

Office 91
Unit 110 + Bureau 121

In North Korea, hackers are part of the military forces. In 2013, leader Kim Jong-un said that cyber warfare, along with nuclear weapons and missiles, is an “all-purpose sword” that guarantees the military’s strike capabilities. Given its continuing political and socio-economic isolation, North Korea's military has shifted its focus towards forms of asymmetric negation, probing any vulnerability in the US-ROK alliance in order to counter its qualitatively superior technological advantages. In addition to nuclear and ballistic missile programs, North Korea has been developing cyber-related offensive military capabilities.

North Korean cyberwarfare agencies, part of the Reconnaissance General Bureau, conduct malicious cyber activities that pose a threat to the entire world. In 2009, the South Korean National Intelligence Service and the Defense Security Command reported that Unit 110 intercepted confidential defence strategy plans, including OPLAN 5027 detailing US-ROK responses to potential North Korean provocations. In the same year, North Korean hackers reportedly stole information from the South Korean Chemical Accidents Response Information System (CARIS), developed by the National Institute of Environmental Research under the Ministry of Environment, after infiltrating the ROK Third Army headquarters' computer network and using a password to access CARIS' Center for Chemical Safety Management.

They have conducted distributed denial-of-service attacks against four dozen targets in South Korea and the US in 2009, as well as "Ten Days of Rain" DDoS attacks targeting South Korean government websites and networks of the US Forces Korea (USFK) lasting for 10 days in 2011.

In January 2020 a Russian cyber security firm said that a North Korea-sponsored cybercrime group, Lazarus, had stolen cryptocurrency using the Telegram messaging app. In December 2019, Microsoft in the U.S. sued a North Korean hacking group for allegedly stealing user information.

The 2014 Defense White Paper from the Ministry of National Defense in South Korea states that, “North Korea currently operates about 6,000 cyber warfare troops and conducts cyber warfare, including the interruption of military operations and attacks against major national infrastructure, to cause psychological and physical paralysis in the South.”

Donghui Park noted that the "RGB formed “Office 91” as the headquarters of North Korea’s hacking operations. Office 91 has four subordinate organizations. First, Unit 110, also known as Technology Reconnaissance Team, was suspected of carrying out the July 2009 DDoS attacks against South Korea and the US. Second, Unit 35, the Central Party’s Investigations Department, is the smallest group, but is a highly capable cyber unit with both internal security functions and external offensive cyber capabilities. Third, the North Korean People’s Army Joint Chiefs Cyber Warfare Unit 121 has over 600 hackers specializing in disabling South Korea’s military command, control, and communication networks in case of armed conflict. Finally, the Enemy Secret Department Cyber Psychological Warfare Unit 204 has about 100 hackers and specializes in cyber elements of information warfare."

North Korea’s growing cyber capability emerged most starkly in 2013. South Korea suffered a series of cyberattacks that damaged its commercial and media networks, and disrupted banking services. Despite limited Internet capacity in North Korea, defectors and security experts point to an elite cyber warfare unit known as “Bureau 121” as the source of these attacks. Chilbosan Hotel in Shenyang, one of Liaoning Hongxiang's joint ventures with the DPRK, is alleged to be the staging area for Bureau 121, a group of North Korean hackers. It has been widely reported that Bureau 121 may have been responsible for the 2014 Sony hack. The cyber-attack is estimated to have cost Sony hundreds of millions of dollars in damage.

For North Korea, one of the most important purposes of training hackers is to complete the final stage of war preparations. The North’s basic military strategy consists of three principles — preemptive surprise attacks, blitzkrieg tactics based on quick and decisive battles, and hybrid warfare. In hybrid warfare, the state seeks to win a victory both in the front and rear. In terms of old military strategies, regular forces would attack along the battlefront, while others would dig underground tunnels to harass the enemy’s rear. But today, North Korea chooses to wage cyber warfare in order to collapse and disrupt the enemy simply with a button. For that reason, the country is known to have nurtured specialists on cyber terrorism since the 1990s.

It is known that North Korea has two cyber warfare organs — the Enemy Collapse Sabotage Bureau under the military and the General Bureau of Reconnaissance. The former collects internal information to control local residents, while the latter is in charge of hacking campaigns, in which it breaks into security systems to steal sensitive information. This General Bureau of Reconnaissance was pinpointed as the perpetrator of the distributed denial-of-service or DDoS attacks on 35 websites of major institutions in South Korea and the U.S. in 2009.

