• United States



Senior Correspondent

What we know about North Korea’s cyberarmy

Dec 19, 20145 mins

The attack on Sony Pictures has put North Korea’s cyberwarfare program in the spotlight. Like most of the internal workings of the country, not much is known but snippets of information have come out over the years, often through defectors and intelligence leaks.

Here’s a summary of what we know:

The Cyberunits

North Korea’s governing structure is split between the Workers’ Party of Korea (WPK) and the National Defense Commission (NDC).

North Korea’s main cyberoperations run under the Reconnaissance General Bureau (RGB), which itself falls under the Ministry of People’s Armed Forces that is in turn part of the NDC. The RGB has been operational for years in traditional espionage and clandestine operations and formed two cyberdivisions several years ago called Unit 121 and Office 91.

Office 91 is thought to be the headquarters of North Korea’s hacking operation although the bulk of the hackers and hacking and infiltration into networks is done from Unit 121, which operates out of North Korea and has satellite offices overseas, particularly in Chinese cities that are near the North Korean border. One such outpost is reportedly the Chilbosan Hotel in Shenyang, a major city about 150 miles from the border. A third operation, called Lab 110, participates in much the same work.

There are also several cyberunits under North Korea’s other arm of government, the Workers’ Party of Korea.

Unit 35 is responsible for training cyberagents and is understood to handle domestic cyberinvestigations and operations. Unit 204 takes part in online espionage and psychological warfare and Office 225 trains agents for missions in South Korea that can sometimes have a cyber component.


The North Korean school system emphasis the importance of mathematics to students from a young age. The most gifted are given access to computers where they can begin practicing programming skills and, if they are good enough, go on to one of a handful of schools that have specialist computer departments. These are typically Kim Il Sung University, the country’s most prestigious seat of learning, Kim Chaek University of Technology or Mirim College. Much less is known about the latter, although it’s believed to be a specialist cyberwarfare school.

The students learn general programming techniques and will also specialize in disciplines such as cyberwarfare. After graduating, they will sometimes be sent to study overseas. That’s when, with an open Internet connection and the anonymity of a foreign network, they can start participating in hacker forums, developing malicious software and testing out their skills.

Over the past few years, it’s estimated the schools have turned out several thousand students (estimates range from around 2,000 to around 6,000), who now make up North Korea’s cyberforces.

International Network

North Korea has a single connection to the Internet, so attacks from inside the country would be quite easy to trace. As a result, the country uses computers around the globe to launch attacks. Often these are compromised PCs and the owners have no idea they’ve been infected with North Korean malware. Some of the initial attacks to help build this network of infected computers are thought to be launched from North Korean outpost offices in places like China, Russia and India.

Operations and attacks

While pinning down the true perpetrator of cyberattacks is incredibly difficult, a number of attacks in recent years have been blamed on North Korea. Some, like the Sony hack, have been high-profile but many others have gotten much less attention and appear more aimed at earning money than causing disruption.

July 2009 – Attackers target government websites in the U.S. and South Korea in large-scale distributed denial of service (DDOS) attacks that were later blamed on North Korea.

March 2011 – In an attack dubbed “10 Days of Rain,” major South Korean government websites and sites operated by the U.S. military in South Korea are targeted in DDOS attacks.

April 2011 – South Korea’s Nonghyup bank is targeted in a DDOS attack that was later traced to North Korea and linked with previous attacks.

August 2011 – South Korean police accuse a North Korean hacking ring of stealing around $6 million in prize money from online games.

November 2011 – A hacker attempts to hack the email system of Korea University’s Graduate School of Information Security in an action later blamed on North Korea.

June 2012 – Conservative South Korean newspaper Joong Ang Ilbo is hit by a cyberattack that succeeded in destroying databases. A week earlier, North Korea had threatened the newspaper over its coverage of the country.

March 2013 – A major cyberattack, later blamed on North Korea, paralyzes the networks of several major South Korean TV broadcasters. A bank ATM network is also hit in the attack, which attempted to wipe the hard drives of computers. A second attack pushes the DNS servers of government websites offline for several hours. At around the same time, North Korea’s connection with the global Internet goes down for 36 hours.

March 2013 – Responding to the attacks, the hacking group Anonymous targets North Korean websites. It succeeds in breaking into a major North Korean news portal and publishes the names and account details of thousands of subscribers.

June 2013 – Hackers post names, social security numbers and other personal information of thousands of U.S. armed forces members stationed in South Korea online.

June 2013 – South Korean government DNS servers are targeted by a DDOS attack. Similarities are found in the code that links it to the March attacks.

December 2013 – South Korean police say North Korean agents are behind a spear-fishing attack on the computer of a prominent defector.

November 2014 – South Korea’s spy agency said North Korean hackers had planted malware in around 20,000 smartphones.

Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service. Follow Martyn on Twitter at @martyn_williams. Martyn’s e-mail address is