North Korean special forces armed with modified AK rifles fitted with what are believed to be high-capacity magazines parade through Pyongyang. Despite their elite status, captured members of similar units have divulged considerable information to South Korea. Photo: AFP

One of the most shadowy arms of one of the world’s most shadowy states is finding itself bathed in a harsh and unwelcome global spotlight.

Two developments this month are adding to the mounting evidence that while North Korea’s conventional military refrains from provocations, its online operatives are actively, constantly and widely engaged across the borderless web.

On February 16, it was alleged that North Korean hackers had hacked pharmaceutical company Pfizer with the aim of stealing information about its Covid-19 vaccine. It is unclear whether the hackers succeeded. Subsequently, European intelligence officials told Reuters that North Korea planned to produce counterfeit vaccines to sell on the global black market.

Separately, on February 17, the US Department of Justice indicted two North Koreans and expanded charges against a third for their involvement in a vast multiplicity of cyber crimes, including the 2014 attack on Sony Entertainment and the 2017 global Wannacry DDOS (Distributed Denial of Service) attack. According to a 33-page DOJ report, the three attempted to extort or steal $1.3 billion, though their actions went far beyond theft.

US Assistant Attorney General John Demers described the three hackers, all whom have a variety of aliases and are believed to be key players in a North Korean unit code-named Lazarus Group as “the world’s leading bank robbers” and “a criminal syndicate with a flag.”

Assets and aims

North Korea, say experts who spoke to Asia Times, groups its cyber operatives under three arms of the state: The General Staff of the Korean People’s Army; the State Security Bureau; and the Reconnaissance General Bureau, or RGB. The latter directorate oversees intelligence operatives and special forces units, and is tasked with both espionage and military operations.

Some of the key sub-units identified, which are believed to operate under these various agencies have been dubbed Lazarus Group, APT38, Kim Suk Ki (aka Talium), D Track and Hidden Cobra Group. Their aims appear to be fourfold.

One is to gather foreign currency for a sanctioned, cash-strapped regime hence attacks on South Korean and Bangladeshi banks and crypto currency exchanges.

Another is to collect useful intelligence – be it on nuclear technologies from an Indian atomic energy plant, defense equipment from Eastern European arms companies, or even Covid-19 vaccine information from Pfizer.

Another is to silence or threaten regime opponents or those who insult the dignity of the ruling Kims – hence online attacks on outspoken North Korean defectors and Sony Entertainment (which had produced a satirical comedy featuring national leader Kim Jong Un).

Assistant Attorney General John Demers (L) calls the North Korean hackers a criminal syndicate with a flag. Photo: AFP/Sarah Silbiger

And in a regime that clearly uses tests of weapons of mass destruction and parades of military equipment to impress the outside world, yet another aim may be to showcase capabilities that awe the world – such as the infamous global Wannacry attack.

But how do Pyongyang’s cyber operations synch with its wider military? And given that cyber operations are virtual rather than real, how dangerous can they truly be? According to experts: “perfectly” and “very.”

Kim’s ‘monkey commandos’

Pyongyang’s openly shows off its WOMD in parades and tests, but these are weapons of non-use, or last resort. Cyber operations, however, are deniable, and bestride a blurred line between crime and warfare.  Hence they are in constant action.

North Korea’s cyber arm “is probably on a par with the North Korean nuclear threat or more of a threat,” said Chun In-bum, a retired major general who formerly lead South Korea’s Special Warfare Command.

 “The US and the Chinese and the Russians and the Israelis have cyber capability, but they are tied down by international norms,” Chun said. “North Korea is not in that sphere. They are a loose cannon.”

Cyber warfare synchs with North Korea’s military philosophy. State founder Kim Il-sung was an anti-Japanese guerilla leader in Manchuria, and later trained as a scout/sniper in the Red Army in the Russian Far East. The “Great Leader’s” unconventional warfare heritage continues to this day.

Exercises on cyber warfare and security are seen taking place during the NATO CWIX interoperability exercise on June 22, 2017, in Poland. North Korea’s aim is to sow confusion in a cyberwar. Photo: AFP/Jaap Arriens/NurPhoto

The North maintains some 200,000 men under the RGB – perhaps the world’s largest special forces. Its special forces “Chogyok” brigades, are usually translated into English as “sniper.” This is an error, Chun insisted: The actual etymology of is “monkey.” That may not come across in English as particularly menacing, but it connotes a principle rather than the animal itself.

