In July, we noted that the Islamic republic has been playing the numbers game in the world of cyberattacks, using relatively rudimentary tactics in a shotgun approach that targets thousands of individuals in the hopes that a small percentage become victims. Now, the recent release of a U.S. Department of Justice criminal complaint depicts a similar, yet very different, threat from North Korea over the past four years.

In addition to laying out in technical detail why North Korea was the most likely perpetrator of attacks on Sony Pictures in 2014, Bangladesh Bank in 2016, the WannaCry attacks in 2016 and 2017, and dozens of other lower-profile attacks in between, the complaint revealed many new insights into how the North Koreans allegedly crafted their operations to conduct those attacks. The operations that North Korea and Iran are suspected of conducting share much in terms of targeting and tactics, but one key difference provides insight into how the two countries approach their cyber campaigns. Whereas Iran tends to play the numbers game, North Korea plays the long game, preparing attacks months — or sometimes over a year — in advance. The differences in style between the two threats highlight the relevance of the cyberattack cycle and the important role preparation and surveillance play in such attacks. But even if the investigation has lifted the lid on some of the biggest state-sponsored hacks in recent years, it is unlikely to ever stop countries such as North Korea from refining their craft and homing in on other victims.