The United Kingdom (UK) and South Korea (Republic of Korea or ROK) are preparing for the next iteration of their bilateral Cyber Dialogue, to be held in the first half of 2026. The meeting will seek to reaffirm their commitment to the UK-ROK Strategic Cyber Partnership and enhance cooperation between the two countries on cyber security issues.
One decisive question, however, remains: what does impactful collaboration look like when partners confront different adversaries? Can cooperation be effective if partners do not prioritise the same threat actor?
Evidence of growing alignment between North Korea and Russia in cyberspace sharpens this dilemma. As Pyongyang and Moscow deepen coordination, threat landscapes that once appeared regionally distinct are becoming increasingly intertwined. In this context, London and Seoul should expand joint efforts to identify, analyse and mitigate shared risks. If adversaries are converging in the cyber domain, allied responses must be equally integrated, structured and forward-leaning.
Who are the UK and South Korea’s Main Threats in cyberspace?
North Korea is the primary threat to South Korea’s national security. The Kim regime threatens the South with its nuclear arsenal and conducts diverse hybrid threat activity against its neighbour.
This holds too for cyberspace. South Korea’s National Intelligence Service found in 2023 that 80 percent of cyberattacks against public sector networks are linked to North Korea, approximately 1.3 million a day. Moreover, North Korea linked actors conduct regular cyberattacks against critical infrastructure in the South, such as the Incheon Airport, South Korea’s largest commercial airport, as part of wider disruption activities.
More widely, North Korean actors conduct cybercriminal activities to raise revenue, much of which is channelled into ballistic missile and nuclear programs. In 2024, North Korean cyber criminals were estimated to have stolen USD $1.34 billion through cryptocurrency hacks; conducting sophisticated operations against high-value targets, such as the Japanese crypto exchange DMM Bitcoin.
North Korean cyber threat actors have been so successful that US officials have described them as “the world’s leading bank robbers.” These revenues directly fund efforts to threaten the South and are therefore priority concerns.
Any cyber security collaboration with South Korea must acknowledge a threat landscape where North Korea looms large.
In the UK, however, the cyber threat environment looks very different. The UK Strategic Defence Review 2025 confirmed a clear emphasis on Russia and NATO, prioritizing European security and reducing focus on the Indo-Pacific compared with previous UK strategies.
In cyberspace, China and Russia are viewed as the UK’s priority adversaries. China is seen as a longer-term strategic threat, illustrated by recent revelations about Salt and Volt Typhoon operations. Meanwhile, Russia presents imminent cyber threats, particularly from state-linked ransomware targeting UK businesses. Russia’s threat is “acute and globally pervasive” and exacerbated by its hybrid warfare strategy targeting the UK and NATO allies.
Though Russia and China take centre stage, Iran and North Korea are also part of the UK’s ‘big four.’ North Korea is regularly named, but is often bundled with other threat actors. One exception is the 2023 UK-South Korea joint technical advisory that identified North Korean state-linked actors targeting software supply chains. Nevertheless, this is an exception, not the rule.
Research by the Royal United Service’s Institute (RUSI) on the UK-ROK Cyber Partnership finds that while each country has different drivers and motivations for cooperation, these are not all threat actor specific. Common interests and a desire to enhance collaboration exist across threat intelligence sharing, active cyber defence and AI as well as other emerging technologies.
Counteracting Adversary Cooperation is Key for the UK and South Korea
Increasing coordination by Russia and North Korea reinforces a view that the UK and South Korea should not limit their focus to their own back yards. Adversaries’ activities are converging and presenting amplified threats.
In June 2024, Kim Jong Un and Vladimir Putin signed a comprehensive strategic partnership treaty aimed at enhancing bilateral ties, including across technology and defence. The impact has already been seen with North Korean troops and shells provided to the Russian military in Ukraine. Additional support has included sending workers to Russian arms manufacturers and giving access to weapons stockpiles. In exchange, Russia has supplied North Korea with food and fuel as well as supporting military modernisation efforts across fighter jets, reconnaissance satellites, and ballistic missiles—highly sensitive capabilities.