“A monkey causes havoc,” Chun said. “Think of a monkey in a room jumping around, running around and hitting people in the head.” For this, “cyber ops given them a really convenient tool,” Chun said doubly so, given its deniability.

One man who has in-depth – indeed, personal – knowledge of North Korea’s dark online arts is Choi Sang-myeon/Simon Choi. He agrees with Chun that the hackers are dangerous – and masters of chaos.

‘It could have been worse than Covid’

The nerdish looking 37-year-old South Korea is a cyber security professional and founder of not-for-profit collective Issue Makers, which has been tracing North Korean hackers since 2008.  He spoke to foreign reporters last week in a non-descript, second-floor cyber security firm in southern Seoul.

“When comparing hackers to nuclear missiles, I think hackers are a more major threat,” Choi said. “We know they are developing weapons and missiles, but they have not used them yet. But hacking we see every day – all around us.”

Indeed, while Pyongyang’s weapons of mass destruction have never been used, its weapons of mass confusion almost certainly have.

In May 2017, the world was shaken by the Wannacry attack, which targeted hundreds of thousands of PCs running the MS Windows operating system, infiltrating them with ransomware, and demanding Bitcoin payment. A range of organizations and companies – the UK’s National Health Service, Spain’s Telefonica and the US’ FedEx – were impacted. The attack was overcome and the chaos subsided after a “kill switch” was discovered within the malware, and MS swiftly uploaded new security patches.

Those who paid the ransoms demanded never received fixes – but that was not the point of the attack.

Britain’s National Health Service was the victim of a North Korean ransomware attack. Photo: AFP/David Cliff/NurPhoto

“The ransomware was never the main purpose of it – this started with international sanctions [against North Korea] and they wanted to show their potential and create chaos,” said Choi talking of an escalation of the global sanctions regime that picked up in 2016. “If not for the kill switch, the whole world would have been in worse chaos than Covid-19.”

Still, Choi remains puzzled about the kill switch that enabled its deactivation.

“If I was a hacker, I would make a fortune out of it, it was so powerful!” he said. “I think they put in the kill switch in case things got out of hand and they had to take full responsibility – which is ironic as it had North Korean fingerprints all over it.”

In late 2017, following investigations, the UK and US charged North Korean hackers from the Lazarus Group – hackers believed to operate under the RGB – with the attack. Microsoft also alleged that North Korea was behind Wannacry.

Tradecraft

Choi’s interest in North Korean cyberattacks started during his national service. While for most youths that means military duty, for Choi it meant working in computer security. There, his job was analyzing malicious codes – which is how he first came face-to-face with Pyongyang cyber espionage.

“Malignant codes [in South Korea] are usually aimed at online game accounts and stealing from online banking, but this code was a little different,” Choi said. This code was inserted into files related to military terms and military glossaries. The file names included words such as ‘navy’ and ‘weapons’ and even missile names and operational codes. 

“This was not a trifling matter,” Choi said.

A fascination was sparked. “I was on a mission and wanted to serve the country. I saw myself as a cyber soldier.”

After finishing his service, “I wanted to track this movement,” he said. “But I could not do it alone, so I gathered a group of friends to help. I am fully committed.”

That group became Issue Makers, which has made it to the finals of the global DEF CON CTF (“Capture the Flag”) hackathon and has spoken at global hacking conferences including Black Hat and CanSecWest. The collective has worked for both the Ministry of National Defense and the National Intelligence Service, and Choi is an advisor to the National Police Agency.

Choi’s organization was founded in 2008, but has backtracked many of North Korea’s alleged cyber operations to 2004. It has helped identify the main groups of hackers in North Korea and which of the three state agencies – Army General Staff, State Security and RGB – they operate under. It has also mapped out which groups have attacked which targets.

Citing South Korean National Intelligence Service, Choi believes there are some 1,500-1,600 dedicated hackers working for the agencies above, backed by some 5,000 support personnel.

Asked to analyze the skillsets of the North’s cyber commandos, he made clear that they are not as sophisticated as the global top tier. Regarding the alleged Israel-US “Stuxnet” cyber attack that crippled Iran’s uranium enrichment facilities in 2010, Choi noted that it took three months for experts “just to analyze the code itself.” North Korea’s codes are “not so sophisticated, but are very practical – they know what they want to know,” Choi said.

But a core competency is persistence. Noting that there have been successful hacks into secure South Korean government facilities as well as international airlines and telecommunications firms, he said. “Their MO is to keep on trying until they get what they need.”

