Mapping Major Milestones in the Evolution of North Korea’s Cyber Program
From 1984 to the present day, North Korea’s offensive cyber program has evolved considerably.
Pyongyang has been developing an offensive cyber program for over 35 years through domestic innovation and foreign assistance. During that time, North Korea has undergone major transformations in its cybercrime modus operandi, shifting from disruptive cyberattacks and cyber intrusions primarily targeting South Korean government agencies to hacking banks and cryptocurrency exchanges located both on and off the Korean Peninsula.
While there is a growing amount of research identifying past, present, and potentially future North Korean cyberattacks, there is relatively little investigation into the potential origins of the country’s cyber program. Understanding the evolution of North Korea’s offensive cyber program can provide countries like South Korea and the United States with valuable information that can help improve bilateral cybersecurity strategy, including the joint cyber-working group discussed in the May 2022 U.S.-ROK Summit with Presidents Joe Biden and Yoon Suk Yeol.
Early Domestic Innovation and Foreign Assistance
North Korean society has been inherently linked to the military since the founding of the country in 1945. Beyond its status as an authoritarian state, all North Korean men are required to serve in the military for 10 years. As such, Pyongyang has recruited high-scoring graduates from top technology and computer science universities into the country’s military and intelligence agencies to expand its cyber capabilities and readiness. Two leading computer science universities in North Korea, Kim Il Sung University and Kim Chaek University of Technology, share historic ties with the North Korean military and IT sector, as well as foreign exchange programs with foreign universities that have potentially contributed to the expansion of the country’s cyber program. Starting in the mid-1980s, Pyongyang established three institutions that significantly contributed to advancing the country’s offensive cyber program: Mirim College, the Pyongyang Informatics/Information Center, and the Korea Computer Center.
Mirim College (1984-86)
Publicly available information in both Korean and English indicate that Pyongyang established Mirim College between 1984 and 1986 to educate and train “cyber warriors” for the North Korean military and intelligence agencies. Similar to Soviet scientists and engineers contributing to North Korea’s military and nuclear weapons development during the Cold War, Soviet computer science professors traveled to North Korea under a bilateral cooperation agreement to teach at Mirim College. North Korean defectors familiar with Mirim College have indicated that after the fall of the Soviet Union in 1991, North Korean nationals who had previously studied at Frunze Military Academy, one of most prestigious military educational institutions in the Soviet Union, began to lead computer science and hacking courses at Mirim College. From 2009 to 2020, U.S. intelligence reports indicated that Mirim College has trained roughly 1,300 hackers that are involved in various North Korean intelligence and military operations, contributing to the estimated 6,000 state-sponsored North Korean hackers involved in illicit cyber activity.
According to North Korean defector testimony, Mirim College provides several educational tracks for future state-sponsored hackers including electronic engineering, command automation, programing, technical reconnaissance, and general computer science. A previous graduate of Mirim College who defected in 2007 claimed that while he was personally trained in war game strategy focused on cyber warfare simulations, he also received intensive training in coding languages and finding exploits in common operating systems, including Linux and Windows. Although learning how to detect and exploit vulnerabilities in codes and operating systems is an intrinsic part of advanced computer science learning, North Korea began to weaponize this knowledge to create destructive and evasive malicious codes that would later target foreign agencies, institutions, and nationals.
Pyongyang Informatics/Information Center (1986 – 1991)
The Pyongyang Informatics/Information Center (PIC) has also contributed to North Korea’s cyber capabilities. First established in 1986 and later expanded in 1991 with financial and technical support from pro-North Korean sympathizers in Japan and the United Nations Development Program (UNDP), PIC is a major developer of North Korean software, ranging from word processing and embedding software into web applications to creating information firewalls. In 2001, PIC successfully built a firewall system to monitor and control information flows between the global internet and the country’s insular intranet system, known as the Kwangmyong, indicating Pyongyang’s early interest in using this technology to surveil and digitally isolate its population from the outside world.
For decades, North Korea has outlawed the consumption, purchase, and distribution of foreign media, especially American, Japanese, and South Korean media, and violating this law can result in heavy fines, imprisonment, and even execution. As a result, only select members of the North Korean elite, mainly government officials, have relative access to the internet, while the remaining North Koreans with mobile phones or computers only have legal access to the Kwangmyong intranet.
In 2022, the U.S. government flagged PIC and other IT-related North Korean institutions as potential sanctions-busting organizations dispatching North Korea IT workers abroad to illicit earn currency for the regime.
