North Korea hacker gangs are unique among cybercrime groups. Impenetrably secretive and transparently directed by the country’s authoritarian government, the nation’s hacker syndicates are well funded and highly capable.
North Korea, the pariah
Labeled a “pariah state” by then US President Barack Obama in 2014, North Korea has been at odds with the western world, particularly America, for decades.
A communist nation with a mandatory cult of personality around current leader Kim Jong Un and his ancestors, North Korea is a mysterious and vehemently private country. While the outside world looks on with curiosity, the nation engages in parades meant as a show of military might and national solidarity in a constant display of aggression.
North Korea is a nuclear power, with Kim Jong Un often reminding rival countries of this via threatening missile launches and rhetoric.
North Korea’s economy is completely centralized and the country’s people are allowed no freedom with regard to how they do business. Almost completely closed off from outside trade, the country has suffered from food shortages since the 1990s.
The nation’s infrastructure is also sorely lacking, with only Pyongyang, the country’s capital, glowing with electricity in satellite photos while the rest of the country remains ominously dark.
Of the 39 countries that make up the Asia-Pacific region, North Korea ranks dead last at 39.
North Korea and the internet
Citizens of North Korea are not granted access to sources of information outside of those provided by the government. The internet is tightly controlled and people aren’t even allowed to own a computer without government permission.
North Korea’s public-facing version of the internet, typically accessed with outdated dial-up technology, is called Kwangmyong. It allows for basic email functionality and only grants access to a handful of heavily censored sites.
As with all authoritarian regimes, however, proper internet access is available to the elite ruling class who are not bound by the draconian rules that common North Korean citizens adhere to for fear of potentially deadly consequences.
North Korea’s hacking activity
With such restricted internet access, it may see strange that North Korea has risen to the world stage so prominently when it comes to cybercrime.
This is because North Korea’s military is in charge of a highly sophisticated cyberwarfare division in which special internet access is given to North Koreans who work in departments related to propaganda, media and hacking.
Recruited at a young age, state hackers are allowed privileges, prestige and comforts that the rest of the country’s people are not permitted. This is largely done to prevent hackers from defecting upon learning about the outside world, an impossible to avoid consequence of relatively unrestricted internet access.
North Korea has invested heavily in its cyber capabilities. Hacks are easier to engage in, less costly and more discreet than actual military engagements that involve soldiers, equipment and weaponry.
North Korea is able to meddle with rival nations and inflict repercussions upon those who dare to speak out against its leadership under the plausible deniability afforded by the internet.
This activity allows Pyongyang to continue to portray Kim Jong Un as a fearless advocate for the pride and strength of the North Korean people in the face of the West’s antagonism, decadence and immorality.
North Korea’s hacking economy
Crucially, hacking also provides North Korea with a resource it is unable to generate via most conventional means: financial income.
Hackers, either working directly within North Korea or hired internationally and working from so-called “hacker hotels” in China, zero in on targets that can yield significant payouts.
Cybercrime is such a major component of North Korea’s economy that the country generally does little to hide or conceal its thievery aside from boilerplate denials.
In 2013, Kim Jong Un described the branch of the North Korean military that engages in cyber theft as “warriors… for the construction of a strong and prosperous nation.”
In keeping with Pyongyang’s reputation for supreme secrecy, North Korean hackers lack the braggadocio that criminals from Russia or other Eastern European countries are known for.
Cybersecurity researchers find North Korea’s hacking to be effective but unorthodox.
Because North Korea has historically engaged in illegal activity like drug trafficking in order to fund state operations, some liken the country’s cyber strategy to the behavior of an organized crime ring more so than that of a sovereign nation.
Noteworthy North Korea hacker groups
Like the gangs that do the bidding of the Chinese government, North Korean hacker groups are difficult to identify and do not stand up and take credit for their activities. Likely fearful of retribution, they are reclusive and rarely engage in hacking outside of state-directed campaigns.
North Korea has three major hacking syndicates, all falling under the umbrella of Lazarus Group, also known as DarkSeoul, Guardians of Peace or Hidden Cobra.
The FBI, the NSA and the UK’s National Cyber Security Centre (NCSC) have all determined Lazarus Group to be a major threat to national securities worldwide.
From 2009 to 2012, Lazarus Group targeted South Korean infrastructure and government websites with blunt force malware and DDoS attacks.
In an attack that put the group in the international spotlight, Lazarus Group hacked Sony Pictures in 2014. The attack exposed correspondences between production groups, actors, directors and more. It was believed to be carried out in retaliation for “The Interview,” a comedy that portrays Kim Jung Un as a bumbling but cruel and merciless dictator.
The makeup of Lazarus Group remains a frustrating mystery for international authorities. It is unclear how much of the gang is made up of North Korean individuals within the country’s borders, international hired guns or a combination of both.
In 2015, Lazarus Group began targeting financial institutions. Banks the world over saw accounts drained and finances stolen.
In recent months, the gang has set its sights on cryptocurrency. Hacks of crypto bridges and decentralized finance (DeFi) services have brought an astounding $2 billion worth of stolen funds into North Korea, and the gang shows no signs of slowing down.
In June of this year, Lazarus Group stole $100 million in crypto from Harmony’s Horizon Bridge.
Lazarus Group has two subsets under its authority: BlueNoroff and Andariel.
A subset of Lazarus Group tasked specifically with hacking banks and securing finances for the state, BlueNoroff has been described as North Korea’s “money making machine.”
According to the US Treasury, Andariel “focuses on conducting malicious cyber operations on foreign businesses, government agencies, financial services infrastructure, private corporations, and businesses, as well as the defense industry.”
Andariel also creates hacking campaigns designed to antagonize and disrupt South Korea by probing for weaknesses, harassing government personnel and engaging in cyber espionage.