When Lazarus, the notorious North Korean hacker group, needs help, it knows where to turn. Whether it wants to find a place to station hackers, hire money launderers to funnel stolen money from cyber attacks, or even link up to the internet within North Korea, the cybercriminal group looks to its trusty accomplice: China.
Lazarus is not alone. China has emerged in recent decades as a critical enabler of North Korea’s cyber operations, which include hacks of Japan’s Sony Entertainment in 2014 and the Bangladesh central bank in 2016, as well as the WannaCry 2.0 attack, which crippled global computer systems in 2017. Even though this assistance is not all explicitly state-sanctioned, experts say the Chinese authorities have displayed little willingness to crack down on North Korea’s activities.
For the U.S. government, China’s role in these attacks is a concern. “North Korea’s malicious activity, including the theft of millions of dollars, is outlier activity for a nation state,” says Adam Hickey, deputy assistant attorney general for the Department of Justice’s National Security Division. “By permitting it to occur, and not cracking down on it, China endangers not only the U.S., but the world.”
As North Korea’s closest ally and biggest trading partner, China often plays the role of benefactor for its smaller neighbor, frequently evading international sanctions in the process. “North Korea, ranging from its economic performance to their hacking operations, would be significantly impacted if China stopped helping them,” says Jason Bartlett, a researcher at the Center for a New American Security who recently published a report on North Korean hacking. “One of the reasons why North Korea can continue to exist is China.” And while other countries, such as Russia, also assist North Korea’s hacks, Bartlett says China remains its most important facilitator.
China’s assistance starts at the most basic level, with linking North Korea to the internet. In 2010, China Unicom, a state-owned telecommunications company, built the first fiber-optic cable into the country, allowing North Koreans — including hackers — to connect to the web more easily. In 2017, a Russian company built a supplementary cable, but the Unicom cable remains vital to North Korea’s telecoms infrastructure.
China also provides a useful venue for North Korean hackers to be stationed. Three North Korean hackers charged by the Justice Department with participating in both the WannaCry 2.0 and Sony hacks had allegedly operated out of China at various points, according to a federal indictment. One of the indicted men, Park Jin Hyok, reportedly worked for a few years in Dalian — a Chinese city near the border with North Korea. His employer at the time he was in China, Chosun Expo Joint Venture, was a North Korean company affiliated with the country’s military intelligence, according to another Justice Department indictment. There have also been reports that North Korean hackers have worked out of hotels in Shenyang, another Chinese city across the border.
“Operating from China would give them [the hackers] resources that they don’t have access to in North Korea, either because of the power grid, or better linkage to the external internet,” says Ken Gause, a North Korea expert and the adversary analytics program director at CNA, a federally funded research organization. Plus, it adds another layer of obfuscation, making it harder for researchers and governments to trace the hack back to North Korea.
In response to allegations of Chinese involvement in such cases, a spokesperson for the Chinese embassy in Washington, D.C., quoted in a recent Reuters report, said he was unaware of the situation, and that the “Chinese government is a staunch defender of cyber security and firmly opposes and fights all forms of cyber attacks and crimes in accordance with law.”
North Korean students also study abroad at top Chinese universities. In 2016, the last year China provided data on this, over 1,800 North Korean students were enrolled at Chinese universities. Many of the experts interviewed for this story raised the risk that at least some of those students could be receiving advanced technological training in China, although the scale of such activity isn’t known for sure.
Many North Korean cyber operations are financially motivated and involve the theft of money from banks or cryptocurrency exchanges. Once hacks are completed, the next step is to launder the extracted funds back into North Korea. Jesse Spiro, chief government affairs officer for Chainalysis, which investigates cryptocurrency-related crime, says, “North Korea is cut off from the global financial system so they have to launder in other jurisdictions to gain access to liquidity.”
Chinese nationals often assist in this task as well, using the Chinese financial system. Last March, for example, two Chinese nationals were charged by the Justice Department with allegedly laundering $100 million from a North Korean cryptocurrency exchange hack through nine Chinese banks.
Given the Chinese government’s tight control over its domestic internet, the Justice Department’s Hickey says that it cannot credibly claim it doesn’t know about North Korea’s illicit activity. “With the Great Firewall, China has a lot of visibility of what is going on in the internet,” says Hickey. “If they wanted to shut it down, they could, certainly better than the U.S. could.”
China has little incentive to do so, however, partly because it doesn’t suffer directly from North Korean hacking, and also because of its broader aim to maintain the stability of the regime in Pyongyang. “What would the Chinese get by clamping down?” asks James Lewis, senior vice president and director of the strategic technologies program at the Center for Strategic and International Studies, the Washington, D.C.-based think tank. “They would get to be good global citizens? They don’t care. If North Korea started hacking Chinese businesses, maybe then they would stop them.”
China doesn’t always approve of North Korean hacking operations, Lewis adds. “I have talked to Chinese officials about this,” he says. “North Korea is like a pet, where you never know whether they will turn around and bite you. It is an uncomfortable relationship. But it is not in their interests to stop them.”
Many analysts fear that without a fundamental shift in the North Korea-China relationship, China isn’t likely to stop enabling North Korea’s cyber agenda. And the U.S. doesn’t have many levers to pull to make China change course, especially given the long laundry list of other pressing issues in the U.S.-China relationship.
“We are not in a great position to push them to crack down bilaterally,” says Priscilla Moriuchi, a fellow at Harvard’s Belfer Center for Science and International Affairs who researches the North Korean cyber threat. But in the absence of a broader solution, Moriuchi says the U.S. should be drawing more attention to China’s role in North Korea’s cybercrime.
“Largely, China has been able to get away with benign neglect, because they haven’t been held responsible,” says Moriuchi. “As long as we are exempting them, we shouldn’t expect them to crack down on this.”
Katrina Northrop is a journalist based in New York. Her work has been published in The New York Times, The Atlantic, The Providence Journal, and SupChina. @NorthropKatrina