North Korean hackers

Understanding cyber operations in the hermit kingdom

Gabriel Currie
7 min read · Dec 16, 2018

The vast majority of North Korean hacking, or offensive computer network operations (CNO), comes directly under the control of the North Korean military.

Formally known as the Korean People’s Army, or KPA, North Korea’s military is formed of five branches: the Ground Force, the Navy, the Air Force, the Strategic Rocket Forces, and the Special Operation Force. Command and control is executed through the General Staff Department (GSD), which provides administrative, logistical and operational direction and support to other branches.

As well as being responsible for conventional and nuclear military operations, the KPA controls almost all foreign intelligence activity through its Reconnaissance General Bureau (RGB). The RGB performs a range of intelligence collection and clandestine operations, including CNO.

Simplified North Korean military structure (data sourced from ROK Ministry of Defense)

In the North Korean intelligence and security community the RGB operates alongside the State Security Department (SSD), a non-military agency responsible for counter-intelligence and internal security, and protection of the ruling Kim family. The RGB and SSD are also supported by the United Front Department (UFD) and the 225th Bureau, two separate agencies focused on targeting South Korea (also known as the Republic of Korea or ROK) with a range of clandestine operations and active measures.

North Korean offensive cyber units

(Key sources for this section include CSIS’s “North Korea’s Cyber Operations: Strategy and Responses” and Captain Duri Lee’s NPS Paper “How to Improve the ROK and US Military Alliance Against North Korea’s Threats to Cyberspace: Lessons from NATO’s Defense Cooperation”.)

As with much of the hermit kingdom, little is known of North Korea’s offensive cyber units. However, in open source, a number of specific units can be identified within both the RGB and the GSD. The division of responsibility for cyber operations between the RGB and GSD is likely to mirror their overarching remits, with the RGB responsible for CNO conducted as a part of intelligence gathering or active measures, and the GSD responsible for CNO and electronic warfare (EW) conducted during military operations.

North Korean CNO units under the command of the RGB and GSD

There are also a number of other organisations that likely conduct offensive cyber operations on behalf of the North Korean regime and which fall outside the direct command structure of the military (for example, the Korea Computer Center); these are not covered.

RGB CNO units

Bureau 121 is the primary CNO unit within the RGB, reportedly formed in 1998 and now manned by over 6,000 staff at bases around the world (including until recently the Chilbosan Hotel in Shenyang, China). Service in Bureau 121 (and likely also other RGB cyber units) is seen as highly prestigious, with soldiers and their families well housed and provided for by the regime. Candidates for membership are selected from top North Korean technical universities, notably the University of Automation, and provided additional training, likely with support from Russian or Chinese tutors. Bureau 121 is also referred to as the Cyber Warfare Guidance Bureau.

The Computer Technology Research Lab is an RGB unit with responsibility for supporting Bureau 121’s operations through vulnerability detection and exploit development.

128 and 413 Liaison Offices are two RGB units whose primary missions are intelligence gathering, and who likely conduct CNO as a part of this (to a large degree because of the lower cost and risk of CNO compared to running human agents).

A number of sources also refer to Lab Number 110; this may be a distinct unit subsumed by Bureau 121, or another name for the Computer Technology Research Lab.

GSD CNO units

The Operations Bureau is the GSD function most directly involved in CNO, with responsibility (amongst others) for strategic decision making around the employment of CNO in military conflict.

The Command Automation Bureau has a number of units within it that have a CNO role, primarily focused on technical research and development in support of offensive cyber operations. These units have previously been reported to be involved in specific CNO missions. They include:

  • Unit 31, responsible for malware development
  • Unit 32, responsible for military software development
  • Unit 56, responsible for command and control software development

Unit 204 within the Enemy Collapse Sabotage Bureau is an information warfare and psychological operations unit; while this does not directly involve CNO, the unit may conduct limited CNO in support of its mission.

Another unit not directly involved in CNO, but relevant, is the Electronic Warfare Bureau; their mission, and effects on enemy forces, are similar to CNO units, and examples of previous operations include radar and GPS jamming.

North Korean threat actors in cyberspace

A broad range of threat actors are attributed to North Korea in cyberspace, by a wide range of names. As naming conventions vary between organisations, these can often be difficult to reconcile; the best currently available resource for doing so is Florian Roth’s APT tracker.

The following North Korean threat actors are referred to in public sources:

  • The US government refers to North Korean cyber activity collectively as HIDDEN COBRA.
  • The wider cyber security community refers to a large part of North Korean cyber activity as Lazarus Group.
  • Cyber security firm FireEye publicly tracks three distinct North Korean threat actors: APT37, APT38, and TEMP.Hermit.
  • Cyber security firm CrowdStrike publicly tracks four North Korean threat actors: Stardust Chollima, Silent Chollima, Ricochet Chollima, and Labyrinth Chollima.
  • Cyber security firm Kaspersky publicly tracks two active Korean-language actors: DarkHotel and Kimsuky.

