Information Warfare: Elite Cyber War Agents From North Korea


May 9, 2018: It was recently revealed that North Korea has established a program for foreign agents that is only open to members of the elite North Korea families. The children of these families are eligible to attend the Mangyongdae Revolutionary Academy. Graduates of Mangyongdae are most likely to get the most senior government and military jobs. There are only about a hundred graduates a year and for the last few years, a computer science program has provided a specialized course for Mangyongdae students seeking to become foreign agents in “enemy” countries, especially South Korea. These agents are trained to hunt down high level defectors in foreign countries and either arrange to kill the defector or at least find out how the defector is doing, how many secrets they have divulged and, if possible, persuade the defector to shut up or even return to North Korea. To accomplish this the Mangyongdae students are taught the latest hacking techniques and what tools and mercenary hackers are available in the hacker underground and how to deal with the tools, and the mercs, to put together specialized efforts to track down defectors and monitor them. This means the Mangyongdae must be able to pass as a South Korean (speak with a South Korea accent, know the customs and slang) and assume a false identity convincingly.

As important as all these skills are the most important item is loyalty to North Korea. The Mangyongdae agents go after the growing number of high level North Koreans who are illegally leaving the country. The agents are trained to use social media to seek out known or suspected defectors, make contact and obtain more information about them.

Over the last decade, North Korea has been growing more concerned about key people defecting to South Korea or simply getting into China and making asylum deals with the Chinese government. The Chinese have always been receptive to such arrangements and there have been more of this as the hundreds of families at the top of the social pyramid in North Korea get out. This is a risky endeavor although there are more and more people smugglers who, for enough money, can get anyone out of the country. Worse, many high level defectors were already outside North Korea on official business when they arrange to disappear and defect. Some of these defectors have been diplomats and some of them were senior enough to be noticed when they disappeared.

These high-caste North Koreans report that there is a sense in the ruling families that the system isn’t working and is doomed. The top people in North Korea are easy to identify. When North Korea was founded in the late 1940s a caste system was established to ensure that the most loyal and capable North Korean communists were recognized and rewarded for their efforts to maintain the new communist government for now and generations to come. The newly established secret police and communist party reported on everyone making it possible to create an official list of every family assigned to one of 51 social classes. From the beginning, most (29) of these classes were composed of people considered either hostile to the government or leaning that way. These new lower classes are where most of the new (and often quite wealthy) donju (entrepreneurs) are coming from. Most of the population falls into these 29 social classes, and they are getting increasingly hostile to a government that seems to do nothing but create one disaster after another. Members of higher-caste families are catching on as well and younger members are increasingly abandoning promising careers to flee the country. All that bribe money making its way to the higher caste North Koreans doesn’t just go to buy an easier life in North Korea it often buys an escape. To deal with this problem among the most trusted classes a special program at the Mangyongdae Revolutionary Academy counter-intelligence program was established. Apparently, some of the Mangyongdae agents have been identified or even caught and this program is no longer as secret as it once was. Meanwhile the Mangyongdae Revolutionary Academy and its ultra-loyal students gets a lot more publicity inside (and outside) North Korea.

In addition to tracking down high-caste defectors, the Mangyongdae level agents are also assigned to monitor the loyalty of North Korea hackers working outside North Korea. North Korean defectors have revealed much about how North Korea has managed to establish and maintain hacking operations outside North Korea and make a lot of money for the cash hungry North Korea government. This became a higher priority operation in the last few years because of the growing list of economic sanctions imposed while at the same time there were more the opportunities for Internet based misbehavior. Some of these defectors were associated with the North Korean hackers who are, it turns out, mostly based outside North Korea because Internet access is better and operating outside North Korea makes it easier to deny that North Korean hackers are engaged in illegal activity. South Korea has obtained a lot of details about the North Korean hacker operations and even all0wed some defectors familiar with those operations to speak openly about it. Obviously, many of these North Korean hackers are not as loyal as they are supposed to be and something much be done to identify and punish the ones that defect and expose how the hacker program works.

The Mangyongdae agents are also trained in the usual methods of secretly contacting “the center”, usually via North Korea operatives based outside of North Korea and able to relay messages to and from North Korea itself. The skills North Korea hackers have developed are world class and increasingly difficult to counter or even detect. But this edge in skills and techniques depends on having loyal operatives in key positions, thus the importance of the Mangyongdae agents.

The North Korea hacker force consists of about 6,800 personnel but only quarter of these have software programming or engineering skills that enable them to develop and carry out the hacks. The rest are support staff, including many security personnel who monitor hacker activities to ensure loyalty and productivity. Over the last few years more and more of the hackers have been assigned to money raising operations rather than intelligence collection (spying). North Korea needs cash more than secrets and as a result each of these hackers has been bringing in about $100,000 a year in much needed income for North Korea. Alas for the hackers, like most North Koreans working abroad, see little of that money. This does not inspire loyalty and resolve to avoid the temptation to defect.