This expansion in Pyongyang’s cyber capabilities to create an intranet with a functional firewall to track and block digital flows of outside information entering the country was highly significant for two main reasons: it likely contributed to North Korean developing hacking intrusion skills and to national aspirations of digital authoritarianism. In addition to blocking outside data flows, this firewall was also designed to prevent external hacking, which likely required Pyongyang to develop hacking techniques and tools to test the system’s resiliency. North Korea would later apply these capabilities to future cyberattacks on foreign targets.
Korea Computer Center (1990)
The Korea Computer Center (KCC) plays an important role in supporting North Korean IT contract workers abroad to illicitly generate currency for Pyongyang. In addition to collaborating with PIC and other state-sponsored institutions on software development projects, including the creation of the Kwangmyeong, KCC is responsible for evading global sanctions on the country that prohibit the employment of North Korean laborers abroad for illicit earning currency for Pyongyang.
KCC continued to expand during the late 1990s as former North Korean leader Kim Jong Il allegedly declared 1999 as the “Year of Science,” emphasizing the importance of software development over hardware. This was likely a reference to the country’s inability to acquire modern-day hardware technology, such as computers, due to economic sanctions and export controls. On January 27, 1999, the North Korea-state sponsored media agency the Korean Central Network Agency (KCNA) reported that the KCC has developed “comprehensive computing technology including software development and production process control using Windows 95 & NT, Mac OS 7 & 5, and others,” and “uses programming languages such as C, Visual Basic, Java, and Power Builder,” adding that it has employed around 800 people for research and development. These technological developments directly coincide with the reported hacking education offered at Mirim College, signaling a national effort to rapidly improve offensive cyber capabilities through software development.
A year later, the KCNA publicly attributed the work of the KCC to helping advance the interest of the North Korean Communist Party in an article commemorating the 10th anniversary of the KCC. In 2018, the U.S. Department of the Treasury would designate the KCC pursuant to the DPRK3 sanctions program, specific for illicit cyber activities, for circumventing U.S. and U.N. sanctions on behalf of Pyongyang through offering IT services abroad in countries including China, Syria, India, Germany, and the United Arab Emirates. This discovery ultimately revealed the role of KCC in procuring foreign currency for Pyongyang through offering overseas IT work services in clear violations of U.S. and U.N. economic sanctions.
The Sunshine Policy (Late 1990s to Early 2000s)
The Sunshine Policy marked unprecedented levels of engagement and cooperative efforts between North and South Korea, including academic and technical exchanges regarding information and communications technology (ICT) and computer science. From 1998 to 2008, South Korea abandoned its former defensive approach to Pyongyang and pursued “flexible reciprocity,” meaning that Seoul would offer economic and political concessions without North Korea having to meet any specific conditions in the hopes of eventual behavioral change.
Although the policy was ultimately a failure, as North Korea resumed its nuclear weapons development program in secret, both South Korea and the United States did achieve superficial diplomatic victories with North Korea. Examples include the 2000-inter-Korean summit between then-South Korean President Kim Dae-jung and then-Supreme Leader Kim Jong Il, and the 2003 Six-Party Talks featuring prominent political leaders from North Korea, South Korea, China, Japan, Russia, and the United States discussing possible ways to denuclearize the Korean Peninsula. However, Pyongyang’s inability to resist exploiting the good faith of other nations led to its secret development of enriched uranium while the South Korean government and private companies provided billion of U.S. dollars’ worth of humanitarian aid to North Korea. Under new presidential leadership in 2010, the South Korean Ministry of Unification (MOU) noted the failure of the Sunshine Policy, citing its inability to change North Korean aggression and aspirations to further develop ballistic and nuclear weapons.
The Sunshine Policy included numerous educational and technical exchanges between North and South Korea. In 2003, leading South Korean computer scientists and IT professors traveled to Pyongyang to offer ICT-related training and coursework to North Korean graduate students at universities such as Kim Chaek University and Kim Il Sung University, which are affiliated with the now-sanctioned KCC and civil-military fusion efforts. While Seoul’s intent was to marry “South Korea’s outstanding IT expertise with North Korea’s remarkable labor force to share and develop cutting-edge technology together,” the sheer level of illicit cyber operations conducted against South Korean cyber infrastructure and technology just several years after these educational exchanges occurred indicates the need for further research into the actual applications of the knowledge obtained during this period.