Finally, this slide from South Korean researcher Cha Minseok also brings some clarity to the multitude of North Korean hacking group names in use.

North Korean hacking groups and their names (Source: Cha Minseok)

North Korean cyber operations

Collectively, North Korean threat actors have been responsible for a huge number of targeted and untargeted cyber attacks. These usually have one of three objectives: information operations, espionage and intelligence gathering, or financial gain. Cyber attacks are one of the primary methods North Korea has for targeting its enemies, and provide the isolated and cash-poor country with a cheap and effective weapon.

Some of the first known North Korean cyber attacks were information operations targeting traditional North Korean adversaries such as the US and South Korea. In the early years these were crude attacks using techniques such as distributed denial of service (DDoS) and website defacement. More sophisticated examples have also been seen, for example the hacking of, and subsequent data leak from, Sony Pictures Entertainment in 2014.

As North Korean abilities evolved, the regime’s forces likely broadened the scope of their operations to include more traditional espionage and intelligence gathering (albeit conducted via digital means). Due to the nature of these attacks there is significantly less in open source on this topic; known incidents, however, include the targeting of Seoul ADEX expo attendees in 2015, and of the South Korean Defense Integrated Data Center the following year.

Finally, attacks for financial gain likely began around 2016; these have typically targeted financial institutions and cryptocurrencies, for example Bangladesh Bank (the country’s central bank) and bitcoin exchanges. Their purpose is likely to be obtaining foreign currency (including cryptocurrency) for the RGB, the North Korean military, and the North Korean regime.

Timeline of selected North Korean cyber operations

  • Hacking of the South Korean Military Agency in 2008 (Source)
  • DDoS attacks targeting South Korean and American government websites in July 2009 (Source)
  • DDoS attacks targeting South Korean government and private-sector websites in July 2010 (Source)
  • DDoS attacks targeting South Korean and US Forces Korea websites in March 2011 (Source)
  • Hacking of Nonghyup Bank’s IT systems, and email accounts at Korea University, in March 2011 (Source)
  • Hacking of South Korean paper Joongang Ilbo in June 2012 (Source)
  • Hacking of South Korean banks (including Shinhan, NongHyup and Jeju Banks) and media organisations (including KBS, MBC and YTN), under the monikers “NewRomanic Cyber Army Team” and “WhoIs Team”, in March 2013, possibly as a response to the passing of UN Security Council Resolution 2087 (Source)
  • DDoS attacks targeting South Korean government and private-sector websites, specifically targeting DNS servers, in June 2013 (Source)
  • Hacking of Sony Pictures Entertainment, and subsequent public release of confidential data, under the moniker “Guardians of Peace” in November 2014 (Source)
  • Extortion and hacking of Korea Hydro and Nuclear Power using an MBR wiper in December 2014 (Source)
  • Hacking of attendees of the Seoul ADEX defence and security expo in 2015 (Source)
  • Hack of Ecuadorian Banco del Austro, and subsequent theft of $12.2 million USD via SWIFT payment fraud, in January 2015 (publicly reported in 2016)
  • Hacking of South Korean firm Daewoo Shipbuilding, and subsequent theft of 40,000 documents including warship schematics, in 2016
  • Hacking of Bangladesh Bank (the country’s central bank), and subsequent theft of $81 million USD via SWIFT payment fraud, in February 2016 (Source)
  • Hacking of South Korean government officials’ mobile phones in March 2016 (Source)
  • Hacking of the South Korean Defense Integrated Data Center, and subsequent theft of 235 gigabytes (GB) of data, in September 2016 (Source)
  • Hacking of South Korean cryptocurrency exchanges (including Youbit, Bithumb and Coinis), and subsequent theft of millions of dollars in cryptocurrency, in 2017 (Source 1, Source 2)
  • Hacking of various unnamed companies in order to mine cryptocurrency on compromised assets from 2018 onwards (Source)
  • Hacking of banks worldwide to facilitate fraudulent ATM withdrawals, from 2017 onwards (Source)
  • Hacking of an unnamed Middle Eastern company (potentially Orascom OTMT.CA) which pulled out of a joint venture with the North Korean government in 2017 (Source 1, Source 2)
  • Launching the global ransomware attack now known as WannaCry in May 2017

North Korean RGB operative Park Jin Hyok, wanted by the FBI in relation to cyber operations targeting Bangladesh Bank and Sony Pictures Entertainment, and the 2017 WannaCry ransomware outbreak (Source)

Written by Gabriel Currie

Head of Cyber Security and Deputy CISO at the UK Government’s @Cabinet_Office, previously incident response at PwC UK