What we know about North Korea's cyberarmy

Snippets of information about the secretive regime's cyberops have leaked out over the years

The attack on Sony Pictures has put North Korea's cyberwarfare program in the spotlight. Like most of the internal workings of the country, not much is known but snippets of information have come out over the years, often through defectors and intelligence leaks.

Here's a summary of what we know:

The Cyberunits

North Korea's governing structure is split between the Workers' Party of Korea (WPK) and the National Defense Commission (NDC).

North Korea's main cyberoperations run under the Reconnaissance General Bureau (RGB), which itself falls under the Ministry of People's Armed Forces that is in turn part of the NDC. The RGB has been operational for years in traditional espionage and clandestine operations and formed two cyberdivisions several years ago called Unit 121 and Office 91.

Office 91 is thought to be the headquarters of North Korea's hacking operation although the bulk of the hackers and hacking and infiltration into networks is done from Unit 121, which operates out of North Korea and has satellite offices overseas, particularly in Chinese cities that are near the North Korean border. One such outpost is reportedly the Chilbosan Hotel in Shenyang, a major city about 150 miles from the border. A third operation, called Lab 110, participates in much the same work.

There are also several cyberunits under North Korea's other arm of government, the Workers' Party of Korea.

Unit 35 is responsible for training cyberagents and is understood to handle domestic cyberinvestigations and operations. Unit 204 takes part in online espionage and psychological warfare and Office 225 trains agents for missions in South Korea that can sometimes have a cyber component.


The North Korean school system emphasis the importance of mathematics to students from a young age. The most gifted are given access to computers where they can begin practicing programming skills and, if they are good enough, go on to one of a handful of schools that have specialist computer departments. These are typically Kim Il Sung University, the country's most prestigious seat of learning, Kim Chaek University of Technology or Mirim College. Much less is known about the latter, although it's believed to be a specialist cyberwarfare school.

The students learn general programming techniques and will also specialize in disciplines such as cyberwarfare. After graduating, they will sometimes be sent to study overseas. That's when, with an open Internet connection and the anonymity of a foreign network, they can start participating in hacker forums, developing malicious software and testing out their skills.

Over the past few years, it's estimated the schools have turned out several thousand students (estimates range from around 2,000 to around 6,000), who now make up North Korea's cyberforces.

International Network

North Korea has a single connection to the Internet, so attacks from inside the country would be quite easy to trace. As a result, the country uses computers around the globe to launch attacks. Often these are compromised PCs and the owners have no idea they've been infected with North Korean malware. Some of the initial attacks to help build this network of infected computers are thought to be launched from North Korean outpost offices in places like China, Russia and India.

Operations and attacks

While pinning down the true perpetrator of cyberattacks is incredibly difficult, a number of attacks in recent years have been blamed on North Korea. Some, like the Sony hack, have been high-profile but many others have gotten much less attention and appear more aimed at earning money than causing disruption.

July 2009 - Attackers target government websites in the U.S. and South Korea in large-scale distributed denial of service (DDOS) attacks that were later blamed on North Korea.

March 2011 - In an attack dubbed "10 Days of Rain," major South Korean government websites and sites operated by the U.S. military in South Korea are targeted in DDOS attacks.

April 2011 - South Korea's Nonghyup bank is targeted in a DDOS attack that was later traced to North Korea and linked with previous attacks.

August 2011 - South Korean police accuse a North Korean hacking ring of stealing around $6 million in prize money from online games.

November 2011 - A hacker attempts to hack the email system of Korea University's Graduate School of Information Security in an action later blamed on North Korea.

June 2012 - Conservative South Korean newspaper Joong Ang Ilbo is hit by a cyberattack that succeeded in destroying databases. A week earlier, North Korea had threatened the newspaper over its coverage of the country.

March 2013 - A major cyberattack, later blamed on North Korea, paralyzes the networks of several major South Korean TV broadcasters. A bank ATM network is also hit in the attack, which attempted to wipe the hard drives of computers. A second attack pushes the DNS servers of government websites offline for several hours. At around the same time, North Korea's connection with the global Internet goes down for 36 hours.

March 2013 - Responding to the attacks, the hacking group Anonymous targets North Korean websites. It succeeds in breaking into a major North Korean news portal and publishes the names and account details of thousands of subscribers.

June 2013 - Hackers post names, social security numbers and other personal information of thousands of U.S. armed forces members stationed in South Korea online.

June 2013 - South Korean government DNS servers are targeted by a DDOS attack. Similarities are found in the code that links it to the March attacks.

December 2013 - South Korean police say North Korean agents are behind a spear-fishing attack on the computer of a prominent defector.

November 2014 - South Korea's spy agency said North Korean hackers had planted malware in around 20,000 smartphones.

Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service. Follow Martyn on Twitter at @martyn_williams. Martyn's e-mail address is martyn_williams@idg.com

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags securitydata breach

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Martyn Williams

IDG News Service
Show Comments


Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >


Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >


Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >


Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?