North Korea's Cyber Soldiers Are Concealed Abroad

The growing number of North Korean defectors is revealing more details of how North Korea is trying to adapt to the increasing list of economic sanctions and to the opportunities for Internet-based misbehavior.

Some of these defectors were associated with the North Korean hackers who are, it turns out, mostly based outside North Korea, because Internet access is better there and operating outside North Korea makes it easier to deny that North Korean hackers are engaged in illegal activity.

South Korea has obtained a lot of details about the North Korean hacker operations and recently allowed some defectors familiar with those operations to speak openly about it.

The North Korean hacker force consists of about 6,800 personnel, but only a quarter of these have the software programming or engineering skills that enable them to develop and carry out the hacks. The rest are support staff, including many security personnel who monitor hacker activities to ensure loyalty and productivity.

Over the last few years more and more of the hackers have been assigned to money raising operations rather than intelligence collection (spying). 

North Korea needs cash more than secrets and, as a result, each of these hackers has been bringing in about $100,000 a year in much needed income for North Korea. Alas, the hackers, like most North Koreans working abroad, see little of that money.

Most of the foreign operations are in China where the hackers and their support staff live in Spartan conditions and are closely watched. These hackers are aware of how much more valuable their skills would be in South Korea (where some currently are, working for South Korean software firms). 

Unfortunately, you risk your life (and those of your family) if you try to escape. But some have and some still do.

Basing so many of the North Korean hackers in China is partly because there is apparently an arrangement with the Chinese that allows the North Koreans to keep operating in return for favors. In addition to the North Koreans not hacking Chinese networks, or any foreign ones the Chinese consider off-limits, the Chinese receive cash and, more importantly, access to data the hackers obtain. Some hacks attributed to “Chinese hackers” are apparently carried out by North Korean hackers in order to pay for continued presence in China (and for the cooperation of Chinese security forces in preventing North Korean hackers from defecting).

Meanwhile the economic hacks are getting more and more ambitious. For example, a January 2018 hack of a Japanese cryptocurrency exchange got away with half a billion dollars’ worth of cryptocurrency. 

The North Koreans are the chief suspects because North Korea prefers to use cryptocurrency to finance its illegal activities, like smuggling. The cryptocurrency had North Korean “fingerprints” all over it, but that could be faked.

American, Japanese and South Korean banking and Internet security investigators are trying to hunt down and halt or at least damage North Korean cryptocurrency operations. 

Meanwhile South Korea has been the victim of many North Korean hacks and takes an intense interest in what North Korean hackers are up to. And for good reason. For example, in late 2016 South Korean officials revealed that there had indeed been another major North Korean penetration of government Internet networks in August. The government also admitted that the cause was the failure of network security officials to adhere to the new security measures that had proved capable of making the networks safer from hackers.

In other words, it wasn’t a technical failure but a human one. This was quite embarrassing because two months before the August attack South Korean officials had revealed that they had discovered and stopped another major Internet-based attack on South Korea by North Korean hackers.

The proof, as in the past, was more of the text in the hacker software that could be traced back to North Koreans. This hack was extensive and had been going on, largely undetected, since 2014. The campaign was largely against defense industry and government networks, and over 40,000 documents have been identified as probably copied and sent to North Korea. Back in 2014 there were indications something like this was coming.

In late 2014 South Korean intelligence reported that between May and September North Korea had managed to distribute games containing spy software to over 20,000 South Korean smartphone users. The North Korean “spyware” was seeking information from banks as well as documents relating to reunification plans and defense matters. The spyware allowed the North Koreans to transfer data from the infected smartphone and secretly turn on the camera.

The government reported that this effort has since been blocked. North Korea denied any involvement in this, as it usually does. But since 2009 the evidence has been piling up of increasing North Korean Internet-based espionage.

In late 2013 South Korea came up with a number (over $800 million) for the cost of dealing with North Korean cyber-attacks since 2007. The list was quite detailed. The attacks in March and June of 2013 accounted for 93 percent of the total damages.

South Korea has been subjected to a growing number of Cyber War attacks since 2009, and the high cost of the 2013 ones showed that the North Koreans were getting better and that South Korea was not keeping up. The 2014 operation against smartphones was the first North Korean effort against smartphones and indicated there would be more, and there were.

Long believed to be nonexistent, the North Korean cyber warriors were by 2013 clearly real, and not the creation of South Korean intelligence agencies trying to obtain more money to upgrade government Information War defenses.

North Korea has had personnel working on Internet issues since the 1990s, and its Mirim College program trained most of the North Korean Internet engineers and hackers. North Korea has a unit devoted to Internet-based warfare, and this unit became increasingly active as the number of Mirim graduates grew.

Since the late 1980s, Mirim College was known as a facility that specialized in training electronic warfare specialists. But by the late 1990s the school was found to be also teaching some students how to hack the Internet and other types of networks.

Originally named after the district of Pyongyang it was in, the college eventually moved and expanded. It had several name changes, but its official name was always “Military Camp 144 of the Korean People's Army.” Students wore military uniforms and security on the school grounds was strict.

Each year 120 students were accepted (from the elite high schools or as transfers from the best universities). Students stayed for 5 years. The school contained 5 departments: electronic engineering, command automation (hacking), programming, technical reconnaissance (electronic warfare), and computer science. There is also a graduate school with a 3 year course (resulting in the equivalent of a Master’s Degree) for a hundred or so students.

The Mirim program has been modified since 2015 and is believed to be producing more graduates each year and in a growing number of specialties.

It was long thought that those Mirim College grads were hard at work maintaining the government intranet, not plotting Cyber War against the south. Moreover, for a few years North Korea was allowed to sell programming services to South Korean firms. Not a lot, but the work was competent and cheap.

So it was known that there was some software engineering capability north of the DMZ. It was believed that this was being used to raise money for the government up there, not to form a major Internet crime operation. But by 2016 there was tangible and growing evidence of North Korean hackers at work in several areas of illegal activity. The Cyber War attacks apparently began around 2005, quietly and with nothing too ambitious. But year by year the attacks increased in frequency, intensity, and boldness. By 2009 the North Korean hackers were apparently ready to make major assaults on South Korea's extensive Internet infrastructure, as well as on systems (utilities, especially) that are kept off the Internet.

Deceased North Korean leader Kim Jong Il had always been a big fan of PCs and electronic gadgets in general. He not only founded Mirim but backed it consistently. The only form of displeasure from Kim was suspicions that those who graduated from 1986 through the early 1990s had been tainted by visits (until 1991) by Russian electronic warfare experts. 

Some Mirim students also went to Russia to study for a semester or two. All these students were suspected of having become spies for the Russians, and most, if not all, were purged from the Internet hacking program. Thus it wasn't until the end of the 1990s that there was a sufficient number of trusted Internet experts who could be used to begin building a Cyber War organisation.

South Korea has to be wary because it has become more dependent on the web than any other nation on the planet, with the exception of the United States. As in the past, if the north is to start any new kind of mischief, it tries it out on South Korea first.

While many of the first serious attacks in 2009 were more annoying than anything else, they revealed a new threat out there, one that not only got worse but turned out to be from the usual suspects. Now the threat is very real and growing rapidly.

Strategy Page
