What we know about North Korea's cyberarmy

Snippets of information about the secretive regime's cyberops have leaked out over the years

The attack on Sony Pictures has put North Korea's cyberwarfare program in the spotlight. Like most of the internal workings of the country, not much is known but snippets of information have come out over the years, often through defectors and intelligence leaks.

Here's a summary of what we know:

The Cyberunits

North Korea's governing structure is split between the Workers' Party of Korea (WPK) and the National Defense Commission (NDC).

North Korea's main cyberoperations run under the Reconnaissance General Bureau (RGB), which itself falls under the Ministry of People's Armed Forces that is in turn part of the NDC. The RGB has been operational for years in traditional espionage and clandestine operations and formed two cyberdivisions several years ago called Unit 121 and Office 91.

Office 91 is thought to be the headquarters of North Korea's hacking operation although the bulk of the hackers and hacking and infiltration into networks is done from Unit 121, which operates out of North Korea and has satellite offices overseas, particularly in Chinese cities that are near the North Korean border. One such outpost is reportedly the Chilbosan Hotel in Shenyang, a major city about 150 miles from the border. A third operation, called Lab 110, participates in much the same work.

There are also several cyberunits under North Korea's other arm of government, the Workers' Party of Korea.

Unit 35 is responsible for training cyberagents and is understood to handle domestic cyberinvestigations and operations. Unit 204 takes part in online espionage and psychological warfare and Office 225 trains agents for missions in South Korea that can sometimes have a cyber component.


The North Korean school system emphasis the importance of mathematics to students from a young age. The most gifted are given access to computers where they can begin practicing programming skills and, if they are good enough, go on to one of a handful of schools that have specialist computer departments. These are typically Kim Il Sung University, the country's most prestigious seat of learning, Kim Chaek University of Technology or Mirim College. Much less is known about the latter, although it's believed to be a specialist cyberwarfare school.

The students learn general programming techniques and will also specialize in disciplines such as cyberwarfare. After graduating, they will sometimes be sent to study overseas. That's when, with an open Internet connection and the anonymity of a foreign network, they can start participating in hacker forums, developing malicious software and testing out their skills.

Over the past few years, it's estimated the schools have turned out several thousand students (estimates range from around 2,000 to around 6,000), who now make up North Korea's cyberforces.

International Network

North Korea has a single connection to the Internet, so attacks from inside the country would be quite easy to trace. As a result, the country uses computers around the globe to launch attacks. Often these are compromised PCs and the owners have no idea they've been infected with North Korean malware. Some of the initial attacks to help build this network of infected computers are thought to be launched from North Korean outpost offices in places like China, Russia and India.

Operations and attacks

While pinning down the true perpetrator of cyberattacks is incredibly difficult, a number of attacks in recent years have been blamed on North Korea. Some, like the Sony hack, have been high-profile but many others have gotten much less attention and appear more aimed at earning money than causing disruption.

July 2009 - Attackers target government websites in the U.S. and South Korea in large-scale distributed denial of service (DDOS) attacks that were later blamed on North Korea.

March 2011 - In an attack dubbed "10 Days of Rain," major South Korean government websites and sites operated by the U.S. military in South Korea are targeted in DDOS attacks.

April 2011 - South Korea's Nonghyup bank is targeted in a DDOS attack that was later traced to North Korea and linked with previous attacks.

August 2011 - South Korean police accuse a North Korean hacking ring of stealing around $6 million in prize money from online games.

November 2011 - A hacker attempts to hack the email system of Korea University's Graduate School of Information Security in an action later blamed on North Korea.

June 2012 - Conservative South Korean newspaper Joong Ang Ilbo is hit by a cyberattack that succeeded in destroying databases. A week earlier, North Korea had threatened the newspaper over its coverage of the country.

March 2013 - A major cyberattack, later blamed on North Korea, paralyzes the networks of several major South Korean TV broadcasters. A bank ATM network is also hit in the attack, which attempted to wipe the hard drives of computers. A second attack pushes the DNS servers of government websites offline for several hours. At around the same time, North Korea's connection with the global Internet goes down for 36 hours.

March 2013 - Responding to the attacks, the hacking group Anonymous targets North Korean websites. It succeeds in breaking into a major North Korean news portal and publishes the names and account details of thousands of subscribers.

June 2013 - Hackers post names, social security numbers and other personal information of thousands of U.S. armed forces members stationed in South Korea online.

June 2013 - South Korean government DNS servers are targeted by a DDOS attack. Similarities are found in the code that links it to the March attacks.

December 2013 - South Korean police say North Korean agents are behind a spear-fishing attack on the computer of a prominent defector.

November 2014 - South Korea's spy agency said North Korean hackers had planted malware in around 20,000 smartphones.

Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service. Follow Martyn on Twitter at @martyn_williams. Martyn's e-mail address is martyn_williams@idg.com

Join the CSO newsletter!

Error: Please check your email address.

Tags securitydata breach

More about IDGNDCNewsSonyTechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Martyn Williams

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place