader Kim Jong Un.

The DPRK has one of the smallest internet presences in the world, with the bulk of its limited access being routed through China.62 Internet usage is heavily monitored by the regime, and is largely limited to government and military officials. Despite such restrictions, North Korea’s hacking competence has become as dreaded as its nuclear arsenal.63 The Hermit Kingdom’s cyber capabilities began proliferating in the late-2000s, when it started conducting cyber espionage against South Korea. The US Department of Defense highlights cyber as a primary means of North Korean intelligence collection efforts, with a focus upon three primary targets: South Korea, the US and Japan.64

The Republic of Korea (South Korea) has been contending with cyber threats from the DPRK for years. The best known and most destructive was the April 2013 attack known as Dark Seoul, and now known as Operation Troy. In his technical paper detailing the incident, David M. Martin explains that “…while the attack was initially believed to be the work of hacktivists, malware researchers discovered it was actually the outgrowth of a multi-year cyber-espionage campaign waged by the North Korean government.”65 The malware rendered tens of thousands of computers in the South Korean media and financial services sectors inoperable.66 A white paper produced by the internet security giant McAfee concludes that both the Dark Seoul and other government attacks are connected to a secret, long term campaign to spy and disrupt South Korea’s military and government activities.67 In fact, the Dark Seoul attacks occurred at a time when American and South Korean military forces were conducting a major exercise. South Korean officials claim that the DPRK has conducted more than 6,000 cyberattacks between 2010 and 2017, costing nearly $650 billion in repairs and economic losses.68 Operation Troy demonstrates North Korea’s prolonged commitment to utilizing cyber to spy upon its main regional adversary, South Korea, in order to gain a military and economic advantage.

A little over a year after the world witnessed Dark Seoul, an emboldened Pyongyang used similar destructive capabilities against a well-known US-based company. On the morning of 24 November 2014, a gang of hackers calling themselves “Guardians of Peace” hacked Sony Pictures’ networks, effectively destroying three thousand computers and eight hundred servers. They also carted off more than one hundred terabytes of data – much of which was sent to tabloids and eventually to the mainstream press. This information included executive salaries, emails, digital copies of unreleased films, and the Social Security numbers of 47,000 actors, contractors and employees.69 All of this, allegedly, was in response to Sony’s planned release of an upcoming film, “The Interview,” a comedy depicting a plot to assassinate Kim Jong Un. The FBI attributed the attacks to Pyongyang following technical analysis that revealed links to other malware attributed to the Hermit Kingdom’s government. The Sony hack is a clear case, and it points to North Korea’s use of cyber to collect sensitive information, which would later be disclosed as a retaliatory measure, in order to strike back in the face of a threat to the regime’s credibility.

To sum up, as demonstrated in the Dark Seoul case study, cyber espionage has provided and continues to provide Pyongyang with critical intelligence on its adversaries. There is no doubt that one of Kim’s primary geopolitical goals is the survival and the maintenance of the credibility of his regime. The Sony hacks clearly demonstrate the lengths to which the DPRK was willing to go, using cyber spying and attacks, in an attempt to maintain Kim’s image. Similar to other Big Four actors, North Korea views its cyber espionage capabilities as a retaliatory tool, and one needed to ensure regime survival.


Conclusion

The evolution of the cyber domain has ushered in significant changes to every facet of society. The development of new capabilities in cyberspace has further changed the landscape of intelligence and the way in which it is conducted. Cyber has provided a medium for countries, particularly those discussed in this article, to collect information and conduct attacks without fear of significant repercussions – an unplanned immunity that is quickly disappearing. Arguably, it has altered the face of warfare entirely – countries are now in a perpetual state of direct competition through cyberspace. As John Carlin notes in his book, at the beginning of the Obama administration the US government had never publicly accused a foreign nation of cyber intrusions. Within eight years, the US had publicly pointed fingers at what it considered the country’s four major foreign threats online: Chinese hackers for industrial espionage, Iranian hackers for disruptive attacks, North Korea for hacking Sony and Russia for interfering with the 2016 Presidential election.70 This article has identified clear parallels between the use of cyber espionage and the geopolitical interests and historical approaches to intelligence and warfare of the Big Four. Whether cyber spying is used as a tool for intellectual property theft or as a means to collect intelligence on a foreign nuclear weapons program, one thing is certain: as the world becomes increasingly connected, the threat will continue to grow. Therefore, the onus is upon governments, industries, and individuals alike to work together to establish order and norms regulating the ‘digital wild west’ that is the cyber domain.

