North Korean operatives have hacked South Korea’s Cyber Command
November 2019 by Ray Walsh
North Korean operatives have hacked South Korea’s Cyber Command, a 600-person agency whose job is to protect national interests and military systems against cyberwarfare. The cyberattack, which is thought to have been carried out by some of Kim Jong Un’s most elite hackers, has successfully infected the agency with malware that it is believed may have compromised up to 20,000 military computers.
The successful cyber penetration is likely to have been carried out by a state-sponsored North Korean hacking collective widely known as Bureau 121. That elite group of state-sponsored hackers is made up of North Korea’s most talented computer experts - many of whom previously trained in Shenyang, China. Others are chosen from candidates who study at the University of Automation, a highly sought after institution located behind barbed wire in Pyongyang.
Bureau 21 is believed to be manned by around 1,800 specialist agents whose role it is to carry out cyberwarfare and cyber espionage on primary targets located in South Korea, Japan, and the US. According to reports dating back to 2010, a number of those hackers - sometimes referred to as the DarkSeoul Gang - actually run cyberwarfare operations on behalf of North Korea from a location hidden within the basement of a hotel in Shenyang. From that location, and North Korea itself state sponsored hackers run operations that have previously targeted South Korean banks, television broadcasters, and financial companies. In addition, Bureau 21 hackers are believed to have deployed malware of all types onto victimized computer networks for the purposes of surveillance and Intellectual Property theft. In 2017, a similar attack to the one recently discovered - resulted in the theft of 60 classified military documents that were stolen from South Korea’s Daewoo Shipbuilding and Marine Engineering Company. During that penetration, it is believed that North Korean snoops stole classified blueprints for missile-equipped ships and submarines.
This latest attack is part of an ongoing cyber espionage campaign designed to improve North Korea’s military while systematically undermining its enemy in the south. On this occasion, it has been claimed that that sensitive military documents have again been stolen - including confidential information, meaning that the cyberattack could have severe ramifications for the country’s national security.
North Korea’s ongoing cyberwarfare campaign is largely funded using crypto assets stolen in hacking campaigns, including ransomware attacks worldwide. For example, cybersecurity experts working for the US government previously announced that the WannaCry ransomware attack, which targeted businesses and individuals worldwide during the summer of 2017, actually originated in North Korea.
In 2018, news also emerged that North Korean hackers had begun targeting cryptocurrency investors in order to minimise the effect of international sanctions. These crypto-heists are used to fund Kim Jong Un’s ongoing cyberwarfare campaigns. South Korea’s cyber command has also recently alleged that Bureau 21 hackers are behind an ongoing operation aimed at hacking international banks in order to appropriate funds illegally. According to a report commissioned by the U.N. Security Council, those illegal operations have amassed around $670 million in the last five years alone.
Ray Walsh is a digital privacy expert at ProPrivacy.com