Compared with kinetic capabilities, open-source evidence documenting Russia-North Korea cooperation on cyber is patchier. Despite this, many observers have argued it is increasingly likely given provisions within their strategic partnership focused on technologies, information communication technology (ICT) and information security.
One example, observed by Microsoft, is Moonstone Sleet, a North Korean state-linked hacking group, becoming an affiliate of Russian Ransomware-as-a-Service group Qilin. Bitdefender links this partnership to a massive increase in ransomware attacks on South Korea at the end of 2025, with the country becoming the second most targeted based on their monitoring—typically it does not rank among the top five.
Another example, identified by Gen Digital, reports early insights that Russian and North Korean groups may be operating on shared infrastructure. On July 24, 2025, Gen Digital identified an IP address associated with command-and-control infrastructure of Gamaredon, an alleged Russian-aligned threat actor linked by Security Service of Ukraine to Russia’s Federal Security Bureau (FSB). Four days later, the same server was observed hosting an obfuscated version of malware attributed to the Lazarus Group, a North Korean state-sponsored actor. While this is not categorical evidence of operational coordination between the groups, it suggests the potential reuse or sharing of infrastructure.
Neither of these examples offer incontrovertible evidence of large-scale Russia-North Korea operational cooperation. Nonetheless, they justify attention on the matter and reiterate the need for the UK and South Korea to have a more coordinated approach to counteract adversary cooperation. The UK-ROK Strategic Cyber Partnership provides a suitable mechanism to interrogate these connections.
Combatting Common Threats Can Drive Cooperation
Better understanding of Russian and North Korean strategic cyber and technology engagement offers a compelling narrative and powerful driver for UK-South Korea cooperation on threat. The UK and South Korea are uniquely well situated to monitor, gather, and analyse data on this issue and, if necessary, can effectively build understanding among allies and the public of this trend.
Examining Russian-North Korean cooperation in cyberspace must therefore be one of the priority areas for the new round of the Cyber Dialogue between the UK and South Korea if this is not already the case behind closed doors.
Reorienting the UK-ROK Strategic Cyber Partnership to Counteract Adversary Cooperation
Three areas of work would particularly benefit from a greater understanding of Russia-North Korea collaboration in cyberspace. Firstly, the UK and South Korea are committed to collaborating on deterrence, including through attributions. This is a key driver, particularly for the UK that highly values public attributions of cyber operations. However, South Korea so far has been more reluctant to conduct public attributions. A better understanding of where threat actors converge may impact how valuable a tool for deterrence attributions are to the UK and South Korea. If they are attributing joint activities of Russia and the DPRK, the political appetite to conduct an attribution may increase.
Secondly, South Korea and the UK each see one another as capable cyber powers with significant cyber threat intelligence capabilities. However, we understand from relevant officials that threat intelligence sharing between UK and South Korean stakeholders experiences obstacles, for example the lack of a General Security Agreement setting out the protection of classified information. Assuming efforts to mitigate these issues are already ongoing, they should nevertheless be redoubled—effective information sharing is critical to maintain understandings of adversary activity and plan effective countermeasures.
Thirdly, a better understanding of joint adversaries would further open the conversation to what a coordinated responsible offensive cyber power should look like in response to these threats. The UK has already publicly stated it conducts offensive cyber operations and has committed to doing so in a responsible way, including in line with domestic and international law but also additional principles it has set out in its Responsible Cyber Power in Practice document. South Korea’s 2024 cyber strategy clearly emphasises a shift towards proactive cyber defence and a more offensive posture for deterrence. RUSI’s research shows that there is appetite for further collaboration on offensive cyber operations, including on doctrinal questions that examine how these can be conducted in a responsible fashion.
The next iteration of the cyber dialogue between the UK and South Korea should assess these areas of cooperation and determine where joint activities can be expanded while appreciating each countries’ respective motivations. Acting early, while Russia-North Korea cooperation on cyber seems more a prospect than a reality, would be wise. If efforts are not already underway by intelligence agencies, they should get into gear.
Pia Hüsch and Joseph Jarnecki are the authors of a research paper by the Royal United Services Institute entitled Strengthening UK–South Korea Cyber Security Cooperation.