The growing number of North Korean defectors are revealing more details of how North Korea is trying to adapt to the increasing list of economic sanctions and the opportunities for Internet based misbehavior. Some of these defectors were associated with the North Korean hackers who are, it turns out, mostly based outside North Korea because Internet access is better and operating outside North Korea makes it easier to deny that North Korean hackers are engaged in illegal activity. South Korea has obtained a lot of details about the North Korean hacker operations and recently all0wed some defectors familiar with those operations to speak openly about it.
The North Korea hacker force consists of about 6,800 personnel but only quarter of these have software programming or engineering skills that enable them to develop and carry out the hacks. The rest are support staff, including many security personnel who monitor hacker activities to ensure loyalty and productivity. Over the last few years more and more of the hackers have been assigned to money raising operations rather than intelligence collection (spying). North Korea needs cash more than secrets and as a result each of these hackers has been bringing in about $100,000 a year in much needed income for North Korea. Alas for the hackers, like most North Koreans working abroad, see little of that money.
Most of the foreign operations are in China where the hackers and their support staff live in Spartan conditions and are closely watched. These hackers are aware of how much more valuable their skills would be in South Korea (where some currently are, working for South Korean software firms). Unfortunately you risk your life (and those of y0ur family) if you try to escape. But some have and some still do. Basing so many of the North Korean hackers in China is partly because there is apparently an arrangement with the Chinese to enable the North Koreans to keep operating in return for favors. In addition to not hacking Chinese networks, or any foreign ones the Chinese consider off-limits, the Chinese receive cash and, more importantly, access to data the hackers obtain. Some hacks attributed to “Chinese hackers” are apparently carried out by North Korean hackers in order to pay for continued presence in China (and the cooperation of Chinese security forces to prevent North Korean hackers from defecting.)
Meanwhile the economic hacks are getting more and more ambitious. For example a January 2018 hack of a Japanese cryptocurrency (bitcoin and the like) exchange got away with half a billion dollars’ worth of cryptocurrency. The North Koreans are the chief suspects because North Korea prefers to use cryptocurrency to finance their illegal activities (like smuggling in needed items). The cryptocurrency had North Korean “fingerprints” all over it but that could be faked (with a lot of effort). American, Japanese and South Korean banking and Internet security investigators are trying to hunt down and halt (or at least damage) North Korean cryptocurrency operations.
Meanwhile South Korea has been the victim of many North Korean hacks and takes an intense interest in what North Korean hackers are up to. And for good reason. For example in late 2016 South Korean officials revealed that there had indeed been another major North Korean penetration of government Internet networks in August. The government also admitted that the cause was failure of network security officials to adhere to the new (since 2014) security measures that had proved capable to making the networks safer from hackers. In other words, it wasn’t a technical failure but a human one. This was quite embarrassing because two months before the August attack South Korean officials revealed that they had discovered (earlier in 2016) and stopped another major Internet based attack on South Korea by North Korean hackers. The proof, as in the past, was more of the text in the hacker software that could be traced back to North Koreans. This hack was extensive and had been going on, largely undetected, since 2014. This campaign was largely against defense industry and government networks and over 40,000 documents have been identified as probably copied and sent to North Korea. Back in 2014 there were indications something like this was coming.
In late 2014 South Korean intelligence reported that between May and September North Korea managed to distribute to over 20,000 South Korean smart phone users games containing spy software. The North Korean “spyware” was seeking information from banks as well as documents relating to reunification plans and defense matters. The spyware allowed the North Koreans to transfer data from the infected smart phone and secretly turn on the camera. The government reported that this effort has since been blocked. North Korea denied any involvement in this, as it usually does. But since 2009 the evidence has been piling up of increasing North Korean Internet based espionage via the Internet.
In late 2013 South Korea came up with a number (over $800 million) for the cost of dealing with North Korean cyber attacks since 2007. The list was quite detailed. The attacks in March and June of 2013 accounted for 93 percent of the total damages. South Korea has been subjected to a growing number of Cyber War attacks since 2009, and the high cost of the 2013 ones showed that the North Koreans were getting better and that South Korea was not keeping up. The 2014 operation against smart phones was the first North Korean effort against smart phones and indicated there would be more and there were.
Long believed to be nonexistent, by 2013 it was clear that the North Korean cyber warriors did exist and were not the creation of South Korean intelligence agencies trying to obtain more money to upgrade government Information War defenses. North Korea has had personnel working on Internet issues since the 1990s and their Mirim College program trained most of the North Korean Internet engineers and hackers. North Korea has a unit devoted to Internet based warfare and this unit was increasingly active as the number of Mirim graduates grew.
Since the late 1980s, Mirim College was nown as a facility that specialized in training electronic warfare specialists. But by the late 1990s the school was found to be also teaching some students how to hack the Internet and other types of networks. Originally named after the district of Pyongyang it was in, the college eventually moved and expanded. It had several name changes but its official name was always “Military Camp 144 of the Korean People's Army.” Students wore military uniforms and security on the school grounds was strict. Each year 120 students were accepted (from the elite high schools or as transfers from the best universities). Students stayed for 5 years. The school contained 5 departments: electronic engineering, command automation (hacking), programming, technical reconnaissance (electronic warfare), and computer science. There's also a graduate school, with a 3 year course (resulting in the equivalent of a Master’s Degree) for a hundred or so students. The Mirim program has been modified since 2015 and is believed to be producing more graduates each year and in a growing number of specialties.
It was long thought that those Mirim College grads were hard at work maintaining the government intranet, not plotting Cyber War against the south. Moreover, for a few years North Korea was allowed to sell programming services to South Korean firms. Not a lot, but the work was competent and cheap. So it was known that there was some software engineering capability north of the DMZ. It was believed that this was being used to raise money for the government up there, not form a major Internet crime operation. But by 2016 there was tangible and growing evidence of North Korean hackers at work in several areas of illegal activity. The Cyber War attacks apparently began around 2005, quietly and nothing too ambitious. But year-by-year, the attacks increased in frequency, intensity, and boldness. By 2009, the North Korean hackers were apparently ready for making major assaults on South Korea's extensive Internet infrastructure, as well as systems (utilities, especially) that are kept off the Internet.
Deceased (since 2011) North Korean leader Kim Jong Il had always been a big fan of PCs and electronic gadgets in general. He not only founded Mirim but backed it consistently. The only form of displeasure from Kim was suspicions that those who graduated from 1986 through the early 1990s had been tainted by visits (until 1991) by Russian electronic warfare experts. Some Mirim students also went to Russia to study for a semester or two. All these students were suspected of having become spies for the Russians, and most, if not all, were purged from the Internet hacking program. Thus, it wasn't until the end of the 1990s that there were a sufficient number of trusted Internet experts that could be used to begin building a Cyber War organization.
South Korea has to be wary because they have become more dependent on the web than any other on the planet, with the exception of the United States. As in the past, if the north is to start any new kind of mischief, they try it out on South Korea first. While many of the first serious attacks in 2009 were more annoying than anything else, they revealed a new threat out there, and one that not only got worse but turned out to be from the usual suspects. Now the threat is very real and growing rapidly.