Another competency is identifying and exploiting vulnerabilities.

“In the past, they used the skillsets China and the US have, and tweaked those skillsets, but recently they have been finding weaknesses of targets and going through,” he said. “They are one of the top three in the world in identifying vulnerabilities.”

What, then, are the clues that suggest North Korean involvement?

In 2009, following a denial of service (DOS) attack on the server of the South Korean presidential office and hundreds of thousands of PCs, Choi and his team analyzed the codes and protocols, and traced them into North Korea.

As an example of fingerprints, Choi cited the first clue: The code itself, written in Korean. “So, it was 1+1,” he said. “It could have been a hacker who knows Korean, but some words are a little different in North Korean dialect.” He showed Asia Times some recovered text – the word “Russia” in Korean – which is spelled differently, North and South.

Counter hacker Simon Choi of Issue Makers Lab. Photo: Asia Times/Andrew Salmon

Hacking the hackers

Choi has gone face to face – virtually – with North Korean hackers in real time. That required the risky step of directly luring them with a “honey pot.”

In 2019, Choi posed as a South Korean government representative. He set up a computer loaded with official-looking documents – but with a program designed to monitor and follow the hacker’s every move.

Contacted, he began an online chat and asked if the hacker was North Korean. The mark replied in the affirmative. They briefly chatted – “five to ten pings” – on three occasions. On their third discussion, the North Korean suddenly discontinued the conversation and unleashed a virus designed to destroy Choi’s computer.

That did not succeed: Choi having seen similar viruses during attacks on South Korean media firms in 2013, had installed appropriate defenses.

Choi traced his opposite number back to a PC with a motherboard dubbed “Pureun Haneul.” Choi did not know what that was, but after a short investigation he discovered it was the brand name of a North Korean electronics firm.

 “I am not 100% sure it was a North Korean hacker,” he admitted. “But all these details add up.”

In a world in which even powerful state agencies in the United States require years of  detailed investigation to pinpoint, identify and bring charges to bear against North Korean hackers, Asia Times cannot confirm Choi’s statements.

However – purely by coincidence – his veracity became clear during our interview.

Target identified

Choi was showing this writer a directory of targets amassed by a North Korean hacker. Given that the list, which originated in December 2018, includes the names and online details of multiple persons including South Korean politicians and a prominent defector, Asia Times did not photograph and cannot publish it.

But one name and email address on the list caught Asia Times’ eye: Daniel Tudor, an acquaintance of this writer.

Briton Tudor is currently a Seoul-based entrepreneur in IT, but was formerly a journalist with The Economist and the co-author of a 2015 book, North Korea Confidential: Private Markets, Fashion Trends, Prison Camps, Dissenters and Defectors.

That book, which lifted a veil on the lives of ordinary North Koreans, so irked Pyongyang that Tudor and his co-author, James Pearson, were given police protection in South Korea.

Subsequently, after the Moon Jae-in administration came to power in 2017, Tudor became an advisor to the Blue House, the presidential office. Given that the list seen by Asia Times also included Blue House email addresses, it seems likely that it was that affiliation, rather than his book, that had make him a target for direct hacking (“spear phishing”) – particularly as Pearson was not on the list.

Contacted by Asia Times with the information that he was a target of North Korean hackers, Tudor’s immediate response was, “That explains a few things!”

 “A couple of years ago, I kept getting emails almost every few days that ‘government-backed attackers are trying to hack into your account,’” Tudor said. “Who could it have been?”  There were multiple attempts to infiltrate his Twitter and Facebook accounts, and even to access his Apple ID, he continued.

“In some ways, I am flattered, I did not realize I was that important,” he said. “But I don’t know what they think they could discover – I don’t have that much money to blackmail.”

While Tudor may not have had access to millions – and, with a background in IT, was sensible enough not to become a victim – that is not true of other targets.

Indeed, North Korea cyber ninjas have not only stolen currencies and crypto currencies, they have broken into defense-related South Korean computers, and far beyond Korean shores, have stolen information on both weapons systems and nuclear technologies.

In Part II of this story, to run in Asia Times on Sunday, we explore some of the targets worldwide that have been hit by North Korean hackers, from arms manufacturers to cryptocurrency wallets; whether North Korea’s actions constitute crime or warfare; and an assessment of how vulnerable – or not – North Korea’s own online infrastructure is to counterattack.