Seoul urged to bolster defense against Pyongyang's evolving cyber threats

Gettyimagesbank


Editor's note

This is the first in a two-part series about North Korea's cyberattacks — ED.

By Kang Hyun-kyung

What do the cyberattack on Sony Pictures Entertainment in 2014, Bangladesh's central bank heist in 2016 and the WannaCry ransomware strike that targeted over 230,000 computers all over the world in 2017 have in common?

North Korea was the culprit behind all three notorious computer intrusions.

South Korea is no stranger to the North's disruptive cyber operations. The South Korean government, media outlets, financial institutions and other private entities have suffered the consequences of North Korea's cyber operations multiple times during the past two decades.

North Korea's weaponization of its asymmetrical cyber capabilities to disrupt target entities, both in the private and public sectors, and steal technologies and money through ransomware attacks to finance its nuclear weapons and missile programs, has become a growing threat to South Korea.

Kim Heung-kwang, a North Korean defector who previously worked as a professor of computer science in the North, said South Korea is ill-prepared for North Korea's cyberattacks.

"South Korea does not seem to be well informed about North Korea's cyber capabilities and how they work," he told The Korea Times. "It needs to have a clear picture of the enemy's capabilities, either through human intelligence or other means."

According to Kim, North Korea has approximately 6,000 cyber warriors, a number smaller than South Korea's defense ministry's estimate of 7,000.

Kim used the analogy of a gang of robbers to explain how North Korea's cyber workers perform their roles under a division of labor.

He said hackers are based outside of North Korea to avoid their IP addresses being tracked, calling them robbers as they steal others' assets by gaining unauthorized access to their networks.

Once they successfully obtain what they want from the intrusions, he said they pass on the stolen goods to their teammates based in Pyongyang.

"The roles of these stolen goods handlers vary. Some analyze data and files to produce reports, while others compile the data. There are some who are responsible for reporting the information to the person overseeing the cyber operations," he said.

He said cyberattacks are not a numbers game.

"This is because all you need is a handful of highly-trained hackers capable of intruding target computers against all odds to get what they want," he said.

Industry experts say North Korea's cyber capabilities are world class.

According to Australian think tank Lowy Institute's 2021-2022 expert survey on the offensive and defensive cyber capabilities of different countries, North Korea ranked 7th with 67.2 points. The U.S. topped the survey with 94.7 followed by Russia and China. South Korea ranked fourth with 74.5 points in the survey.

Another survey, conducted in 2023 by cybersecurity firm Humanize Security, paints a similar picture of North Korea's cyberwarfare capabilities. The North came in 7th. The U.S. also topped the ranking, followed by China, Russia and the United Kingdom. South Korea is not included in the list of the world's top 10 countries with the most powerful cyberwarfare capabilities. The survey is based on the National Cyber Power Index.

An official warns of North Korea's spear-phishing emails posing as government employees and journalists, among others, during a press briefing held on Nov. 21 at the National Police Agency. Yonhap


It remains a mystery just how North Korea was able to become such a highly capable player in cyberwarfare, considering its weak information and technology infrastructure.

Unlike people in other parts of the world, North Korean residents are cut off from the outside world. They are not allowed to have access to the internet. Only those who are authorized can access the internet and their cyber activities are thoroughly monitored by the regime.

North Koreans have limited access to information and are only allowed to access state-controlled media outlets through a nationwide intranet network called Kwangmyong, which means guiding light.

According to DataReportal, a website providing free reports about people's online activities, 99.9 percent of North Koreans remained offline as of 2022.

"Our analysis of the available data suggests that fewer than 1,000 people in the country are able to access international websites, and it seems likely that a sizeable proportion of this small group will be made up of foreign expatriates and the country's political elite," it said in its annual report, Digital 2022, available on its website.

Given that North Korea's population is 28 million, the number of people with access to the internet is minuscule.

How did a country like North Korea, with no IT infrastructure, become a world-class player in cyber attacks?

The regime's "choose and focus" tactic to discover and train promising computer programmers partially explains how that happened.

It seeks out math prodigies at an early age and trains them through rigorous advanced education. At the age of 12 or 13, chosen students are sent to elite schools, such as the First and Second Keumseong senior or middle schools, and undergo intensive computer courses. The successful students then gain admission into Kim Il-sung University, Kim Chaek University of Technology, or the Command Automation University, previously known as Mirim University, and receive intensive computer training.

Through this process, the best of the best are chosen as talented students are pitted against each other to compete and survive.

This undated photo released by the FBI shows Park Jin Hyok, a computer programmer accused of working at the behest of the North Korean government, who was charged in 2018 for his involvement in several high-profile cyberattacks, including the Sony Pictures Entertainment hack and the WannaCry ransomware virus attack that affected hundreds of thousands of computers worldwide. AP-Yonhap


North Korean programmer Park Jin-hyok, also known as Park Jin-hek, who has been wanted by the U.S. Federal Bureau of Investigation (FBI) since 2018 for "conspiracy to commit wire fraud and computer-related fraud," is one of the most capable computer experts in the North.

"I don't know him at all. But considering his educational background, I have no doubt that he would have proven programming skills," said Kim.

Park is a graduate of Kim Chaek University of Technology. Between 2011 and 2013, he worked at Choseon Expo, a front company for the North Korean government based in Dalian, China. He is believed to have returned to North Korea in 2014, according to the FBI.

Like Park, the selectively chosen programmers are recruited by the regime to work as cyber warriors at Unit 121, also known as Bureau 121, at the General Bureau of Reconnaissance. Unit 121 is responsible for North Korea's covert cyberwarfare operations against targeted countries or their financial networks.

Unit 121

Unit 121 consists of several sub-divisions, including the hacking groups Andariel, Bluenoroff and Lazarus.

According to a U.S. Army report released in 2020, Andariel has 1,600 members who conduct "reconnaissance on enemy computer systems and map the enemy network for potential attacks." The hacking group is responsible for cyberattacks last year on South Korea's defense contractors, research institutes and other entities, in which it stole military technologies and encrypted data and files for ransom. Some institutions paid a ransom in the cryptocurrency Bitcoin to recover their data and files, according to the police.

Bluenoroff conducts financial crimes and Lazarus is the hacking group behind the cyberattacks on Sony Pictures Entertainment and the Bangladesh central bank heist, among others.

Due to the lack of a solid IT infrastructure, North Korean hackers are stationed in several different countries, including Belarus, China, India and Russia, to name a few.

On top of North Korea's focused effort to discover and train talented students, experts say there are external factors that contributed to strengthening its cyber workforce.

Kwon Ho-cheon, a consultant, public speaker and columnist for IT Chosun who specializes in North Korea's cyberwarfare capabilities, said the North took advantage of its permanent mission to the United Nations in New York to train computer scientists in the United States.

Citing a U.S. media report, he said some North Korean diplomats or attachés posted in New York enroll at universities there as auditing students and attend computer courses to hone their programming and hacking skills.

Once they master the necessary skills, Kwon said they are sent back to the North and new people replace them to go through the same process. Some of them purchase computers and related equipment and send them in diplomatic pouches back to North Korea. These computers and materials help North Korean cyber workers upgrade their computer skills, he said.

China and Russia, among others, also contributed to the development of North Korea's cyber capabilities by training North Korean programmers.

Kang Hyun-kyung hkang@koreatimes.co.kr

