US Army report says many North Korean hackers operate from abroad

US Army says many North Korean hackers are actually located outside the hermit kingdom, in countries like Belarus, China, India, Malaysia, and Russia.
Written by Catalin Cimpanu, Contributor
Image: zhushenje, ZDNet

North Korea has at least 6,000 hackers and electronic warfare specialists working in its ranks, and many of these are operating abroad in countries such as Belarus, China, India, Malaysia, and Russia, the US Army said in a report published last month.

Named "North Korean Tactics," the report is a tactical manual that the US Army uses to train troops and military leaders, and which the Army made public for the first time last month.

The 332-page report contains a treasure trove of information about the Korean People's Army (KPA), such as military tactics, weapons arsenal, leadership structure, troop types, logistics, and electronic warfare capabilities.

US Army: Bureau 121 has at least 6,000 members

While the vast majority of the report deals with classic military tactics and capabilities, the report also shines a light into North Korea's secretive hacking units.

"Most EW [electronic warfare] and cyberspace warfare operations take place within the Cyber Warfare Guidance Unit, more commonly known as Bureau 121," the US Army said.

This assessment is the same as previous reports from the intelligence and cyber-security communities, which have also linked all of North Korea's hackers back to Bureau 121, a division of the Reconnaissance General Bureau, a North Korean intelligence agency that is part of the National Defence Commission.

The US Army says Bureau 121 has grown exponentially in recent years, as North Korea has expanded its cyberspace activities.

Per the report, Bureau 121 grew from "at least 1,000 elite hackers in 2010" to more than 6,000 members today.

The number is consistent with similar figures published by the South Korean Defense Ministry, which said that North Korea was operating a cyberwarfare staff of 3,000 in 2013, a number that later doubled to 6,000 by 2015.

However, the US Army currently believes its 6,000 figure is not entirely accurate.

"This number is likely much higher now: as of 2009, North Korea's Mirim College was graduating approximately 100 cyberspace hackers per year for the KPA," the US Army said.

North Korean APT estimates

Nevertheless, Army officials say they have estimates for the internal divisions inside Bureau 121, numbers that do not appear to have been released before last month.

US Army officials say that Bureau 121 consists of four main sub-divisions, with three dedicated to cyber-warfare, and one to electronic warfare.

The first sub-division is what the cyber-security community calls the Andariel Group, an advanced persistent threat (APT), the term used to describe nation-state-sponsored hacking units.

US Army officials claim the Andariel Group has roughly 1,600 members "whose mission is to gather information by conducting reconnaissance on enemy computer systems and creating an initial assessment of the network's vulnerabilities."

"This group maps the enemy network for potential attack," US Army officials said.

The second Bureau 121 sub-division is what the cyber-security community tracks as the Bluenoroff Group. US Army officials say this APT has roughly 1,700 hackers "whose mission is to conduct financial cybercrime by concentrating on long-term assessment and exploiting enemy network vulnerabilities."

The third sub-division is what the cyber-security community calls the Lazarus Group, an umbrella term that the security industry now uses generously to describe any kind of generic North Korean hacking.

US Army officials said they don't have an exact number for the members of the Lazarus Group sub-division, but this group is usually the one to which North Korean officials turn "to create social chaos by weaponizing enemy network vulnerabilities and delivering a payload if directed to do so by the regime."

The fourth and last Bureau 121 sub-division is the Electronic Warfare Jamming Regiment, composed of three military battalions (between 2,000 and 3,000 troops) responsible for jamming electronic equipment. This last Bureau 121 sub-division is a classic military unit, which US Army officials believe operates out of military bases in Kaesong, Haeja, and Kumgang.

Many North Korean hackers operate from abroad

By contrast, Army officials say the three cyberwarfare sub-divisions are more loosely organized, with many of their members being allowed to travel and operate from abroad, in countries such as Belarus, China, India, Malaysia, and Russia.

While the US Army report does not go into details about why the Pyongyang regime lets military hackers travel abroad, previous reports and court documents have covered this, describing how the Pyongyang regime uses its hackers to set up shell companies that serve both as cover for setting up foreign-based server infrastructure and as intermediary entities in money laundering operations.

In September 2019, the US Treasury Department unmasked and sanctioned some of these companies, claiming they were associated with Bureau 121's hacking groups Andariel, Bluenoroff, and Lazarus.

At the time, US officials said the Pyongyang regime was using its three state-sponsored hacker groups to hack banks, cryptocurrency exchanges, and others, to steal funds that they'd later launder back into North Korea, where government officials would use the same funds for their weapons and missiles programs.

A United Nations report estimated that North Korean hackers stole around $571 million from at least five cryptocurrency exchanges in Asia between January 2017 and September 2018, and that total profits from their hacking activities could go well beyond $2 billion.

However, while the US Army report acknowledges that North Korean hackers have been involved in financial cybercrime, Army officials go even further and describe the entire North Korean government as a criminal network, with the Kim regime involved in a wide range of activities that also include drug trading, counterfeiting, and human trafficking, and not just various forms of cybercrime [1, 2, 3].
