Winning: Surviving and Thieving


August 28, 2019: North Korea still has useful friends at the UN and that’s a major reason why North Korea keeps going despite more and more economic sanctions. It’s not exactly winning but it is avoiding losing and, according to North Korean propagandists, that’s a win.

For example, China and Russia are the principal obstacles to the release of a new UN report on North Korean sanction violations. China and Russia continue to tolerate North Korean evasion of the sanctions, although such tolerance is more restricted than in the past, even in China. The new UN report got leaked anyway and the contents documented the support North Korea still obtains from Chinese and Russian sources. Not from the governments of China and Russia, but from the companies or criminal gangs in those two nations that make possible illegal imports and exports with North Korea. Having these operations described in a UN sponsored report that has been officially released puts pressure on UN members listed as working with North Korea to curb those activities. Russia and China are the biggest offenders and among the few UN members who have permanent use of a veto over UN decisions. Thus UN sponsored research like this usually has problems getting past Russia and China, which tend to have some of their people showing up as involved in whatever bad behavior is being studied. In practice, it is mainly China the UN has to worry about because Russia is increasingly dependent on Chinese economic and diplomatic support to survive and can be pressured by China to do whatever China wants. In the case of UN sanctions on North Korea, the report shows how China is not bothered by blatant Russian efforts to help North Korea evade sanctions. This ranges from tolerating the North Korean use of Russian student visas to continue exporting workers to Russia (who have most of their pay taken by the North Korean government) to facilitating illegal exports (coal) and imports (oil).

The UN study detailed how North Korea was continuing to carry out transfers of refined petroleum products at sea. This is being done by using smaller ships to take the cargo from Chinese or Russian tankers. These smaller ships are not required to have the most effective transponders (to show the position of the ship) and can more easily evade detection as they head back to North Korea with their cargo. In this way, North Korea has been importing about three times more refined petroleum products than sanctions allow. North Korea is also able to illegally export coal and other minerals using the same technique.

These UN investigations rarely reveal anything that is not already known, at least in general terms. That North Korean hackers have stolen about two billion dollars’ worth of cryptocurrency (bitcoin and the like) and bank funds since 2016 is not new but the UN study goes into some useful details, like how North Korea has most of its hackers operating outside North Korea because otherwise they would be too easy to track down. All North Korea access to the Internet comes from Chinese ISPs (Internet Service Providers). The Chinese government exercises a lot of control over Chinese ISPs and would prefer that the UN investigators avoid bringing international attention to how much hacking activity China tolerates.

For years North Korean defectors have been providing more details about how North Korean hackers operate openly in China, as do a lot of other North Korean efforts to evade economic sanctions. Another interesting revelation is that the two billion obtained by North Korean hackers paid for about 30 percent of North Korean nuclear and missile development efforts since 2016. North Korean defense spending, which is about $3.5 billion a year, consumes about a quarter of annual GDP. That’s about ten times more (as a percentage of GDP) than other nations in the region spend. That much spending on the military is the main reason the North Korean economy is broken and North Koreans are hungry and without much fuel or electricity.

Some of these North Korean defectors were associated with the North Korean hackers operating outside North Korea and provided lots of useful details. South Korea also collects a lot of information about the North Korean hacker operations and will share some of those details with UN investigators. The North Korean hacker force consists of about 7,000 personnel but only a quarter of these have software programming or engineering skills that enable them to develop and carry out the hacks. The rest are support staff, including many security personnel who monitor hacker activities to ensure loyalty and productivity. Over the last few years, more and more of the hackers have been assigned to money raising operations rather than intelligence collection (spying). North Korea needs cash more than secrets and as a result, each of these hackers has been bringing in about $100,000 a year in much needed income for North Korea. Alas for the hackers they, like most North Koreans working abroad, see little of that money. But they do live better than most North Koreans and have very marketable skills. However, trying to escape, and failing, is usually a death sentence for the hacker and his family back in North Korea.

Most of the foreign operations are in China where the hackers and their support staff live in Spartan conditions and are closely watched. These hackers are aware of how much more valuable their skills would be in South Korea (where some currently are, working for South Korean software firms). But some have escaped and some are working on it. Basing so many of the North Korean hackers in China is partly because there is apparently an arrangement with the Chinese to enable the North Koreans to keep operating in return for favors. In addition to not hacking Chinese networks, or any foreign ones the Chinese consider off-limits, the Chinese receive cash and, more importantly, access to data the hackers obtain. Some hacks attributed to “Chinese hackers” are apparently carried out by North Korean hackers in order to pay for continued presence in China, and the cooperation of Chinese security forces to prevent North Korean hackers from defecting.

