How North Korea built up a cadre of code warriors prepared for cyberwar

There's still debate over North Korea's role in the Sony hack and its technical skills to orchestrate the breach, but since then the US military has redoubled efforts to contain – and potentially dismantle – the hacker squads within that wild-card nation.

North Korean leader Kim Jong-un, center, at a military gathering in an undated photo.

Korean Central News Agency/Reuters

February 6, 2015

When Steve Sin was an Army intelligence officer in 2009, North Korea was starting to make its mark as a player in the burgeoning realm of cyberwarfare, and South Korea was its new battleground.

Then a major in the Pentagon’s South Korea branch of its Directorate of Intelligence, Mr. Sin was given an assignment: track the Korean press and hacker forums, then report back. At that time, even Army specialists stationed in the south had little insight into precisely how skilled these new North Korean computer warriors were becoming.

“The cyber thing was new, even in 2009, and we were really interested in their military capabilities,” says Sin, now a senior researcher at the National Consortium for the Study of Terrorism and Responses to Terrorism at the University of Maryland. “We didn’t have a lot of classified data at all, so we figured, ‘Well, this is a good place to start.’ ”


At that time, it appeared North Korea was capable of carrying out simple operations such as distributed denial of service, or DDoS, attacks in which soldiers tested their abilities to overwhelm websites with Internet traffic, Sin says. Their capabilities grew and attacks became more numerous, but still basic. Between 2009 and 2011, North Korea was “allegedly responsible for a series” of attacks against South Korean commercial, government, and military websites, “rendering them briefly inaccessible,” according to a 2014 Pentagon report to Congress.

But the Sony Pictures breach that the US government blames on North Korea has caused a wholesale reassessment of that nation's technical capabilities and willingness to strike. That attack is sparking debate both inside the government and out about how tough the hack was, what skills the North Korean military actually has in the cyber realm – and whether it would risk the ire of the Pentagon to take down a film company.

And while there's plenty of disagreement, the Sony attack has reaffirmed warnings that have been coming from the US intelligence community and security experts for years now: digital attacks are among the top threats to national security, and the US military will do what it takes to contain – or potentially dismantle – the capabilities growing within the wild-card nation that is North Korea.

It's a warning that lawmakers are pressing, too. Sen. Jack Reed (D) of Rhode Island on Wednesday called the Sony attack "a watershed event that should stimulate fresh critical thinking." He said the hack "demonstrates that a relatively small and weak rogue nation can reach across the oceans to cause extensive destruction of a US-based economic target, and very nearly succeed in suppressing freedom of expression, through cyberspace."

Senator Reed, the top Democrat on the Senate Armed Services Committee, warned that "the real and manifest advantages of the offense over the defense in cyberwarfare that enable militarily inferior nations to strike successfully against the homeland is a new and worrisome factor for national security."


Indeed, when US and Chinese officials met Thursday to talk about defense policy issues, cyberattacks were expected to be at the top of the agenda. It is China, after all, that has the biggest chance of exerting any influence on North Korea's nefarious hacking activities, if it chooses to do so. Some analysts speculated, for example, that when North Korea lost its Internet connection in the wake of the Sony hack, it was not the US but rather China that had sent North Korea the warning.

Such warnings are necessary, officials say, as North Korean cyber capabilities become increasingly sophisticated. "They have moved from basic denial of service attacks to the ability to hack a little bit to this kind of disruptive action against Sony," says James Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies in Washington. "It's been in the last four or five years that they have figured it out."

Typically, the Pentagon isn’t in the business of downplaying threats, and is particularly concerned with what the country might be able to pull off against military targets. Gen. Curtis Scaparrotti, the commander of US Forces Korea, told Congress last year that North Korea is “aggressively investing in cyber warfare capabilities” – and developing the ability to “paralyze the US Pacific Command and cause extensive damage to defense networks inside the United States.”

Much of the intelligence that both US and South Korean officials have been able to cite is based on reports from defectors who claimed that they were close to North Korean cyber-operations as scientists who either worked with them or who trained some soldiers assigned to the technical units.

North Korea's code warriors

In this way, some rather detailed organizational charts have emerged pointing to a number of known units. The two chief units are 121 and 91, both of which belong to the Reconnaissance Bureau of the General Staff Department (more commonly known as the Reconnaissance Bureau, or RGB) and are headquartered in Pyongyang. The RGB is responsible for North Korea's clandestine operations, including cyber and overseas intelligence.

