02.02.2019 Author: Konstantin Asmolov

News about “North Korean Hackers” and IT Penetration in DPRK


The last time we discussed the subject of North Korean hackers was when the U.S. Department of the Treasury imposed sanctions against the hacker Park Jin Hyok from DPRK and the North Korean company Chosun Expo Joint Venture, which he had worked for as a programmer, because of links connecting them to cyberattacks carried out on orders from Pyongyang.

Afterwards we received requests to provide more detailed updates about this North Korean case of hacking. And although due to a lack of informative sources it is hard to see the big picture, here are a few facts.

On 25 August 2018, the U.S. Radio Free Asia announced that an international conference on blockchain technologies and cryptocurrencies would be held in Pyongyang on 1-2 October. According to yet another anonymous expert, the plans included not only a conference but also negotiations between North Korean business circles and experts in this field. Then this piece of news was used to illustrate the fact that DPRK intended to showcase its own high tech developments, which ensure high security levels during transactions, transparency during transfers and movements of funds, and anonymity with full access to stored information. However, the author has not come across any news items confirming that the conference had actually taken place during the previously mentioned period.

Instead, the August edition of a journal, published in English by ROK’s Korean Society for Internet Information, included a research paper on computer technologies co-authored by six North Korean scientists. The paper discussed the issue of increasing processing speed of data while it is stored in the Cloud, and also included new methods of using biotechnology-based artificial intelligence innovations. It was reported that these North Korean scientists had intended to include their article in the edition of the journal since April, subsequently their paper was peer reviewed and, in the end, it was deemed worthy of publication in a reputable South Korean journal.

On 7 November, the 29th National Exhibition of IT Achievements was held at the Temple of Science and Technology (this center is home to the largest electronic library in the country and an analogue to a museum of technology) in DPRK. More than 800 exhibits divided into 9 sections were showcased there. The exhibition included a competition on software packages (involving machine translation and voice and face recognition) as well as talks on development trends in IT.

Overall, North Korea has been gradually providing greater access to the internet. In the nearest future, university students will be able to access the internet without restrictions. According to Chan-Mo Park, a Korean American and the Chancellor of the Pyongyang University of Science and Technology (the first private university in North Korea), achievements in software development in DPRK have reached levels equivalent to those in developed countries, as evidenced at numerous international competitions on software development and coding.

In fact only in 2008, there were approximately 550,000 mobile phones for 24 to 25 million of DPRK residents. Today, based on data provided by South Korea’s Ministry of Unification, the estimated number of phones is around 6 million for North Korea’s population of 25 million people, and each device costs from 100 to 200 US dollars.

Another piece of recent news is that North Korea has introduced face recognition technology to manage records of people who enter and exit some government facilities. The website Meari states that a research institute of Kim Il-Sung University in Pyongyang has developed this technology, and that this facial recognition system has been installed in a hospital in the capital and other buildings. It is worth noting that in October 2012, Rodong Sinmun reported that DPRK scientists were focusing their efforts on developing world-class facial recognition products.

Discussions about North Korean hackers also surface from time to time. However, a particular aspect in such reports stands out: the key message that Pyongyang hackers pose as Russians.

In addition, according to a report by the U.S. company FireEye, a famous group of hackers called APT38 originates from North Korea, and it is responsible for financial crimes. The virus NACHOCHEESE, created by them, contained badly translated lines of code in Russian, most likely meant to confuse investigators.

Media outlets have also reported information on the fact that in the beginning of 2018, Pyongyang uploaded three applications to Google Play aimed at collecting data about defectors from North Korea who reside in, first and foremost, South Korea as well as other countries. Two of these applications masked as software meant to enhance users’ device security, while the third as software that displays nutrients in food items. In reality, all three applications collected information about a device, personal photos, and copied contacts and text messages. Experts from McAfee, a cyber security company, discovered that the code of these software packages included unique Korean words that are not used by residents of South Korea, which pointed to Pyongyang’s involvement.

