

Here's What We Know About North Korea's Cyberwar Army

How can a country with almost no connection to the Internet be considered a cyberwar power?


It is still not definitively known whether the hacking attack that brought the computer network belonging to Sony Pictures to its knees was carried out on behalf of North Korea.

U.S. government agencies, however, are considering the possibility. Today, NBC News, citing classified briefings, reported that North Korea is now considered a possible suspect by U.S. law enforcement and intelligence agencies. Separately, Reuters reported that the FBI issued a confidential five-page “flash briefing” to U.S. businesses warning of malware attacks that can destroy data on computer hard drives.

Re/code reported Friday that Sony was investigating a possible link.

North Korea has publicly called for Sony not to release a forthcoming comedy film called “The Interview,” the plot of which involves an attempt to assassinate the country’s leader, and has even called the film “an act of war” in its propaganda.

And while we don’t typically think of North Korea as a serious threat on the cyber warfare front, it has in fact stepped up its game in recent years. Numerous security and intelligence researchers have stitched together a picture of how North Korea’s military hackers operate.

Over the summer, the computer security unit at computing giant Hewlett-Packard did a deep dive on the evolution of North Korea’s personnel and capabilities, and summarized it in a detailed 75-page report, while another report was prepared in 2009 by a U.S. Army intelligence analyst.

Here are a few highlights:

North Korean hackers have penetrated U.S. military systems more often than attackers from any other country, including Russia and China. The North Korean army’s Unit 121 is its primary force for attacking the computer assets of its enemies. In 2004, a North Korean defector revealed that the unit operates primarily out of a North Korea-owned luxury hotel in Shenyang, China, located about three hours from the North Korean border.

In 2004, Unit 121 was said to have gained access to 33 of the 80 wireless communications networks used by the South Korean military. The attack coincided with the timing of a military exercise held with U.S. military forces.

North Korea has practically no meaningful Internet infrastructure inside its territory, and oddly enough that’s an advantage. As HP put it in its report in August: “Cyber warfare provides [North Korea] a strategic advantage since outbound attacks are possible, but inbound attacks would have limited reach.” It is also considered a cost-effective way to offset North Korea’s lack of traditional military prowess on land, on the sea and in the air.

North Korea sees online games as a theater of cyber warfare operations. In 2011, South Korean police arrested five people and accused them of collaborating with operators in North Korea. They were alleged to have used “auto-players” in the online game Lineage to level up in the game and then use its in-game marketplace to obtain real money. In 2013, the South Korean government said hackers from North Korea released malware that infected 100,000 computers which were then hijacked and used to launch a distributed denial of service attack on computers at the Inchon Airport. It had little effect, but the attack was considered a “clever tactic” for using an online game as what military planners call a “force multiplier.”

North Korea also has the ability to jam signals from GPS satellites and to inject false coordinates into GPS signals. It demonstrated this capability during joint U.S.-South Korean military exercises in 2011.

North Korean hackers get some of their training in China and in Russia. In 2012, North Korea also signed an agreement with Iran to cooperate in combating “common enemies in cyberspace.” One motivating factor for their alliance was the appearance of Stuxnet, a cyber weapon created by the U.S. and Israel and used to attack Iran’s nuclear research facilities.

North Korea likes to launch its cyber attacks on important dates. On the Fourth of July in 2009, North Korea launched an attack, which included a denial-of-service operation against media and government websites in South Korea and the U.S. The attack included malware that wipes data from the hard drives of targeted machines. A similar attack was carried out by what researchers at Symantec have branded the “DarkSeoul gang,” thought to be working for North Korea, which attacked South Korean banks and TV networks in 2011 and 2013. The attacks in 2013 froze ATM networks in South Korea and prevented people from taking money out of their accounts. They also coincided with North Korea’s cutting of the official communications link between it and South Korea. Further cyber attacks since then have often coincided with the anniversary of the start of the Korean War and other notable dates.

This article originally appeared on