B Christopher/Alamy Stock Photo F7FYKB

Assistant Attorney General for National Security John Carlin speaking on the Security and Cyber Threat Landscape.


  1. John P. Carlin, Dawn of the Code War: America’s Battle against Russia, China, and the Rising Global Cyber Threat (New York: Public Affairs, 2019), p. 51.
  2. David E. Sanger, The Perfect Weapon: War, Sabotage and Fear in the Cyber Age (New York: Broadway Books, 2019), p. 18.
  3. Office of the Director of National Intelligence, Annual Threat Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence, 2 Feb 2010, p. 2.
  4. Office of the Director of National Intelligence, Annual Threat Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence, 12 Feb 2009, p. 5.
  5. Ibid.
  6. Security Service MI5, at: (accessed 23 July 2019).
  7. David Weissbrodt, “Cyber-Conflict, Cyber-Crime, and Cyber Espionage,” University of Minnesota Law School Scholarship Repository, No. 347 (2013), p. 354.
  8. Michael Warner, “Intelligence in Cyber - and Cyber in Intelligence,” in Understanding Cyber Conflict: Fourteen Analogies, George Perkovich and Ariel E. Levite (eds.), (Washington DC: Georgetown University Press, November 2017), p. 18.
  9. Warner, “Intelligence in Cyber - and Cyber in Intelligence,” p. 20.
  10. Weissbrodt, “Cyber-Conflict, Cyber-Crime, and Cyber Espionage,” p. 354.
  11. Malicious software (malware) infects computers through infected emails (phishing) or websites, modifying programs to carry out functions that were not originally intended. Unauthorized remote intrusions occur when the attacker is able to access a computer through account names and/or passwords, and is then able to disrupt the computer and the data within it. DoS attacks overwhelm the targeted computer system with requests and information until it ceases to function, thereby denying access to legitimate users. Weissbrodt, “Cyber-Conflict, Cyber-Crime, and Cyber Espionage,” p. 355.
  12. William C. Banks, “Cyber Espionage and Electronic Surveillance: Beyond the Media Coverage,” Emory Law Journal 66, No. 3 (2017), p. 513.
  13. Nigel Inkster, “Cyber Espionage,” Adelphi Series 55, No. 456 (2015), p. 51.
  14. Inkster, “Cyber Espionage,” p. 51.
  15. Jack Deoliveira, “Chinese Cyber Espionage and Information Warfare,” in Small Wars Journal (accessed 23 July 2019).
  16. Jonathan Marcus, “US accuses China Government and military of cyber-spying,” BBC News, 7 May 2013 (accessed 23 July 2019).
  17. Fred Kaplan, Dark Territory: The Secret History of Cyber War (New York: Simon & Schuster, 2016), p. 228.
  18. Inkster, “Cyber Espionage,” p. 51.
  19. Zack Cooper, Understanding the Chinese Communist Party’s Approach to Cyber-Enabled Economic Warfare (Washington DC: FDD Press, 2018), p. 8.
  20. Cooper, Understanding the Chinese Communist Party’s Approach to Cyber-Enabled Economic Warfare, p. 7.
  21. Department of Defense, Assessment on US Defence Implications of China’s Expanding Global Access, December 2018, p. 15.
  22. White House Office of Trade and Manufacturing Policy, How China’s Economic Aggression Threatens the Technologies and Intellectual Property of the United States and the World, June 2018, p. 3.
  23. Cooper, Understanding the Chinese Communist Party’s Approach to Cyber-Enabled Economic Warfare, p. 6.
  24. White House Office of Trade and Manufacturing Policy, How China’s Economic Aggression Threatens the Technologies and Intellectual Property of the United States and the World, June 2018, p. 3.
  25. Deoliveira, “Chinese Cyber Espionage and Information Warfare.”
  26. Inkster, “Cyber Espionage,” p. 67.
  27. Michael Shoebridge, Commentary: Chinese Cyber Espionage and the National Security Risks Huawei Poses to 5G Networks (Ottawa: Macdonald-Laurier Institute, November 2018), p. 2.
