ArrowArtboardCreated with Sketch.Title ChevronTitle ChevronEye IconIcon FacebookIcon LinkedinIcon Mail ContactPath LayerIcon MailPositive ArrowIcon PrintTitle ChevronIcon Twitter
North Korean leader Kim Jong Un has dispersed an army of hackers across the globe, ordering them to dig up cash for his nuclear and ballistic missile programs.   © Reuters
International relations

North Korea's cybertroops span the globe in quest for cash

Kim Jong Un's hackers work from 10 to 7 and take an hour off for lunch

JIRO YOSHINO, Nikkei staff writer | North Korea

TOKYO -- How good are Kim Jong Un's hackers?

While the world prepares for an unprecedented meeting between U.S. President Donald Trump and the North Korean leader, and while analysts discuss the chances of denuclearization, there is much more to North Korea's clandestine activities.

Nikkei talked to Kim Heung-kwang, a defector from North Korea who heads North Korea Intellectuals Solidarity, a Seoul-based nonprofit group. 

The interview took place in Kim's Seoul office in early February. Standing in the room was a fierce-looking bodyguard, "a detective from the South Korean policy agency," Kim said. Kim knows "too much" about North Korea's cyberforces to consider himself safe from Pyongyang assassins. Therefore, a South Korean police officer stays with him at all times.

Before leaving North Korea in the early 2000s, Kim was a computer science teacher at a North Korean university. Many of his students went on to join the Reconnaissance General Bureau, a military intelligence body. Kim still has connections in his home country.

North Korean defector Kim Heung-kwang heads a Seoul-based nonprofit organization.

Kim is widely known among information security specialists in various countries. His information is valued, and he has been quoted in reports about the capabilities of North Korean hackers.

"The reconnaissance bureau directly reports to Kim Jong Un and is divided into six sections," Kim Heung-kwang said, drawing a pyramid. The North Korean leader stands atop the hierarchy, with a number of hacking groups under one of the six sections.

Once techniques are mastered, hackers are positioned in North Korea or sent to China, Southeast Asia or various other overseas locations. Ones that live abroad have assumed identities, perhaps as construction workers, trading company employees or students.

Unit 121 is the largest of the forces, and its mission is to wreak havoc on infrastructure -- such as communications, transport and electricity -- in unfriendly nations. Unit 121 also steals information from key figures in other countries. The global information security industry is aware of Unit 121's presence. But Kim also mentioned an unfamiliar name -- Unit 180.

"Unit 180's primary job is to gain foreign currency to fund projects to develop 'five major weapons' -- including nuclear bombs, long-range missiles and submarine-launched ballistic missiles," Kim said. Unit 180 is believed to have been established by Kim Jong Un in 2013, luring about 500 members from Unit 121.

After Kim Jong Un succeeded his father in 2011, North Korea accelerated the pace of its nuclear and missile testing. The faster North Korea's program moved forward, the tighter international economic sanctions squeezed the state. Foreign funds to the country dwindled, so Kim Jong Un had a special unit set up that would obtain foreign currency.

North Korean leader Kim Jong Un shakes hands with an envoy from South Korea on March 5. (Korean Central News Agency/Korea News Service)

FireEye, a U.S. information security consultant, has identified a suspected North Korean cyber espionage group that it calls "Reaper." According to FireEye, from 2014 to 2017, Reaper had primarily gone after targets in South Korea, including the government, military, defense industry and media.

But in 2017, it expanded the scope of its activities, planting malware and stealing information from targets in Japan, Vietnam and the Middle East.

"Reaper is now in Japan," Ben Read, a senior manager in charge of cyberespionage at FireEye, told Nikkei.

Last year, FireEye found a document Reaper stole from an entity in Japan related to United Nations sanctions. "The document was written in Japanese," Read said.

Reaper had stored the stolen document on a third party web server, which made tracing it difficult. It took FireEye close to a year to determine that the group was associated with North Korea.

Close monitoring showed the compilation times of Reaper's malware, and these revealed a developer operating in the North Korea time zone, usually 10 a.m. to 7 p.m. with a dip around noon.

Furthermore, an individual believed to be the developer behind several pieces of Reaper malware "inadvertently disclosed personal data, showing that the actor was operating from an IP address and access point associated with North Korea," FireEye said in a report published in February.

