Friday, March 29, 2013

Just How Formidable are North Korea's Hackers?

[Index for translated Joo Seong-ha articles]

When it comes to North Korean news, the Korean has one simple rule: listen carefully to people who have actual access to the facts at the ground level in North Korea. One of the few people who do have such access is Mr. Joo Seong-ha, reporter for Dong-A Ilbo. 

Long time readers of this blog are familiar with Mr. Joo. He was born and raised in North Korea, and graduated from Kim Il-Sung University. In other words, he was on track to be an elite officer of the North Korean regime. Instead, he escaped from North Korea into China, and eventually made his way into South Korea, to work as a reporter. Because of his unique background, he is able to access the facts of North Korea like few others can. For example, in 2009 when American journalists Laura Ling and Euna Lee were captured in North Korea, Mr. Joo was able to speak directly with the North Korean border patrol who captured them.

From Mr. Joo, here is another good one. Recently, South Korea was rocked by a massive cyber attack, for which North Korea was suspected to be responsible. Mr. Joo spoke with one of the North Korean hackers to get a sense of North Korea's cyber attack capabilities. Below is the translation.

*             *            *

Conversation with North Korean Cyber Warrior

To write, or not to write.

I agonized long and hard about writing this article. It could be a violation of the National Security Act. Some may look at me askance. And do I really need to write something like this in this type of environment? But in the end, I decided to write this.

To confess: I know two of the so-called "North Korean cyber warriors." Because of personal security issues, even the question of "know" versus "knew" is sensitive. At any rate, the person with whom I have had conversations for the last several months is not a former cyber warrior; he is currently one.

Recently, all kinds of myths about North Korean hackers are permeating South Korea: "The Mirim University in North Korea raises a thousand selected cyber agents every year"; "North Korea has 30,000 cyber soldiers"; "North Korea's hacking ability is commensurate with that of the CIA."

I asked one of the cyber warriors about Mirim University. He said: "That place is for soldiers who did not open a book for nearly a decade. The teachers for that school can't wait to transfer out to a different school." According to him, there are around 50 students who learn "a little bit" of computer skills before they graduate. In short, the idea that Mirim University is a training camp for cyber warriors is a massive exaggeration. Come to think of it, the original name for Mirim University is the University of Military Command Automation.

Then I asked which places teach computer skills. The answer was Geumseong Middle Schools 1 and 2, which are magnet schools. The schools apparently teach approximately 500 hours of Internet-related lessons for six years. But no one in the faculty of Geumseong has sophisticated hacking ability.

I asked if Geumseong Middle Schools 1 and 2 were the best; the answer was no. Those who excel at those schools advance to Kim Il-Sung University or Kim Chaek University of Technology. But he said that the top destination for North Koreans who have learned computer skills is India. Since the mid-2000s, North Korea has sent around 10 computer engineers to study abroad in India; these are the best of the best. The very first team that was sent to India stayed there for software development. Later, some of them were transferred to China.

I asked if there were several thousand North Korean cyber warriors in China. He said that there are around 10 teams, each with fewer than five members; they somewhat know each other. But he added that they receive almost no assistance from the North Korean regime, because the "old men" (the decision makers) did not grasp the concept. I heard this a few years ago. Even though the young Kim Jong-Un's leadership began to grasp the concept, it is an unwarranted exaggeration to say that there are several thousand North Korean hackers in China.

I did not ask about their missions, because that is confidential information on which their lives depend. Other than that, there was nothing I could not ask, and no answer I did not receive. The cyber warriors who live outside of North Korea have not a shred of loyalty to the Labor Party. I regret that I cannot disclose the full transcript.

I used to live in Pyongyang. I know Mirim University and Geumseong Middle School. Therefore, I trust the people I spoke with about a hundred times more than the people who chatter without ever having been to Pyongyang. Of course, this is not to say that we should ignore North Korea's capabilities for cyber terrorism. It only takes a few dozen truly great hackers to deal a significant amount of damage. But that is about as much as North Korea can do.

To conclude: I know there is someone from Pyongyang who visits my personal blog on North Korea every day, because he leaves traces of browsing around the different pages. I am sure he will see this article as well. I would love to speak with him too.

  1. Basic computer attacks are as simple as renting time on a botnet and launching a DDoS, or pointing and clicking with automated tools. There is no skill required. Such attacks are an everyday occurrence.

    Developing skilled computer attackers would require finding people who think outside the box and giving them unfiltered Internet access. Even free countries have uneasy relationships with such people.

  2. What would you consider a good, reliable source for North Korea related news in English?

    1. is pretty good. I know the Korean has referenced them before.

  3. Here is a TED talk from a girl who managed to escape from North Korea:

  4. In reading some of the security blog entries, there's good reason to be hesitant to conclude that the North Korean military launched the cyberattacks. The DarkSeoul trojans were targeted at South Korean banks, and did interfere with antivirus software common in South Korea (AhnLab and Hauri AV), but that alone does not constitute any proof. It may be that the cyberattackers decided on the timing because the heightened tensions with the North would distract investigators.

    Also, trojans targeting banking institutions have been used to cover up fraudulent wire transactions. The diversion created by the cyberattack distracts the IT staff from noticing the fraudulent activity at the time and creates a mass of server log data that can hide the traffic of the real attack.

    The fact that media organizations were also affected doesn't preclude a financial attack either. The attackers could have included media organizations as a ruse to confuse investigators further, or they may have been incidentally affected as people in the newsroom were following leads on the story of the banking attack as it progressed.

    According to SophosLabs, the trojan was not that sophisticated, and had been detectable for some time.

    Cisco and SophosLabs blogs document some of the initial research:

    Anyway, the investigation could ultimately end up proving a state-sponsored attack, it's just important not to immediately jump to that conclusion since there are other equally plausible scenarios.
