Though almost no one in DPRK has broad access to the Internet, Pyongyang has managed to nurture an army of highly skilled hackers from the best students of mathematics, who are becoming the country's unofficial elite.
Prof Kim Heung-Kwang, a computer science professor from DPRK, who fled to South Korea in 2004, said
the country had around 6,000 cyber warfare troops who report directly to the Cabinet General Intelligence Bureau. For comparison: the United States Cyber Command, created by Barack Obama in 2009, has about 700 military and civil servants. The U.S. military maintain
s 6,200 personnel in its cyber units and the United States does recognize the danger of the threat. Vincent Brooks, commander of United States Forces Korea, is sure
that North Korean hackers are some "of the best in the world and the most organized." Adam Meyers, vice president of intelligence at CrowdStrike
that the DPRK is "a formidable cyber adversary".
Donghui Park and Jessica L. Beyer noted
"The potential for North Korea to destroy critical infrastructure without a nuclear weapon has largely been ignored, yet Pyongyang has enough cyber offensive capability to cause serious damage."
UK Parliament Defense Committee reported
that North Korean cyber-attacks are "far more likely" than a nuclear missile attack. Parliamentarians called for increased extra-budgetary investment in ensuring the cybersecurity of the kingdom. At the same time, the British complained about the acute shortage of qualified personnel. Meanwhile, Pyongyang not facing this issue.
DPRK's cyber subunits into three groups, based on the declarations of defectors and South Korean researchers:
"Group A" attacks foreign objects and is linked to the most high-profile DPRK campaigns, such as WannaCry
"Group B" focuses on South Korea, military, and infrastructure secrets;
"Group C" performs low-skilled work, such as targeted e-mail attacks.
However, a different classification would be more appropriate. This classification was first used
experts (the company has customers in 170 countries around the world, and participated in the investigation of attacks on Sony Pictures
and the U.S. Democratic Party). Their methodology takes not only the targets into account, but also the methods the groups use. Analysts used the root word in the name Chollima — a mythical horse with wings, revered in DPRK.
group should not be considered as a single organization: it is appropriate to divide it into four units: Stardust Chollima
specializes in "commercial attacks" that generate revenue; Silent Chollima
acts against the media and government agencies; Labyrinth Chollima
focuses on countering intelligence services; Ricochet Chollima
is responsible for stealing confidential user data.
Recently, another group has been noticed on the Net. This group, the APT37, is apparently not connected with Lazarus
, and is trying to stay out of sight and to not attract attention. APT37
is involved in serious penetrations into the systems of various countries from South Korea to the countries of the Middle East.
According to defectors and South Korean experts in the area of cyber intelligence, promising candidates are being selected from the age of 11 and sent to special schools where they teach
the basics of cybersecurity and the development of computer programs. The cyber soldiers are given appropriate indulgences: they do not need to worry about accommodation, they get luxury food that other North Koreans do not get, and they can bring their entire family to Pyongyang. Cyber soldiers are also exempted from
compulsory military service — they perform a different service.
However, there is a downside: elite cyber-soldiers have elite status. But, like in every army, there is "infantry" in a completely different situation. Bloomberg
interviewed North Korean Jong Hyok, who worked in DPRK cyber forces, and produced a lengthy report on the status of the North Korean cyber capabilities. Though the Bloomberg report
contains a huge amount of data, it is not possible to verify the validity of all the statements made in it.
The hacker interviewed by Bloomberg did not participate in high-profile operations and was engaged exclusively in making money through illicit online activities. Jong was allocated to Computer Science School, studied in China, and upon returning to his homeland, joined cyber forces, and was sent to the PRC for work. The hacker had to earn money himself to buy a computer. In the beginning he used his hostel roommates' laptop, but later earned his first profit by selling software. Then, he started to hack software on request and in his free time he ravaged gambling sites and developed characters in online games for further resale.
The hackers who did not earn the required rate of USD 100,000 a year were sent back to DPRK. Programmers were allowed to retain less than 10% of the profits.
After the incident with a civil servant, Jong Hyok fled to Bangkok, bought a fake passport and asked the Embassy of South Korea for help, which allowed him to start a new life in Seoul.
In addition to hacking, cyber forces are also engaged in other tasks. On request, hackers develop iOS and Android software, and profits from software sales go to the DPRK treasury. "Branches" of North Korean units are scattered around the world, but most hackers live in China. Given the volume of traffic and careful monitoring of Internet users' requests, the Chinese authorities are certainly aware of the activities of the North Koreans, but no proven measures have been taken against cyber-frauds. Apparently, DPRK and PRC adhere to a silent convention on network non-aggression.