Most of the foreign operations are in China where the hackers and their support staff live in Spartan conditions and are closely watched. These hackers are aware of how much more valuable their skills would be in South Korea (where some currently are, working for South Korean software firms). Unfortunately you risk your life (and those of y0ur family) if you try to escape. But some have and some still do. Basing so many of the North Korean hackers in China is partly because there is apparently an arrangement with the Chinese to enable the North Koreans to keep operating in return for favors. In addition to not hacking Chinese networks, or any foreign ones the Chinese consider off-limits, the Chinese receive cash and, more importantly, access to data the hackers obtain. Some hacks attributed to “Chinese hackers” are apparently carried out by North Korean hackers in order to pay for continued presence in China (and the cooperation of Chinese security forces to prevent North Korean hackers from defecting.)

In 2013 South Korea came up with a number (over $800 million) for the cost of dealing with North Korean cyber attacks since 2007. The list was quite detailed. The attacks in March and June of 2013 accounted for 93 percent of the total damages. South Korea has been subjected to a growing number of Cyber War attacks since 2009, and the high cost of the 2013 ones showed that the North Koreans were getting better and that South Korea was not keeping up. The 2014 operation against smart phones was the first North Korean effort against smart phones and indicated there would be more and there were.

Long believed to be nonexistent, by 2013 it was clear that the North Korean cyber warriors did exist and were not the creation of South Korean intelligence agencies trying to obtain more money to upgrade government Information War defenses. North Korea has had personnel working on Internet issues since the 1990s and their Mirim College program trained most of the North Korean Internet engineers and hackers. North Korea has a unit devoted to Internet based warfare and this unit was increasingly active as the number of Mirim graduates grew.

Since the late 1980s, Mirim College was known as a facility that specialized in training electronic warfare specialists. But by the late 1990s the school was found to be also teaching some students how to hack the Internet and other types of networks. Originally named after the district of Pyongyang it was in, the college eventually moved and expanded. It had several name changes but its official name was always “Military Camp 144 of the Korean People's Army.” Students wore military uniforms and security on the school grounds was strict. Each year 120 students were accepted (from the elite high schools or as transfers from the best universities). Students stayed for 5 years. The school contained five departments: electronic engineering, command automation (hacking), programming, technical reconnaissance (electronic warfare), and computer science. There's also a graduate school, with a three year course (resulting in the equivalent of a Master’s Degree) for a hundred or so students. The Mirim program has been modified since 2015 and is believed to be producing more graduates each year and in a growing number of specialties. Mirim graduates were key to getting the Mangyongdae program going.

It was long thought that those Mirim College grads were hard at work maintaining the government intranet, not plotting Cyber War against the south. Moreover, for a few years North Korea was allowed to sell programming services to South Korean firms. Not a lot, but the work was competent and cheap. So it was known that there was some software engineering capability north of the DMZ. It was believed that this was being used to raise money for the government up there, not form a major Internet crime operation. But by 2016 there was tangible and growing evidence of North Korean hackers at work in several areas of illegal activity. The Cyber War attacks apparently began around 2005, quietly and nothing too ambitious. But year-by-year, the attacks increased in frequency, intensity, and boldness. By 2009, the North Korean hackers were apparently ready for making major assaults on South Korea's extensive Internet infrastructure, as well as systems (utilities, especially) that are kept off the Internet.

Deceased (since 2011) North Korean leader Kim Jong Il had always been a big fan of PCs and electronic gadgets in general. He not only founded Mirim but backed it consistently. The only form of displeasure from Kim was suspicions that those who graduated from 1986 through the early 1990s had been tainted by visits (until 1991) by Russian electronic warfare experts. Some Mirim students also went to Russia to study for a semester or two. All these students were suspected of having become spies for the Russians, and most, if not all, were purged from the Internet hacking program. Thus, it wasn't until the late 1990s that there were a sufficient number of trusted Internet experts that could be used to begin building a Cyber War organization.

South Korea has to be wary because they have become more dependent on the web than any other on the planet, with the exception of the United States. As in the past, if the north is to start any new kind of mischief, they try it out on South Korea first. While many of the first serious attacks in 2009 were more annoying than anything else, they revealed a new threat out there, and one that not only got worse but turned out to be from the usual suspects. Now the threat is very real and growing rapidly.




Help Keep Us From Drying Up

We need your help! Our subscription base has slowly been dwindling.

Each month we count on your contributions. You can support us in the following ways:

  1. Make sure you spread the word about us. Two ways to do that are to like us on Facebook and follow us on Twitter.
  2. Subscribe to our daily newsletter. We’ll send the news to your email box, and you don’t have to come to the site unless you want to read columns or see photos.
  3. You can contribute to the health of StrategyPage.
Subscribe   Contribute   Close