Cybersecurity best practice for North Korea watchers
North Korea watchers are targeted by foreign actors and by their own governments. In this space, cybersecurity is a practice, not a single technique.
Cybersecurity for the North Korea watcher is about adopting a disciplined, practice-based mindset. The threats faced by researchers in the field are persistent and highly tailored. Having a YubiKey and a password manager alone will not save you! You need to change the way you behave when using computers and phones. With the use of AI, phishing emails are becoming considerably more sophisticated and much more frequent.
The North Korea watcher community is relatively small and diverse, yet it is a high-profile target for threat actors. There are plenty of sites that track the most recent threats, but the methods and tools first used against the North Korea watcher community are usually only written up once they are turned on larger targets. As a North Korea watcher, expect a threat actor's methods and tools to be used on you before they are widely reported in the cybersecurity community.
In this environment, good cybersecurity is a matter of daily habits—of caution, compartmentalization, and conscious behavior. It’s about how you manage your identity, how you communicate, and how you think about trust online. Tools are only as effective as the practices behind them.
This post is hardly a thrilling, gripping or exciting read. It’s informative, and will be for some people out there, insightful. It was created in the interest of helping the community to phase in practices that will improve their cybersecurity. That being said, if you’re reading this on the subway or on the bus make sure you set an alarm because you will fall asleep and miss your stop!
Detailed below are practices to help maintain a secure research and communication workplace. This includes (1) maintaining a dedicated work environment; (2) maintaining password security; (3) using Virtual Machines; (4) maintaining email security; and (5) using Virtual Private Networks (VPNs). These practices are followed by the most important advice—keep up to date!
1. Maintaining a dedicated work environment
You’ve seen on TV those service personnel working in remote missile silos? Secluded, specialized, and absolutely unforgiving of mistakes. Just as no one would dream of bringing their personal phone or banking passbook into a nuclear command center, those who work on North Korea should not let their personal lives enter the space. Mixing personal and professional devices, logins, or browser sessions introduces unnecessary risk. Your analysis, contacts, and research deserve their own secure space—walled off from the casual vulnerabilities of daily digital life. You need a dedicated work environment.
Improving cybersecurity for North Korea watchers requires not just better tools, but structured discipline in how digital environments are separated and maintained. A “dedicated work environment” can be understood at three levels, each offering a different degree of isolation between professional and personal spheres to defend against phishing, malware, and surveillance.
Separate devices. At the most basic—but still highly effective—level, this approach involves maintaining a physically separate computer used exclusively for North Korea-related activity. On this machine, use a distinct email address (not your institutional or personal Gmail), a different social media account if needed for public commentary, and avoid mixing it with casual browsing, streaming, or unrelated communication. This makes it much harder for an attacker who gains access to, say, your personal inbox or Twitter DMs to pivot into your research files or contact network. Even something as simple as avoiding overlap in saved logins and autofill data can prevent inadvertent leaks or social engineering openings.
Qubes OS. For those who are more technically inclined or handling highly sensitive materials, a stronger option is to use a secure machine running Qubes OS—a security-focused, open-source operating system designed around isolation. Qubes runs your applications inside separate virtual machines (called “qubes”), one per workflow, meaning that even if malware infiltrates one environment—say, a PDF viewer—it cannot reach your browser, files, or communications in other qubes. You can create isolated workspaces for different tasks, such as viewing suspicious documents in a disposable qube, storing classified or embargoed research in an offline vault qube, and running your internet-connected email client in a separate qube. Qubes offers a powerful way to compartmentalize threats, but it comes with a learning curve and requires a dedicated device. Qubes can be downloaded at https://www.qubes-os.org.
Virtual Machines. For users who can’t fully commit to Qubes OS but still want strong separation, a more flexible middle ground is the disciplined use of Virtual Machines (VMs) on a standard operating system. One VM could be reserved exclusively for North Korea work—email, document editing, and communications—all isolated from your main system. Another VM might be used for research and browsing, while a third could handle social media or media production. A fourth VM can be dedicated to personal use—shopping, banking, entertainment. This approach limits cross-contamination between environments and makes it much harder for phishing payloads or spyware to leap across your digital life. It also allows for regular backups and snapshot restoration in case of compromise.
Each of these levels insulates your roles, contacts, and vulnerabilities from one another to a different degree. The key principle is the same: don’t let one breach expose everything. Whether through a second laptop, a hardened OS, or intelligently segmented virtual machines, a dedicated work environment isn't just about convenience—it’s about survival in an increasingly targeted digital battlefield. Compartmentalization is based on the idea that sooner or later, a threat actor will get through; you’re just limiting what they get.
The first two levels are probably overkill for many people. It is really hard to separate our digital personal and public lives. I mean, you built up your credibility with your name, and now you’re told to separate your work from that name? It’s pretty tough.
2. Maintaining password security
Use a reputable password manager to generate and store strong, unique passwords for every account. This eliminates the need to remember multiple complex passwords and drastically reduces the risk of reused or weak passwords being compromised.
Avoid using personal information or predictable patterns, and never store passwords in plain text or unsecured documents.
Enable multi-factor authentication (MFA) wherever possible for an added layer of security. Importantly, if you’re in South Korea, or anywhere where large breaches of telecommunications providers have occurred, it is better to use an MFA app rather than SMS authentication, because of the risk of SIM swapping.
Regularly review and update passwords, especially after a data breach or suspicious activity, and ensure your master password is both strong and memorable, as it safeguards access to your entire password vault.
3. Using Virtual Machines (VMs)
The most accessible approach is to use VMs on your current OS. So let’s go into what a VM actually is and how to set one up.
A VM is like a computer inside your computer. It runs as a separate window or program, but inside that window is a whole other operating system—like having a second desktop that’s completely cut off from your main one. You can use it to open files, browse the internet, or check email, but if something goes wrong—like a virus or phishing link—it stays trapped inside the VM and doesn’t affect your main system. It’s a way to safely test or do risky things without putting your real computer in danger.
It is difficult for malware to escape a VM. VMs provide strong protection by isolating risky activity—like opening suspicious emails or files—from your main system, making it difficult for malware to cause lasting damage. Most malware is trapped inside the VM and can't reach the rest of your computer.
In rare cases, advanced malware used by state-sponsored actors (including threat actors targeting North Korea watchers) can exploit vulnerabilities in the VM software itself to break out and infect the host system—this is known as a VM escape. These attacks are complex and uncommon, but they become far more likely if the VM software is outdated or misconfigured. More common than a true escape is a self-inflicted bridge: a shared folder, a shared clipboard, drag-and-drop or USB passthrough gives malware in the guest a path to the host without any exploit at all. To reduce risk, always keep the VM software updated, do not enable shared folders between VM and host OS, disable the shared clipboard and drag-and-drop, do not allow USB access, and don’t move files between the VM and host.
To reduce exposure to phishing, malware, and surveillance, it’s important not just to use a virtual machine (VM), but to use multiple VMs for different tasks. This guide walks you through creating a secure template VM, which you will then clone into separate, isolated environments—one for email, one for social media, one for research, one for analytical writing, and so on. This creates digital firewalls between your tasks.
Note: The following instructions were adapted from a ChatGPT query.
Step 1: Install VirtualBox
Visit the VirtualBox website (https://www.virtualbox.org/) and download the version for your host operating system (Windows, macOS, or Linux).
Install VirtualBox by running the downloaded file and following the prompts.
Step 2: Download a Linux Operating System (Ubuntu)
Go to Ubuntu’s official site (https://ubuntu.com/download/desktop).
Download the latest Ubuntu Desktop ISO file (this is the virtual installation disc).
Step 3: Create a secure Template VM
Open VirtualBox and click “New”.
Name this VM something like "VM_Template".
Set the type to Linux, and version to Ubuntu (64-bit).
Allocate at least 2048 MB of RAM (4096 MB is ideal if available).
Create a new virtual hard disk (20 GB or more), using VDI, dynamically allocated.
Once created, start the VM. When prompted, select the Ubuntu ISO you downloaded.
Step 4: Install Ubuntu inside Template VM
Follow the Ubuntu installer prompts:
Choose language, keyboard layout.
Choose Install Ubuntu.
Select Erase disk and install Ubuntu (this only affects the VM).
Create a username and a strong password.
Once installation completes, restart the VM. Remove the ISO when prompted.
Update the system.
Install any tools you’ll want on all VMs (e.g., LibreOffice, browser extensions, document viewers), but avoid linking any personal accounts at this stage.
Shut down the VM. This is now your clean, configured template.
Step 5: Clone the Template into Task-Specific VMs
In VirtualBox, right-click on VM_Template and choose Clone.
Name your new VM based on task, e.g.:
"VM_Email" – for reading and sending email only.
"VM_Research" – for browsing, downloading academic PDFs, visiting think tank sites.
"VM_Analysis" – for drafting reports, policy memos, or papers.
"VM_SocialMedia" – for posting or monitoring Twitter, YouTube, etc.
"VM_Personal" – for shopping, banking, and daily non-research tasks.
"VM_Disposable" – for opening questionable attachments or visiting questionable sites.
Choose Full Clone and make sure VirtualBox generates new MAC addresses for the clone’s network adapters (the “Reinitialize MAC address” option), so that the clones are not identical on the network.
Once cloned, start each VM and log in. You can now customize each:
Log into email only on VM_Email.
Use browser bookmarks and accounts only on VM_Research, and so on.
Step 6: Use VMs with discipline
Keep VMs isolated. Don’t move files or copy-paste across them unless absolutely necessary.
Do not use one VM for multiple tasks. That defeats the purpose of compartmentalization.
Use snapshots in VirtualBox to save the VM’s clean state before making risky changes.
Shut down VMs when not in use to reduce exposure.
Step 7: Create VM desktop shortcuts
Creating desktop shortcuts for each VM allows you to launch directly into the task-specific environment (e.g. “VM_Email” or “VM_Research”) with a single click.
The process differs depending on whether your host OS is Windows, macOS or Linux. In the VirtualBox Manager, right-clicking a VM offers “Create Shortcut on Desktop” (“Create Alias on Desktop” on macOS); if that is not available to you, the instructions for your host OS are easy to find, including by asking ChatGPT.
With shortcuts in place, switching between compartments is as easy as clicking an icon—just like you normally do to access the internet. This reinforces disciplined use and minimizes the temptation to mix tasks within a single VM.
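The same Step 3 to Step 7 procedure can be driven from VirtualBox’s command-line tool, VBoxManage, which makes the isolation settings explicit and repeatable for every clone. The script below is an added example for this post, not VirtualBox documentation or the post’s original instructions. It assumes VirtualBox 7.x flag spelling, an Ubuntu 64-bit guest, and placeholder names (VM_Template, the VM_ task names, the ISO path) that you would substitute; installing Ubuntu inside the template (Step 4) is still done interactively.

```shell
#!/bin/sh
# Added example (not from the original post): Steps 3 to 7 via VBoxManage.
# Assumptions: VirtualBox 7.x flag spelling, Ubuntu 64-bit guest, placeholder
# VM names and ISO path. Ubuntu is still installed interactively in Step 4.
set -eu

# Point VBOX at another command (e.g. VBOX=echo) to dry-run and review the
# exact VBoxManage invocations before touching anything.
VBOX="${VBOX:-VBoxManage}"
VM_DIR="${VM_DIR:-$HOME/VirtualBox VMs}"   # VirtualBox's default machine folder

vbox() { "$VBOX" "$@"; }

# The isolation settings the VM-escape caveat and Step 6 call for: no shared
# clipboard, no drag-and-drop, no USB passthrough. Shared folders are simply
# never added. Re-applied to every clone, because clones inherit the template's
# settings and a later GUI click could silently re-enable them.
harden_vm() {
    name="$1"
    vbox modifyvm "$name" --clipboard-mode disabled
    vbox modifyvm "$name" --drag-and-drop disabled
    vbox modifyvm "$name" --usb off
}

# Step 3: register the template with 4096 MB RAM, a NAT adapter, a 20 GB
# dynamically allocated VDI disk, and the Ubuntu ISO as first boot device.
create_template() {
    name="$1"; iso="$2"
    disk="$VM_DIR/$name/$name.vdi"
    vbox createvm --name "$name" --ostype Ubuntu_64 --register
    vbox modifyvm "$name" --memory 4096 --vram 32 --nic1 nat
    vbox createmedium disk --filename "$disk" --size 20480 --format VDI --variant Standard
    vbox storagectl "$name" --name SATA --add sata --controller IntelAhci --portcount 1 --bootable on
    vbox storageattach "$name" --storagectl SATA --port 0 --device 0 --type hdd --medium "$disk"
    vbox storagectl "$name" --name IDE --add ide
    vbox storageattach "$name" --storagectl IDE --port 0 --device 0 --type dvddrive --medium "$iso"
    vbox modifyvm "$name" --boot1 dvd --boot2 disk
    harden_vm "$name"
}

# Step 5: full clone (clonevm generates fresh MAC addresses by default, the
# GUI's "Reinitialize MAC address"), harden it, then take the "clean" snapshot
# Step 6 recommends so the compartment can be rolled back after a scare.
clone_task_vm() {
    template="$1"; name="$2"
    vbox clonevm "$template" --mode all --name "$name" --register
    harden_vm "$name"
    vbox snapshot "$name" take clean --description "Fresh clone of $template"
}

# Step 7: the command a desktop shortcut for a compartment should run.
launch_vm() { vbox startvm "$1" --type gui; }

# Usage:  ./vm-compartments.sh build /path/to/ubuntu.iso
# Install Ubuntu in VM_Template, shut it down, then:  ./vm-compartments.sh clone
if [ "${1:-}" = "build" ]; then
    create_template VM_Template "$2"
    launch_vm VM_Template
elif [ "${1:-}" = "clone" ]; then
    for task in Email Research Analysis SocialMedia Personal Disposable; do
        clone_task_vm VM_Template "VM_$task"
    done
fi
```

Run it once with `VBOX=echo` to read every command it would issue; `harden_vm` is the part worth keeping even if you prefer the GUI for everything else, since it is the guest-to-host bridges, not exotic hypervisor bugs, that most often undo a VM’s isolation.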
4. Using email
North Korea watchers should never rely on a single email address because it creates a single point of failure that can compromise their entire digital footprint. If that address is phished, every contact, document, and account tied to it becomes vulnerable—research materials, social media, institutional affiliations, and even personal communication.
You will almost certainly receive emails from people claiming to be researchers, journalists, or conference organizers. Some may be real. Many are not. It is increasingly risky to rely upon verification through secondary means, such as checking with a known colleague or reaching out via institutional contact forms. If you are a high profile target, those channels may themselves already be compromised: skilful threat actors work their way towards a high profile target by compromising the easier targets around them and looking for weak links into the target’s environment. The safest check is a channel you established yourself before the message arrived, for example a phone number you already held, and never one the message itself supplies.
It should not need to be said, but never open attachments from unknown sources. Threat actor phishing emails often embed malware in seemingly legitimate PDFs, DOCXs, or even fake Zoom invitations. If you must open an attachment, open it only in a disposable VM.
Threat actors often use spear-phishing tactics that exploit publicly available information, so using one email for everything makes their job easier. By separating email addresses by function—one for research, another for correspondence, and a third for media or public-facing activity—watchers compartmentalize risk and make it far more difficult for attackers to gain meaningful access.
In practice, you should avoid emails that use your name. For many people in GenX, this is a hard notion to accept. We grew up with our email accounts linked to our names and have grown attached to them. Businesses and universities across the globe reinforce this poor security practice, so that it’s fairly easy to know anyone at a specific government department is firstname.lastname@department.gov. It’s not easy to give up this practice!
Luckily, there are many services that make this easier. Most decent email providers can generate masked or alias addresses for signing up for newsletters, booking conference seats, or purchasing goods, so your real address is never handed out. If your email service doesn’t provide this, you can use an online service such as DuckDuckGo’s Email Protection: https://duckduckgo.com/email/settings/autofill
Email should ALWAYS be secured with Multi-Factor Authentication (MFA) and/or physical security keys. MFA is non-negotiable. Use app-based codes at a minimum (Google Authenticator, Authy), but preferably physical security keys like YubiKey: a stolen password is useless without physical possession of the key, and because the key only answers the site it was registered with, it cannot be tricked into logging you in to a look-alike phishing page, which an app-based code can be.
5. Using VPNs
North Korea watchers travel a lot and do a lot of work away from their home base. When accessing email, cloud services, or research archives from public Wi-Fi, travel locations, or insecure networks, a reputable VPN is essential. It encrypts your connection and masks your IP address, making it harder for adversaries on that network to track your location or intercept login credentials. Be clear about what it does and does not do: it protects the hop between you and the VPN server from whoever runs the local network; it does not protect you from a phished password or a malicious attachment, and you still need HTTPS for everything beyond the VPN exit.
In South Korea, it’s important to recognize that many public Wi-Fi networks should be considered compromised—including university and government Wi-Fi networks. Even when you’re in a place that you believe is secure, Wi-Fi network attacks are one of the easiest ways to gain access to an individual’s communications and install malware.
Choose a service with a strong no-logs policy and servers in jurisdictions not subject to pressure from authoritarian regimes. Avoid free VPNs—they’re often data collection traps themselves.
If you want to go the extra step, also use a router you control in your home and office, keep its firmware current, and run the VPN at the router level. A router-level VPN gives automatic, always-on protection for every device connected to your network—laptops, phones, smart TVs, and even IoT devices—without needing to install the VPN separately on each one.
This setup routes all traffic from the network through the VPN server, masking your IP address and physical location from the sites you visit and from anyone watching the link between your router and the VPN provider, and it eliminates the risk of forgetting to activate your VPN manually. It also helps bypass censorship or geo-restrictions. It does not make you anonymous: the VPN provider can see your traffic, and any account you log into still identifies you. For high-risk users like North Korea watchers, a router-level VPN adds a useful layer of security and operational discipline across all digital activity.
The last word
Lastly, cybersecurity is dynamic. New threats are a constant and there is a need to stay up to date on the latest means to address them. What practices, methods and tools are working today, may not work tomorrow. So, be sure to check the date on when this post was written before relying on these practices.
Useful sources to stay informed include:
Mandiant https://cloud.google.com/blog/topics/threat-intelligence
Recorded Future https://www.recordedfuture.com/vulnerability-database
For North Korea watchers, cybersecurity isn’t a checklist—it’s a daily discipline rooted in skepticism, compartmentalization, and operational awareness. The threats are targeted, the attackers are patient, and the tactics are often indistinguishable from ordinary professional correspondence.
This makes technical tools like VPNs, VMs, and MFA essential, but not sufficient on their own. What matters just as much is how you think: treating every unsolicited message as suspect, separating personal and professional identities, and maintaining hardened digital boundaries across your work. In a field where the observer is often the target, protecting yourself is not just prudent—it’s part of the job.
Interesting read that provides ideas for those who are not North Korea watchers, yet still need informed cybersecurity practices. Qubes OS especially can be quite useful for us. Thanks!
I'm somewhat overwhelmed after reading this piece. I'm grateful for the info, though!