Meanwhile, the economic hacks are getting more and more ambitious. Since 2016 the North Korean hackers have not just gone after banks but also cryptocurrency exchanges (“banks” for stuff like bitcoin) as well as all manner of legal and illegal online banking activity. South Korea has been the victim of many North Korean hacks and takes an intense interest in what North Korean hackers are up to. North Korean penetration of South Korean government and military Internet networks has done more damage to South Korean military capabilities than the North Korean armed forces. South Korea has admitted that the cause of many of these successful North Korean hacks was a failure of network security officials to adhere to the new (since 2014) security measures that had proved capable of making the networks safer from hackers. In other words, it wasn’t a technical failure but a human one. This was quite embarrassing because, in general, South Korea has better online defenses than most other nations. This is one reason so many Western nations have become more energetic about improving their own Internet security.

South Korea has been dealing with North Korean Internet-based attacks longer than anyone else. Back in 2013, South Korea came up with a number (over $800 million) for the cost of dealing with North Korean cyberattacks since 2007. The list was quite detailed. The attacks in March and June of 2013 accounted for 93 percent of the total damages. South Korea has been subjected to a growing number of Cyber War attacks since 2009, and the high cost of the 2013 ones showed that the North Koreans were getting better and that South Korea was not keeping up. The 2014 operation against smartphones was the first North Korean effort against smartphones and indicated there would be more, and there were. Since 2013 the North Korean attacks have been less successful but the North Korean hackers have taken their experience against South Korean networks and applied it to many other nations.

Long believed to be nonexistent, by 2013 it was clear that the North Korean cyber warriors did exist and were not the creation of South Korean intelligence agencies trying to obtain more money to upgrade government Information War defenses. North Korea has had personnel working on Internet issues since the 1990s and their Mirim College program trained most of the North Korean Internet engineers and hackers. North Korea has a unit devoted to Internet-based warfare and this unit was increasingly active as the number of Mirim graduates grew.

Since the late 1980s, Mirim College was known as a facility that specialized in training electronic warfare specialists. But by the late 1990s, the school was found to be also teaching some students how to hack the Internet and other types of networks. Originally named after the district of Pyongyang it was in, the college eventually moved and expanded. It had several name changes but its official name was always “Military Camp 144 of the Korean People's Army.” Students wore military uniforms and security on the school grounds was strict. Each year 120 students were accepted (from the elite high schools or as transfers from the best universities). Students stayed for 5 years. The school contained 5 departments: electronic engineering, command automation (hacking), programming, technical reconnaissance (electronic warfare), and computer science. There's also a graduate school, with a 3-year course (resulting in the equivalent of a Master’s Degree) for a hundred or so students. The Mirim program has been modified since 2015 and is believed to be producing more graduates each year and in a growing number of specialties.

It was long thought that those Mirim College grads were hard at work maintaining the government intranet, not plotting Cyber War against the south. Moreover, for a few years, North Korea was allowed to sell programming services to South Korean firms. Not a lot, but the work was competent and cheap. So it was known that there was some software engineering capability north of the DMZ. It was believed that this was being used to raise money for the government up there, not form a major Internet crime operation. But by 2016 there was tangible and growing evidence of North Korean hackers at work in several areas of illegal activity. The Cyber War attacks apparently began around 2005, quietly and nothing too ambitious. But year-by-year, the attacks increased in frequency, intensity, and boldness. By 2009, the North Korean hackers were apparently ready for making major assaults on South Korea's extensive Internet infrastructure, as well as systems (utilities, especially) that are kept off the Internet.

Deceased (since 2011) North Korean leader Kim Jong Il had always been a big fan of PCs and electronic gadgets in general. He not only founded Mirim but backed it consistently. The only form of displeasure from Kim was suspicions that those who graduated from 1986 through the early 1990s had been tainted by visits (until 1991) by Russian electronic warfare experts. Some Mirim students also went to Russia to study for a semester or two. All these students were suspected of having become spies for the Russians, and most, if not all, were purged from the Internet hacking program. Thus, it wasn't until the end of the 1990s that there were a sufficient number of trusted Internet experts that could be used to begin building a Cyber War organization.

South Korea has to be wary because they have become more dependent on the web than any other nation on the planet, with the exception of the United States. As in the past, if the north is to start any new kind of mischief, they try it out on South Korea first. While many of the first serious attacks in 2009 were more annoying than anything else, they revealed a new threat out there, and one that not only got worse but turned out to be from the usual suspects. Now the threat is very real and growing rapidly. North Korea would prefer as little publicity as possible about its hacking, and which nations are making themselves useful in those hacking enterprises.



