SEOUL (Reuters) – Despite its poverty and isolation, North Korea has poured resources into a sophisticated cyber-warfare cell called Bureau 121, defectors from the secretive state said as Pyongyang came under the microscope for a crippling hack into computers at Sony Pictures Entertainment.
A North Korean diplomat has denied Pyongyang was behind the attack that was launched last month but a U.S. national security source said it was a suspect.
Defectors from the North have said Bureau 121, staffed by some of the most talented computer experts in the insular state, is part of the General Bureau of Reconnaissance, an elite spy agency run by the military. They have said it is involved in state-sponsored hacking, used by the Pyongyang government to spy on or sabotage its enemies.
Pyongyang has active cyber-warfare capabilities, military and software security experts have said. Much of it is targeted at the South, technically still in a state of war with North Korea. But Pyongyang has made no secret of its hatred of the United States, which was on the South’s side in the 1950-53 Korean War.
Military hackers are among the most talented, and rewarded, people in North Korea, handpicked and trained from as young as 17, said Jang Se-yul, who studied with them at North Korea’s military college for computer science, or the University of Automation, before defecting to the South six years ago.
Speaking to Reuters in Seoul, he said the Bureau 121 unit comprises about 1,800 cyber-warriors, and is considered the elite of the military.
“For them, the strongest weapon is cyber. In North Korea, it’s called the Secret War,” Jang said.
REUTERS/Jo Yong-HakSouth Koreans burned portraits of former North Korean leader Kim Jong-il and current leader Kim Jong-un after a cyber attack in 2009.
One of his friends works in an overseas team of the unit, and is ostensibly an employee of a North Korean trading firm, Jang said. Back home, the friend and his family have been given a large state-allocated apartment in an upscale part of Pyongyang, Jang said.
“No one knows … his company runs business as usual. That’s why what he does is scarier,” Jang said. “My friend, who belongs to a rural area, could bring all of his family to Pyongyang. Incentives for North Korea’s cyber experts are very strong … they are rich people in Pyongyang.”
He said the hackers in Bureau 121 were among the 100 students who graduate from the University of Automation each year after five years of study. Over 2,500 apply for places at the university, which has a campus in Pyongyang, behind barbed wire.
“They are handpicked,” said Kim Heung-kwang, a former computer science professor in North Korea who defected to the South in 2004, referring to the state hackers. “It is a great honor for them. It is a white-collar job there and people have fantasies about it.”
The technology news site Re/code reported on Wednesday that Sony intends to name North Korea as the source of the attack. But when asked about the Re/code report, a Sony spokeswoman said no announcement from the studio was coming. The company declined comment on Thursday.
Sony Pictures, a unit of Japan’s Sony Corp, is the distributor of “The Interview,” a forthcoming comedy featuring a plot to assassinate North Korean leader Kim Jong Un. North Korea has described the film as an “act of war”.
Last year, more than 30,000 PCs at South Korean banks and broadcasting companies were hit by a similar attack that cybersecurity researchers widely believe was launched from North Korea.
Months later, the South Korean government’s online presence was targeted, with the president’s website defaced with a banner reading “Long live General Kim Jong Un, president of reunification!”
Neither attack was particularly sophisticated, but South Korean authorities said North Korea was to blame, even though ‘hacktivist’ groups – online activists who hack high-profile targets in order to spread political messages – first appeared to claim responsibility.
Those attacks used rudimentary but effective malware which security researchers later dubbed DarkSeoul.
Also known as the DarkSeoul Gang, the hackers have been involved in a five-year spree against South Korean targets, according to a report last year by computer security firm Symantec, which estimated the group included 10 to 50 hackers and described it as “unique” in its ability to carry out high-profile and damaging attacks over several years.
Some security experts have cast doubt on North Korean involvement in the attack on Sony, citing the publicity-seeking hacktivist style of the attacks. However, the use of an unknown name by the group behind the Sony attacks, “Guardians of Peace”, is similar to previous attacks by the DarkSeoul gang.
It remains unclear if the DarkSeoul gang are outsiders working on behalf of North Korea, or some of Pyongyang’s troops in the isolated country’s own ‘cyber army’.