North Korea is continuing with its military provocations.
Starting with its missile launch at the break of 2023, North Korea has fired missiles on more than 20 occasions so far this year. But the country is posing an even graver threat.
North Korea is frequently carrying out hacking operations in cyber space. It attempted to launch a malicious cyber attack targeting the South Korea-U.S. combined military exercise that was held last month. What kinds of groups are responsible for North Korea’s hacking attacks and why is the country resorting to cyber operations?
Today, we’ll analyze North Korea’s hacking groups with Professor Jeong Eun Chan at the National Institute for Unification Education.
The South Korean government announced unilateral sanctions on a North Korean hacking group called “Kimsuky” on June 2, two days after North Korea launched a projectile carrying its military reconnaissance satellite.
Significantly, the measure marks the world’s first unilateral sanctions against the North Korean hacking group. What is “Kimsuky” and why did the Seoul government take such action?
Kimsuky has been behind major cyber attacks in South Korea and Western countries including the U.S. for more than ten years. The hacking group would often impersonate famous people to steal information from South Korean public institutions as well as experts in the fields of cryptocurrency, diplomacy and security.
North Korea’s Reconnaissance General Bureau has specialists in cyber operation. Under the country’s intelligence agency, the 3rd bureau known as the Technical Reconnaissance Bureau and Lab 110 are assumed to direct North Korea’s hacking groups. Kimsuky is also known to belong to the Reconnaissance General Bureau.
Since 2010, the Kimsuky group has launched hacking attacks on South Korean government agencies and relevant organizations, including the Ministry of National Defense and the Ministry of Unification.
“Kimsuky” was named by a Russian security firm, while it was tracking a cyber attack by hackers seemingly based in North Korea. The group is notorious for its hacking attack on Korea Hydro & Nuclear Power in South Korea in 2014. Last year, it even impersonated a South Korean National Assembly member to send phishing emails.
I was stunned by the sophisticated nature of the scheme. At first, I thought that my office had sent the emails, so I asked my aides to check the message.
Kimsuky sent emails to foreign affairs and national security experts in the name of the office of Thae Yong-ho, a North Korean diplomat defector-turned-South Korean lawmaker. In doing so, the hacking group monitored online communications and provided the information to the North Korean government.
Other than Kimsuky, there are many more North Korean hacking groups that steal intelligence through cyber attacks.
It seems there are numerous hacking groups associated with North Korea. They include APT 38, Temp.Hermit, Hidden Cobra, Reaper, which is also known as APT 37, Group 123, Nickel Academy and Lazarus. Lazarus, in particular, is infamous for hacking financial institutions around the world. In 2016, the group stole 81 million US dollars from the central bank of Bangladesh.
North Korea’s hacking groups belong to the country’s military or the communist party. 15 to 20 hacking teams are known to be working at the Technical Reconnaissance Bureau alone, which is tasked with computer hacking.
The Lazarus Group, among others, made the international community very nervous. The group hacked into Sony Pictures Entertainment in 2014, in response to the American film company’s movie about the fictional assassination of North Korean leader Kim Jong-un.
In 2016, Lazarus hacked 101 million dollars deposited at the Federal Reserve Bank of New York account belonging to Bangladesh’s central bank and stole 81 million dollars. These incidents show North Korea’s hacking capabilities have reached a significant level. The country continues to use intelligent and advanced hacking methods.
North Korean hackers carry out hacking operations targeting specific individuals or institutions in a certain period of time. When their mission is over, they are deployed to different teams for new operations. They set up cyber operation bases, disguised as trade firms, in Chinese cities such as Shenyang, Guangzhou and Dalian as well as in Mongolia and Indonesia.
Through indiscriminative hacking attempts, North Korean hacking group Kimsuky secured 326 servers in 26 countries to launder Internet Protocol or IP addresses. They use the laundered IP addresses to send out phishing emails disguised as lawmakers’ offices, government agencies or reporters. The emails have malicious programs attached or direct readers to a phishing website that is linked to the message. Once the readers click on the programs or the link, hacking starts.
In terms of hacking ability, experts evaluate that North Korea ranks third in the world, following the U.S. and Russia. It is assumed that North Korean hacking groups have launched cyber attacks in at least 29 countries for the last 14 years. Apart from the high number of attacks, North Korea’s hacking schemes are widespread, regardless of areas, such as subways, aerospace, nuclear energy and bio-related industries. The purpose is to steal information and disrupt society. In 2021, Reuters reported that North Korean hackers secretly breached computer networks at a missile developing company in Russia, which is North Korea’s traditional ally.