To train hackers or “cyber warriors” systematically, North Korea is working hard on education for gifted children. In the North, cyber warriors are groomed from childhood. Would-be cyber agents are selected among those aged 14 or 15 or even younger. They are taught at Kumsong Middle School No. 1 and No. 2 and then enter Kim Il-sung University or Kim Chaek University of Technology for further education. After graduation, they are assigned to the cyber warfare unit under the General Bureau of Reconnaissance to work as hackers.

North Korea cultivates “cyber elites” systematically by selecting science prodigies and giving them intensive cyber security training. In addition, some of the brilliant graduates of Kim Il-sung Military University are selected to receive computer training before being appointed as hacker unit officers. After going through rigorous training, hackers are entitled to various privileges.

Hackers can enter the party and have a successful career as well. They are proud of being part of the advance guard that defends the country. Hackers enjoy various benefits ordinary citizens can’t even think of. They are given chances to study or work abroad and also provided with economic incentives. For example, if they successfully hack a cryptocurrency exchange with a system they have developed, they can get 10 percent of the gains. It’s no wonder that hackers are launching cyber attacks competitively.

North Korean hackers can secure the livelihood of the top one percent of society. In fact, their hacking skills are highly sophisticated. One of the most sensational cyber attacks linked to North Korea was the 2014 hack of Sony Pictures, the distributor of a film entitled The Interview that depicts the assassination of North Korean leader Kim Jong-un. At the time, the hacking destroyed data on 70 percent of the company’s computers. In 2016, North Korean hackers made off with 81 million US dollars through a cyber theft of the Bangladesh central bank’s account at the Federal Reserve Bank of New York. Lately, North Korea has conducted hacks on cryptocurrency exchanges.

With the value of cryptocurrency rising, North Korea has attacked crypto exchanges to seize virtual currencies including bitcoin. In 2017, the National Police Agency Cyber Bureau in South Korea said that North Korea made ten hacking attempts against four cryptocurrency exchanges in the South. North Korean hackers are suspected of being behind the 2017 cyber attack using the WannaCry computer virus. It is a sort of ransomware, which refers to malicious software that encrypts computer systems, leaving them inaccessible to users, and demands money to decrypt them.

North Korean hackers are being used as a means of earning foreign currency to maintain the impoverished regime. According to a report by the U.N. Security Council, North Korea illegally gleaned US$570 million by hacking crypto exchanges in East Asia five times between 2017 and September of 2018. As a Russian security firm recently said, the North is stealing digital currencies using new hacking methods. Along with Russia, China and Iran, North Korea is included in the list of countries that pose a grave cyber threat. These countries are linked to some of the most infamous hacking incidents in the past ten years.

The U.S. has been sanctioning North Korean hackers, including Park Jin-hyok, who caused great damage by hacking computers all around the world for three years starting in 2014. In response to the DPRK's cyber attack on Sony Pictures, the President signed an Executive order, Executive Order 13687, on January 6th, 2015, granting the Treasury Department the authority to impose sanctions against agencies, instrumentalities, officials and entities controlled by the Government of North Korea and the Workers' Party of Korea.

Executive Order 13687 represented a significant broadening of Treasury's authority to increase financial pressure on the DPRK and to further isolate it from the international financial system. For the first time, Treasury has the authority to designate individuals and entities based solely on their status as officials, agencies, or controlled entities of the Government of the DPRK. Treasury also now has the authority to designate those providing material support to the Government of the DPRK.

Simultaneously with the issuance of this Executive order, Treasury designated three entities and ten individuals, whom Secretary Jack Lew described as “critical North Korean operatives.” These include the Reconnaissance General Bureau, known as RGB, which is the DPRK's primary intelligence organization and is responsible for many of its cyber operations; the Korean Mining Development Trading Corporation, also known as KOMID, which is the DPRK's primary arms dealer; and ten officials of the DPRK Government, including eight KOMID officials based throughout the world.

The U.S. regards all hacking attempts as an attack on national security. So it follows the hackers’ tracks, reveals their identities and openly searches for them. In September of 2018, the U.S. Department of Justice charged North Korean computer programmer Park Jin-hyok with conspiracy to conduct computer intrusions and wire fraud. In September of 2019, the U.S. Treasury Department decided to impose sanctions on three North Korean hacking groups under the General Bureau of Reconnaissance.

In practice, however, it is difficult to punish the hackers. International cooperation is necessary to come up with ways to block North Korea’s cyber crime operations. North Korea is acquiring hard currency through illegal means and stealing important security information. It seems necessary for the international community to devise proactive countermeasures against North Korean hacking attacks, which are a serious threat to global cyberspace.

In 2019, they stole 10 million US dollars from a Chilean bank through a cyber theft. It seems North Korean hacking group Lazarus has recently taken the lead in stealing more than 500 million dollars in cryptocurrencies.