Reaper's activities account for only a small portion of all North Korea-sponsored cyberattacks. According to intelligence agencies and information security consultancies from a number of countries, North Korea's hackers have stolen funds from financial institutions and cryptocurrency exchanges around the world. The loot has played a key role in funding Pyongyang's nuclear and missile programs.

The Bangladesh central bank building in Dhaka   © Reuters

The hackers' activities have been getting more extravagant by the year.

In February 2016, hackers stole $81 million from the money transfer system of the central bank of Bangladesh. Financial institutions in the Philippines, Vietnam, Ecuador and Taiwan have also been targeted in cyberattacks.

In May 2017, a ransomware virus swept 150 countries. In South Korea, many cryptocurrency exchange operators have been hacked; some have lost their digital coins. South Korean intelligence even suspects that North Korean hackers were behind the big heist from Japan's Coincheck in January.

Considering the virus type and methodology, information security experts believe these hacks have been carried out by Lazarus, a hacker group associated with North Korea.

Choi Sang-myung, a director of Hauri, a South Korean information security consultancy, said the virus's program contains Hangul, including expressions unique to North Korea.

Park Seong-su, a researcher at Kaspersky Lab's South Korean unit, said Lazarus hackers are divided into at least two groups; one is assigned to target only South Korea while the other randomly targets other countries.

Many security experts are tracking Lazarus. Kim Heung-kwang says Lazarus is part of Unit 180. A former cyber information warfare expert at a British intelligence organization, meanwhile, said Unit 180 itself is none other than Lazarus.

In any case, the two experts agree that Lazarus' mission is to obtain foreign currency. Many of the cyberattacks that have taken place around the world in recent years were carried out to fund North Korea's weapons development programs.

Kim talked more about Unit 180: In addition to carrying out cyberattacks, he said, the group develops software for companies whose earnings fund North Korea's weapons development programs. This kind of contract work was initially the unit's primary job, he said.

Unit 180's main markets are Japan and China because of geographic proximity and cultural similarities, Kim said. Orders are processed by pro-North Korean groups based in these countries. These brokers operate incognito, pretending to have no ties to North Korea. Their rock-bottom prices have won them many orders.

Unit 180 develops software for home appliances and industrial machines. Once an order comes in, its members in North Korea and China get to work to meet the deadline.

According to Kim Heung-kwang, the programs written by Unit 180 for Japanese customers are "highly likely" to be embedded with "backdoors" -- malicious codes that allow for the devices in which they are used to be controlled remotely.

The unit even takes orders via a software development brokering website based in Japan.

This would seem to indicate that Unit 180 has been earning large sums in Japan to fund North Korea's weapons development programs right under the nose of a Japanese government that has been trying to cut off this flow of funds.

Fumiaki Yamasaki, an information security expert, agrees with Kim. "The software companies Unit 180 has set up in countries like Vietnam and Malaysia are disguised as ordinary companies," he said. "And they have provided factory control systems and other products for Japanese businesses."

And, Yamasaki added, Unit 180 seems to have started taking orders directly from Japanese companies.

The operator of the matching website Kim mentioned is based in central Tokyo. It has not answered a request for an interview.

Sponsored Content

About Sponsored Content This content was commissioned by Nikkei's Global Business Bureau.

You have {{numberArticlesLeft}} free article{{numberArticlesLeft-plural}} left this monthThis is your last free article this month

Stay ahead with our exclusives on Asia;
the most dynamic market in the world.

Stay ahead with our exclusives on Asia

Get trusted insights from experts within Asia itself.

Get trusted insights from experts
within Asia itself.

Try 1 month for $0.99

You have {{numberArticlesLeft}} free article{{numberArticlesLeft-plural}} left this month

This is your last free article this month

Stay ahead with our exclusives on Asia; the most
dynamic market in the world

Get trusted insights from experts
within Asia itself.

Try 3 months for $9

Offer ends January 31st

Your trial period has expired

You need a subscription to...

  • Read all stories with unlimited access
  • Use our mobile and tablet apps
See all offers and subscribe

Your full access to Nikkei Asia has expired

You need a subscription to:

  • Read all stories with unlimited access
  • Use our mobile and tablet apps
See all offers
NAR on print phone, device, and tablet media

Nikkei Asian Review, now known as Nikkei Asia, will be the voice of the Asian Century.

Celebrate our next chapter
Free access for everyone - Sep. 30

Find out more