In addition to economic and humanitarian aid, other foreign institutions, including U.S. universities, provided technical support and training to North Korean students. Starting in 2002, U.S. university professors and North Korean computer science scholars engaged in more than 10 joint training programs in both New York and Pyongyang. This was the first, and only, official educational partnership between a U.S. and North Korean university. Participants from Syracuse University and the Kim Chaek University of Technology, as well as the Permanent Mission of the DPRK to the United Nations, published a joint report outlining the goals and outcomes of the partnership, including training on computer language tools and developing the first digital library in North Korea at Kim Chaek University.
Although the lessons allegedly comprised of all open-source data material, the report mentioned interaction with PIC, which raises concerns over the potential misuse of information in subsequent years. Data that is publicly available to the world outside of North Korea cannot be equated to the restricted access to data inside North Korea during the early 2000s. As North Korea has now become a major cyber adversary to the United States, South Korea, and many other nations, any previous exchange of information or technology that could have supported Pyongyang’s early development of offensive cyber capabilities requires warrants further investigation.
Continued Academic and Technical Support From Beijing and Moscow
Beijing has directly supported Pyongyang’s illicit cyber operations through blatantly evading sanctions on behalf of North Korea. During the 2000s, North Korean cyber operatives reportedly used hotels in northeast China, such as the Chilbosan Hotel, to illicitly earn funds for Pyongyang through providing IT-services to foreign customers. During this time, North Korean actors also conducted overseas cyber operations using Chinese internet service providers while Pyongyang was expanding its domestic capabilities.
This trend has continued into the modern day as Pyongyang has sent North Korean hackers abroad to China to moonlight as IT workers or other professions at Chinese-North Korean front companies while conducting state-sponsored illicit cyber activities. The most famous example would be Park Jin Hyok, a North Korean cyber operative affiliated with the Lazarus Group, a leading North Korea-state sponsored hacking agency under the direction of the country’s primary intelligence service, the Reconnaissance General Bureau. The FBI and the U.S. Department of Justice have attributed several destructive and disruptive North Korean cyber operations to Park over the years, like the 2014 Sony Pictures Entertainment hack, the 2016 Bangladesh Bank heist, and the 2017 WannaCry 2.0 ransomware attack. Both the U.S. government and the U.N. have claimed that China and Russia continue to employ North Korean laborers in violation of international sanctions, including the hiring of North Korean IT workers who illicitly procure funds for the regime and could also contribute to offensive cyber operations like Park.
Beijing has also continued to pursue academic partnerships related to computer science and technology with North Korean universities. Dating back to 1988, Chinese universities like the Harbin Institute of Technology have maintained and renewed official exchange agreements with leading computer science universities in North Korea, including with Kim Chaek University of Technology and Kim Il Sung University in 2013. Moscow and Beijing have also provided industrial support to North Korea. Over the years, Chinese and Russian telecommunication companies as well as those from Thailand and Egypt have provided internet connection lines and service providers to North Korea. For example in 2017, Russian telecommunications company TransTeleCom and China’s Unicom handled roughly 60 and 40 percent of North Korea’s internet traffic, respectively. As a result, telecommunication assistance from foreign countries has likely expanded North Korea’s offensive cyber capabilities, which it continues to leverage within its illicit cyber operations targeting South Korea, Japan, the United States, and other countries.
Modern Day
Following the collapse of the Sunshine Policy in the late 2000s, Pyongyang began to launch disruptive and destructive cyberattacks against South Korean government agencies, websites, and military infrastructure. Despite its status as a pariah state, North Korea is acutely aware of growing trends within the global financial system and is identifying creative ways to evade economic sanctions.
The expansion of U.S. and U.N. sanctions on North Korea during the mid-2010s coinciding with the rising popularity of Bitcoin and other cryptocurrency coins, likely contributing to Pyongyang’s shift toward targeting financial institutions, including banks and cryptocurrency exchanges. Since 2016, North Korea has successfully implemented a range of cyber intrusion and currency extortion tactics specifically effective against financial institutions, including spear phishing campaigns laced with malware like ransomware, bank drops, and denial of service (DDoS), and supply chain attacks.
Current North Korean leader Kim Jong Un has transformed North Korea into the greatest state-sponsored cyber threat to the global financial services sector. While Kim has been unsuccessful in securing U.S. and U.N. sanctions relief, his hackers have been able to procure more than $1 billion worth of stolen cryptocurrency for Pyongyang from 2021 to June 2022. In order for Seoul and Washington to craft an effective, long-lasting cybersecurity strategy against this major financial threat, both national governments need to have a deeper understanding of the origins and facilitators of North Korean illicit cyber activity.
Want to read more?
Subscribe for full access.
SubscribeThe Authors
Jason Bartlett is a contributing author to The Diplomat and a research assistant in the Energy, Economics, and Security Program at CNA