Reports, made by some ROK newspapers on hacker attacks on the Ministry of Unification before the inter-Korea Summit, held in Pyongyang in September 2018, are also noteworthy. The ministry’s spokesman stated that these attacks spanned an entire year, but there was no mention of North Korean involvement or open discussions about evidence to this fact.

On 22 November 2018, a closed hearing of South Korea’s intelligence committee confirmed that global hacker attacks initiated by DPRK continue. It seems that they were referring to an incident involving e-mails, aimed at creating a rift between South Korea and the United States, sent from at least two accounts belonging to high ranking officials in the Moon Jae-in administration. While referencing recipients of these e-mails, the ROK presidential administration stated that these attacks were either an attempt to steal classified information on policies of North Korea or an attempt to put an end to the U.S. – South Korea alliance by using falsified documents.

The increased scope of this scandal can be accounted for by the fact that on 27 November, the Asia Business Daily published an article that discussed U.S. distrust towards South Korea based on this deceptive information. The spokesman of the Blue House, Kim Eui Keum, said that this was the most ill-intentioned incident in the history of journalism, and added that those responsible would be “hunted down”.

The first set of emails was supposedly sent from the Secretary to the President on State Affairs, who requested that recipients send him digital documents pertaining to policies of North Korea. However, one of the recipients was surprised that these files needed to be sent to the Secretary’s personal e-mail account and not his official e-mail address at the Blue House. He called the official to clarify the situation and it turned out that criminals had hacked the Secretary’s e-mail account, which he had not used for a number of years. And based on the IP address, the person who had sent those messages did so from abroad.

In any case, this is the official version of the incident, and it is still unclear how much confidential or classified information the hacker of the e-mail account had received.

As for the second set of e-mails, someone posed as an employee of a cybersecurity service and sent e-mails to dozens of experts on security. The message included a PDF attachment entitled Assessment of Situation in the Korean Peninsula and in Northeast Asia, which discussed the fact that disagreements between South Korea and the USA on denuclearization of DPRK had intensified, while Washington’s distrust towards Seoul also increased.

In their report, the Asia Business Daily treated the document as authentic. But the Blue House issued a statement that it had been falsified as its style, font and other aspects were completely different from those used in Cheong Wa Dae.

In December 2018, one of the computers at South Korea’s population relocation center in the North Gyeongsang Province was infected with a virus, and as a result hackers were able to access names, dates of birth and addresses of 997 defectors from North Korea. The Ministry of Unification reported that this was the largest leak of information of this kind. The ministry, together with the police, are investigating the incident and attempting to uncover who was behind this cyberattack. Since, we would like to remind our readers, it is often human trafficking brokers who get hold of such data in order to, among other things, continue extorting money from defectors.

The last incident took place in January 2019. An e-mail with a compressed file, which purportedly contained malware, was sent to dozens of journalists, especially those who report on relations with North Korea, and members of the Unification Ministry’s press corps. The sender happened to be an individual Yoon Hong-geun, and as the ministry’s spokesman Baik Tae-hyun noted “Since the start of this year, many hacking attempts and cyberattacks have been carried out by those disguising themselves as the Government and the Unification Ministry.” This information was passed on to relevant authorities, and an anonymous IT expert, who analyzed the e-mail, said that it could have originated from North Korea “based on the names of the files attached and how it fits into the pattern of attacks.” Still, unlike in the times the conservative ruled, he emphasized that more time was required to find out who carried out the attack, “given the fact that the code itself and the way it was designed to infiltrate a computer system is relatively uncommon.”

It is yet unclear whether the new presidential administration has stopped, to an extent, blaming all of its problems on DPRK hackers or if this is a temporary measure for the sake of easing dialogue. The author will continue to keep track of news connected to this topic and the latest developments in investigations that are currently underway.

Konstantin Asmolov, PhD in History, Leading Research Fellow at the Center for Korean Studies of the Institute of Far Eastern Studies of the Russian Academy of Sciences, exclusively for the online magazine “New Eastern Outlook”.