Described by Kim Jong-un as a "dagger ready to strike without stopping" at the enemies of the nation [1], the cyber force today represents one of the main military instruments in Pyongyang's asymmetric arsenal [2].
Over the years, North Korean hackers have shown great skill and inventiveness, carrying out some of the most sophisticated cyber operations in history. Their skills range from espionage to cyber warfare, but also extend to the theft of money from bank accounts around the world, laundered to finance the nuclear arsenal that has made the small Asian nation infamous in the eyes of the planet.
Pyongyang's activities in cyberspace undoubtedly constitute a danger to global security, a threat that does not even spare its allies, which fall victim to the same malware produced by North Korean cyber units and found on devices across all five continents.
Although the veil of secrecy surrounding North Korea's cyber activities is thick and sometimes impenetrable, those activities have attracted particular attention from security agencies around the world, which have carefully studied their capabilities and organization. In most cases, the cyber operations of North Korean hackers are attributable to one of the country's main intelligence organs, the Reconnaissance General Bureau (UGR) [3]. It is a relatively young organization, formed in 2009 from the merger of several offices responsible for unconventional warfare. The result was a structure specialized in the management of unconventional and clandestine activities, directed largely against Seoul and its regional and international allies.
The establishment of the UGR is part of a broader reorganization process that has allowed the development of offensive and intelligence capabilities significant enough to transform North Korea from a small Asian country into a threat to the international security of the Western world. These circumstances make the UGR a valuable, if not vital, tool in the eyes of the North Korean leadership.
The importance of the UGR is further confirmed by its particular position within the state structures. The bureau formally belongs to the North Korean armed forces, but is placed under the control of the State Affairs Commission, the most important body in the government structure on matters of national security and defense. This arrangement corroborates the hypothesis of a UGR acting as an "instrument" in the service of senior North Korean officials and of the supreme leader, who chairs the commission [4].
As mentioned above, the UGR is in charge of unconventional and clandestine activities, which also include cyber operations. In this field, Pyongyang is positioning itself as a major global player, equipped with a cyber force that, according to South Korean and American sources, numbers around six to seven thousand personnel. These are individuals specialized in offensive and intelligence activities in cyberspace, who over time have demonstrated their capabilities in major operations of global resonance. Some of them operate abroad under false identities and exploit the globalization of the technology sector to their advantage, obtaining regular employment contracts at strategic Western companies. Once hired, they use their position to provide North Korean cyber forces with access, to the detriment of the company and potentially of the national security of the country in which they operate [5].
The main organ of North Korea's cyber forces is Bureau 121 (Cyber Warfare Directorate). It covers a wide range of activities, from information gathering to computer sabotage, through specific units and offices. Within this organization sit some of the most important threat actors, each specialized in a particular discipline: Andariel [6], with years of experience in destructive and financial operations, mainly directed against South Korea; APT37 [7], a group with expertise in cyber espionage, active mainly in the Middle and Far East; APT38 [8], a major player in financial cyber crime, responsible for the theft of 81 million dollars from Bangladesh Bank, the country's central bank; and Kimsuky [9], a sister group of APT37 active in cyber espionage in Asia, Europe and the Americas.
These groups operate at the highest level and are the subject of ongoing study and investigation by major cybersecurity firms and big tech companies, as well as by intelligence services from all over the world. The impermeability of North Korean society, moreover, has made it extremely difficult to study Pyongyang's cyber forces over time, which is why some intelligence agencies and the (Western) research community group these entities under the umbrella name Lazarus Group or HIDDEN COBRA [10]. In practice, an attribution to "Lazarus" in a vendor report may therefore refer to any of the sub-groups above, and clustering criteria differ from one vendor to another.
The UGR, however, is not the only entity in the North Korean armed forces equipped with cyber capabilities. The North Korean military has units specialized in various cyber disciplines, ranging from the management of military information infrastructure to psychological warfare: specialized offices and units that perform the functions NATO groups under the acronym C4ISTAR (command, control, communications, computers, intelligence, surveillance, target acquisition and reconnaissance).
A special role is played by the Military Automation General Bureau (UGAM), which is responsible for managing the information technology infrastructure of all North Korean armed forces and of the Ministries of People's Armed Forces, State Security and Social Security [11]. The UGAM is thus a fundamental element of North Korea's intelligence system, both for overseas espionage (UGR) and for counter-espionage (Ministry of State Security), providing the IT capabilities and resources needed to conduct such activities.
Electronic warfare and cognitive warfare [12] are the other two fundamental components of North Korea's cyber forces [13]. The first involves the Electronic Warfare Office and the Communications Office, which also conducts signals intelligence (SIGINT). The second is the responsibility of the Office for Sabotage and Defeat of the Enemy, which deals with psychological and information warfare; in cyberspace, this activity is carried out by Unit 204, which specializes in cyber information warfare.
The pervasiveness of the cyber domain gives those who possess the right capabilities the ability to strike anywhere and at any time, and the small but determined nation that is North Korea has understood this very well: a nation that for fifteen years now has sought to increase its weight on the international stage, without renouncing the use of unconventional tools.
Time will tell whether Kim Jong-un's gamble will pay off, and whether nuclear and cyber capabilities will really bring Pyongyang benefits and progress in the long run. But for the most cynical, who have no intention of riding the supreme leader's wave, perhaps one further question remains: what fate awaits these North Korean minds when their letter of marque expires and Pyongyang's national interest is no longer their profession?
[1] Cyber War: North Korea's Cyber Operations and Strategies. Global Defense Insight. (https://defensetalks.com/cyber-war-north-koreas-cyber-operations-and-strategies/)
[2] North Korea Cyber Attacks: A New Asymmetrical Military Strategy. The Henry M. Jackson School of International Studies, University of Washington. (https://jsis.washington.edu/news/north-korea-cyber-attacks-new-asymmetrical-military-strategy/)
[3] North Korea's Cyber Operations. Center for Strategic & International Studies. (https://www.csis.org/analysis/north-koreas-cyber-operations)
[4] State Affairs Commission. GlobalSecurity.org. (https://www.globalsecurity.org/military/world/dprk/ndc.htm)
[5] Staying a Step Ahead: Mitigating the DPRK IT Worker Threat. Mandiant. (https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it-worker-threat)
[6] Andariel. MITRE ATT&CK. (https://attack.mitre.org/groups/G0138/)
[7] APT37. MITRE ATT&CK. (https://attack.mitre.org/groups/G0067/)
[8] APT38. MITRE ATT&CK. (https://attack.mitre.org/groups/G0082/)
[9] Kimsuky. MITRE ATT&CK. (https://attack.mitre.org/groups/G0094/)
[10] North Korean Cyber Activity. US Department of Health & Human Services. (https://www.hhs.gov/sites/default/files/dprk-cyber-espionage.pdf)
[11] DPRK's Reorganized Military Automation General Bureau to Manage Integrated Computerized Command Network for Entire Armed Forces. NK Insider. (https://www.nkinsider.org/dprks-reorganized-military-automation-general-bureau-to-manage-integrated-computerized-command-network-for-entire-armed-forces/)
[12] From information warfare to cognitive warfare. Difesa Online. (https://www.difesaonline.it/evidenza/cyber/da-information-warfare-cognitive-warfare)
[13] The All-Purpose Sword: North Korea's Cyber Operations and Strategies. Kyoung Gon, Ji Young, Jong In. CCDCOE, CyCon 2019. (https://ccdcoe.org/uploads/2019/06/Art_08_The-All-Purpose-Sword.pdf)