North Korea is a communist dictatorship that is isolated from the outside world. It is known as an impoverished state suffering from the lack of goods. However, the country’s hacking units relentlessly infiltrate computer systems all around the world. How is that possible?
It is said that North Korea began to reinforce its cyber forces in the mid-1980s. It tried to foster them in order to overcome military and economic inferiority. The country founded Mirim College in 1986 as a place to train cyber operation specialists. In the 1990s, the North began to teach information technology to gifted children, improving the conditions for strengthening cyber forces. Hackers are trained from early on. Science prodigies are educated at Pyongyang Senior Middle School No.1 or Kumsong School. They are then nurtured as cyber warriors at Mirim College, Kim Il-sung University or Kim Chaek University of Technology.
Since the years of former leader Kim Jong-il, North Korea has intensively fostered hackers, in the belief that hacking is the most effective means of attack, considering the initial cost of investment.
Former leader Kim Jong-il instructed officials to provide IT education to gifted children at the national level. Talented students selected from elementary schools nationwide receive extensive computer education, including algorithm design and programming, at schools for science prodigies. Among them, excellent students are admitted to university to learn more advanced skills. North Korean students have actually proved their outstanding computer programmer skills at international competitions.
North Korean students trained as cyber warriors often take part in international events. This year, North Korean university students took top four spots at a hacking contest hosted by HackerEarth, a company based in San Francisco in the U.S. At the competition, students from Kim Chaek University of Technology came in first, third and fourth, while a student from Kim Il-sung University took second place. The Kim Chaek University of Technology said on its website that its student won the contest with a perfect score of 800. Again, North Korean students swept the top four places in the hacking competition, where some 1,700 people participated.
North Korean university students who are raised as cyber warriors receive overseas training in China or Russia. When the training is over, they are deployed to hacking units to participate in North Korea’s global cyber operations. So, why is the North nurturing hackers at the state level?
In North Korea, hacking operations are led by the state. The purpose is to continue with espionage activities and to earn foreign currency. With the money it stole through hacking, the country enhances its cyber warfare capabilities, develops missiles and raises professional hackers.
North Korea’s three-pillared military strategy consists of preemptive, surprise attack, quick decisive war, and mixed tactics. In mixed tactics, North Korea seeks to make attacks both in the frontline and in the rear. While regular forces attack the front, others are supposed to harass the enemy’s rear by digging underground tunnels. But now, North Korea is preparing for cyber warfare so it can disrupt the rear at the click of a button. With that purpose in mind, it uses hacking.
North Korea operates hacking units to raise funds and gather intelligence for regime maintenance. It created a new phrase “cyber foreign currency income” in 2015, indicating that its hackers are engaging in all sorts of illegal activities as an important means of earning foreign currency. The issue of North Korea’s cryptocurrency thefts was mentioned by U.S. officials during a recent congressional hearing.
Democratic politician Elizabeth Warren said that North Korean hackers have raised over three billion dollars from crypto heists over the past five years. About 50 percent of them are assumed to have been used to procure parts needed for nuclear and missile development.
Amid the prolonged international sanctions and economic difficulties, North Korea is likely to boost its hacking capabilities even further.
Under Kim Jong-un’s rule, North Korea has focused on developing its cyber war capabilities. On top of economic benefits from its hacking operations, the country is expanding its cyber attacks to governments, military organizations, defense industries and energy research institutes overseas in order to collect military and diplomatic information more extensively. That’s why the U.S., the EU and the U.N. continue to slap sanctions on North Korea’s hacking groups and malicious cyber actors.
The South Korean government is preparing for training aimed at responding to cyber terrorism effectively. South Korea and the U.S. have discussed ways to deal with North Korea’s cyber attacks through bilateral cooperation. These efforts will lead to stronger, strategic cooperation between the allies in cyber security, and South Korea is expected to strengthen its cyber response capabilities
Kim Jong-un once stressed that cyber warfare, along with nuclear weapons and missiles, is an all-purpose sword that guarantees the North Korean People’s Armed Forces’ striking ability. As the leader’s remarks indicate, North Korea uses its cyber capabilities to steal confidential information as well as assets from other countries.
The international community needs to seek closer cooperation and make greater efforts to prevent state-sponsored North Korean hackers from engaging in illicit cyber activities.