Intelligence also points to a Lab 110, responsible for technology reconnaissance and targeting South Korea’s telecommunications infrastructure, as well as planting viruses on enemy networks, warns a Hewlett-Packard (HP) security briefing on the North Korean cyber threat published last year.

Unit 35 is reportedly responsible for training cyber specialists and also serves as the internal investigation service for North Korea's cyber division, so its function is primarily data collection, says Egle Murauskaite, a research and training specialist at the US National Consortium for the Study of Terrorism and Responses to Terrorism.

Unit 35 is also thought to maintain some offensive capabilities. As a result, she adds, Unit 35 includes specialists with hacking capabilities in order to penetrate systems – particularly South Korean systems – including navigating firewalls and cracking passwords to obtain files.

North Korea's premier hacking unit is Unit 121, which forms the bulk of the cyberforce and is the source of its most advanced capabilities. The US believes it is the group behind a series of high-profile attacks that crippled South Korean banks in 2009.

Reportedly headquartered at the Chilbosan Hotel in Shenyang – a Chinese military district that borders North Korea – Unit 121 is tasked with taking out the command, control, and communications systems of the South Korean military in the event of an armed conflict.

This in turn suggests the potential for some bleak scenarios for the US military.

“A prime example could be if we’re imagining that North Korea was under attack from South Korea, which was being supported by the US Army,” says Ms. Murauskaite. “North Korea could attack satellites to disrupt communication between the US and allies and impede the US ability to reach targets,” she adds. “A lot of precision guided missiles involve electronics – so being able to disrupt the signals as they are passing using cyber would be very damaging.”

As dire as this sounds, however, there remains plenty of disagreement among the world’s foremost computer security experts about just how skilled North Korea is in the cyber realm.

Sin recalls the difficulty of even estimating how many cyber warriors the North Korean Army had at its disposal after it launched its cyber operations in earnest in 2009 – wide variations in estimates that persist today. Cyberforces include “everyone from software engineers working to develop new attack methods to analysts who survey the operating environment,” says Sin. They also include teams of people who actually conduct the attacks.

The best manpower guesses at the time, particularly those coming from South Korean intelligence agencies, ranged from 500 to 1,000. But Sin believed back then that “100 sounded about right.”

He adds, “The problem with the South Korean reports is that they do tend to inflate their numbers and the threat because it serves their purposes to do that war-hawkish thing.” These purposes include a vested interest in pressing the urgency of the threat, in an ongoing bid for US assistance and a more forceful response to North Korea.

“I’m not so sure the South Koreans don’t do this sometimes to get the United States excited about protecting them again,” says retired Col. Joe Adams, a former West Point professor who coached the military academy’s cyber team and is now executive director of research and cybersecurity for Merit Network Inc.

Technical skills still limited

Today, North Korea’s cyber-ranks have grown, but just how much remains unclear. Estimates currently range from 3,000 to 6,000.

That hardly puts them in league with the US, UK, Russia, China, and Israel. Still, North Korea “might be in the top 10,” says Lewis of the Center for Strategic and International Studies. “But they can’t do something like Stuxnet,” the sophisticated computer virus designed to set back Iran’s quest for nuclear weapons. “They’re not going to be able to do the most damaging kind of cyberattack.”

In addition to their own cadre of trained cyber soldiers, North Korea also has a “huge” network of state-sponsored black market operations in places such as Singapore, Malta, and Japan that are associated with criminal gangs, Lewis adds.

“This gives North Korea another pipeline into the tech world – they have an ability to use Japan, China, and this black market,” he says. “I’ve asked some Japanese intelligence officials, ‘Why do you guys allow this?,’ and they just look chagrined and frustrated.”

North Korea is faced with tremendous limitations. All of its Internet connections go through servers in China, for example. But it soon may find other ways to connect to the outside world. North Korean leader Kim Jong-Un is expected to meet with Russian President Vladimir Putin later this year in a bid to, among other things, begin running networks through Russia, too.

Indeed, North Korea will continue to improve its computing and technical capabilities by nearly any means necessary, say analysts. “The thing I’m wondering,” Lewis says, is how much North Korea will learn from forays such as the Sony hack. “I think it’s going to make them take a step back and think, ‘How far can we go, what are the limits? And how much can we do without putting ourselves at risk?’ ”

In the meantime, he adds, “They’ll continue to develop these capabilities – I know they won’t stop.”