According to a report released by the expert panel under the U.N. Security Council’s committee on sanctions on North Korea in August 2019, North Korea is estimated to have collected about 2 billion US dollars by hacking banks and crypto exchanges. The amount is staggering, almost equivalent to foreign currency income that North Korea had earned before the sanctions were imposed on it. For North Korea, hacking operations do not cost much, as it can mobilize skilled hackers at low costs.

South Korea is one of the biggest targets of North Korean hackers. Cyberattacks by Thallium, which is another hacking group believed to be operated by North Korea, have increased significantly. In 2019, Microsoft filed a lawsuit against this cybercrime group with a federal district court in Virginia for allegedly attacking U.S. government employees. It is assumed that the group is identical to a North Korean hacking organization that was previously known as Kimsuky.

On 26 August 2020, multiple U.S. agencies issued a joint alert against North Korea’s cyber theft. The agencies are the Cybersecurity and Infrastructure Security Agency under the Homeland Security Department, the Treasury Department, the FBI and the U.S. Cyber Command. They said that a North Korea-backed hacking group called BeagleBoyz stole money from bank accounts and ATMs around the world. The alert was followed by a complaint from the Justice Department to seize cryptocurrency accounts linked to North Korean hackers.

The US consistently raised the alarm about North Korean hackers’ money-laundering scheme related to crypto-assets. On 27 August 2020, the U.S. Justice Department filed a complaint to forfeit 280 cryptocurrency accounts suspected of having ties to North Korean hackers who stole digital currencies. As a matter of fact, international concerns about North Korea’s cyber threats are not something that started just recently.

On 02 September 2020, the Society for Worldwide Interbank Financial Telecommunication or SWIFT said that North Korea started laundering money using cryptocurrencies. In a report jointly published with British security firm BAE Systems, SWIFT said that one of the North Korean hacking groups called Lazarus attempted to launder crypto funds by stealing them from an exchange and then passing transactions through different exchanges.

On 05 September 2020, South Korean cybersecurity firm ESTsecurity said that Thallium launched attacks on South Koreans working in defense firms, researchers of North Korean issues, defectors and journalists specializing in North Korea. It has reportedly spread emails carrying malicious code, disguised as research material from a person who previously worked at the Gaeseong Industrial Complex.

This group is known for its highly sophisticated hacking methods. It sends emails that look completely harmless, but once people click on them, they are linked with malicious code. For example, Thallium sent emails with the title of “Samsung Cloud Gallery Services” to South Koreans working in North Korea-related areas. It has also launched phishing attacks on journalists, pretending to be Naver, South Korea’s largest web portal service operator. North Korean hackers used phishing and smishing, or SMS phishing, which have evolved considerably both in South Korea and abroad. Their targets include South Korean financial companies, so they may possibly steal South Korean funds.

North Korea’s cyberattacks continue to evolve. In the past, they typically paralyzed, disrupted or destroyed cyberinfrastructure, as seen in a series of distributed denial-of-service or DDoS attacks. With North Korea reeling from a financial crunch due to international sanctions, it has recently turned to hacking in order to make money. In other words, North Korea is using its cyber operations capabilities to earn money. For that purpose, it mines, steals and produces cryptocurrencies such as Bitcoin, Litecoin and Monero. Global security industries warn countries to take extra precautions because North Korea uses more sophisticated and well-planned hacking techniques.

It is believed that North Korean hackers have stolen cryptocurrencies worth hundreds of millions of US dollars by hacking crypto exchanges. But it is very difficult to trace the process. To make their hacking incidents untraceable, hackers are known to transfer cryptocurrencies more than 5,000 times using highly advanced and elaborate techniques. The scale is so large that North Korea is suspected of supporting illegal cyber operations at a state level to funnel the funds into weapons development. Industry watchers estimate that the level of North Korea’s cyber capabilities is close to Russia’s and China’s.

Many believe North Korea trains hackers systematically at major universities and organizations because they prove to be cost-effective. Foreign money illegally earned by North Korean hackers is a major source of funding for the North Korean regime, which is subject to various sanctions.

North Korea finds it increasingly difficult to earn foreign money due to international sanctions. It is easy to imagine that the country will continue to hack financial institutions all over the world and steal cryptocurrencies in a bid to secure money. Amid the prolonged international sanctions against North Korea, the already impoverished local economy is deteriorating further and leader Kim Jong-un is running short of his governing funds. To secure the funds at least, hacking will be indispensable. In a sense, cyber theft is the easiest way to earn money. Previously, North Korea would circulate counterfeit dollars. But hacking costs less and carries fewer risks of exposure.


Page last modified: 30-07-2021 18:10:01 ZULU