  28. White House Office of Trade and Manufacturing Policy, How China’s Economic Aggression Threatens the Technologies and Intellectual Property of the United States and the World, June 2018, p. 4.
  29. Nicu Popescu and Stanislav Secrieru, “Hacks, leaks and disruptions: Russian cyber strategies,” Chaillot Papers, No. 148 (October 2018), p. 9.
  30. Michael Connell and Sarah Vogler, Russia’s Approach to Cyber Warfare (Arlington, VA: Center for Naval Analyses, 2016), p. 2.
  31. Sanger, The Perfect Weapon, p. 152.
  32. FireEye, APT 28: A Window into Russia’s Cyber Espionage Operations? (Milpitas CA: FireEye, 2014), p. 3.
  33. Ibid.
  34. Ibid., p. 6.
  35. Jen Weedon, “Beyond Cyber War: Russia’s Use of Strategic Cyber Espionage and Information Operations in Ukraine,” in Cyber War in Perspective: Russian Aggression against Ukraine, Kenneth Geers (ed.), (Tallinn: NATO CCD COE Publications, 2015), p. 68.
  36. Weedon, “Beyond Cyber War,” p. 68.
  37. Ibid., p. 71.
  38. Popescu and Secrieru, “Hacks, leaks and disruptions: Russian cyber strategies,” p. 69.
  39. Ibid., p. 117.
  40. Office of the Director of National Intelligence, Background to “Assessing Russian Activities and Intentions in Recent US Elections”: The Analytic Process of Cyber Incident Attribution, 6 January 2017, p. ii.
  41. Ibid., p. 2.
  42. Ibid.
  43. Annie Fixler and Frank Cilluffo, Evolving Menace: Iran’s Use of Cyber-Enabled Economic Warfare (Washington DC: FDD Press, 2018), p. 6.
  44. Collin Anderson and Karim Sadjadpour, Iran’s Cyber Threat: Espionage, Sabotage and Revenge (Washington DC: Carnegie Endowment for International Peace, 2018), p. 5.
  45. Robert Axelrod and Rumen Iliev, “Timing of cyber conflict,” Proceedings of the National Academy of Sciences of the United States of America 111, No. 4 (28 January 2014), p. 1300.
  46. Fixler and Cilluffo, Evolving Menace, p. 6.
  47. Axelrod and Iliev, “Timing of cyber conflict,” p. 1300.
  48. Ibid.
  49. Jason G. Spataro, “Iranian Cyber Espionage” (Master of Science in Cyber Security dissertation submitted to the Faculty of Utica College, 2019), p. 2.
  50. James Clapper, “Statement for the Record: Worldwide Cyber Threats,” Hearing before the House Permanent Select Committee on Intelligence, 10 September 2015, p. 4.
  51. Anderson and Sadjadpour, Iran’s Cyber Threat, p. 1.
  52. Fixler and Cilluffo, Evolving Menace, p. 25.
  53. Anderson and Sadjadpour, Iran’s Cyber Threat, p. 31.
  54. Ibid.
  55. Ibid., p. 36.
  56. Anderson and Sadjadpour, Iran’s Cyber Threat, p. 36.
  57. Nart Villeneuve, Ned Moran, Thoufique Haq and Mike Scott, Operation Saffron Rose (Milpitas CA: FireEye, 2014), p. 2.
  58. Villeneuve et al., Operation Saffron Rose, p. 19.
  59. Ibid., p. 15.
  60. Mathew Ha and David Maxwell, Kim Jong Un’s “All Purpose Sword”: North Korean Cyber Enabled Economic Warfare (Washington DC: FDD, 2018), p. 8.
  61. U.S. Congress, House Committee on Armed Services, Statement of General Curtis M. Scaparrotti, Commander, United Nations Command; Commander, United States-Republic of Korea Combined Forces Command; Commander, United States Forces Korea, 113th Congress, 2nd session, 2 April 2014, at:
  62. Emma Chanlett-Avery, Liana W. Rosen, John W. Rollins and Catherine A. Theohary, North Korean Cyber Capabilities: In Brief (Washington DC: Congressional Research Service, August 2017), p. 1.
  63. Dylan Stent, “The Great Cyber Game,” New Zealand International Review 43, No. 5 (Sept 2018), p. 1.
  64. Ibid.
  65. David M. Martin, “Tracing the Lineage of DarkSeoul,” Global Information Assurance Certification Paper (accepted 11/20/15), p. 1.
  66. Ibid., p. 2.
  67. Ryan Sherstobitoff, Itai Liba and James Walter, Dissecting Operation Troy: Cyber Espionage in South Korea (Santa Clara CA: McAfee, 2018), p. 26.
  68. Chanlett-Avery, Rosen, Rollins and Theohary, North Korean Cyber Capabilities: In Brief, p. 8.
  69. Kaplan, Dark Territory, p. 268.
  70. Carlin, Dawn of the Code War, p. 66.