Bureau 121

Bureau 121 [4] is a North Korean cyberwarfare agency and the main unit of the Reconnaissance General Bureau (RGB) of North Korea's military. [5] [6] [7] [8] It conducts offensive cyber operations, including espionage and cyber-enabled financial crime. [6] [5] According to American authorities, the RGB manages clandestine operations and has six bureaus. [9] [10]

Cyber operations are thought to be a cost-effective way for North Korea to maintain an asymmetric military option, as well as a means to gather intelligence; its primary intelligence targets are South Korea, Japan, and the United States. [10]

History

Bureau 121 was created in 1998. [11]

Targets and methods

The activities of the agency came to public attention in December 2014 when Sony Pictures canceled the opening of its movie The Interview after its computers had been hacked. [12] [13] Bureau 121 has been blamed for the cyber breach, but North Korea has rejected this accusation. [14]

Much of the agency's activity has been directed at South Korea. [7] [10] Before the Sony attack, North Korea was said to have attacked more than 30,000 PCs in South Korea, affecting banks and broadcasting companies as well as the website of South Korean President Park Geun-hye. [7] [10] [15] North Korea is also thought to have been responsible for infecting thousands of South Korean smartphones in 2013 with a malicious gaming application. [14] The attacks on South Korea were allegedly conducted by a group then called the DarkSeoul Gang, estimated by the computer security company Symantec to have only 10 to 50 members with a "unique" ability to infiltrate websites. [7]

American authorities believe that North Korea has military offensive cyber operations capability and may have been responsible for malicious cyber activity since 2009. [10] As part of its sophisticated set-up, cells from Bureau 121 are believed to be operating around the world. [16] [17] [18] One of the suspected locations of a Bureau 121 cell is the Chilbosan Hotel in Shenyang, China. [11] [19] [5]

South Korea has also repeatedly blamed Bureau 121 for conducting GPS jamming aimed at South Korea. The most recent case of jamming occurred on 1 April 2016.

Structure

Bureau 121 consists of the following units as of 2019: [20]

Staffing

Bureau 121 is the largest (more than 600 hackers) and most sophisticated unit in the RGB. [5] [6] [16] According to a report by Reuters, Bureau 121 is staffed by some of North Korea's most talented computer experts and is run by the Korean military. [7] A defector indicated that the agency has about 1,800 specialists. Many of the bureau's hackers are hand-picked graduates of the University of Automation, Pyongyang [7] and spend five years in training. [23] A 2021 estimate suggested that there may be over 6,000 members in Bureau 121, with many of them operating in other countries, such as Belarus, China, India, Malaysia, and Russia. [16]

While these specialists are scattered around the world, their families benefit from special privileges at home. [17]

Alleged operations


References

  1. Pinkston, Daniel A. (2016). "Inter-Korean Rivalry in the Cyber Domain: The North Korean Cyber Threat in the "Sŏn'gun" Era". Georgetown Journal of International Affairs. 17 (3): 67–68. ISSN 1526-0054. JSTOR 26395976.
  2. Park, Donghui (2019). "3.5 North Korea's Cyber Proxy Warfare Strategy" (PDF). North Korea's Cyber Proxy Warfare: Origins, Strategy, and Regional Security Dynamics (PhD). University of Washington. pp. 137–150.
  3. Gause, Ken E. (August 2015). "North Korea's Provocation and Escalation Calculus: Dealing with the Kim Jong-un Regime" (PDF). Defense Technical Information Center. CNA Analysis & Solutions. Archived (PDF) from the original on March 6, 2021.
  4. AKA: Department/Office/Unit 121, Electronic Reconnaissance Department, or the Cyber Warfare Guidance Department. [1] [2] [3]
  5. "Strategic Primer: Cybersecurity" (PDF). American Foreign Policy Council. 2016. p. 11.
  6. Bartlett, Jason (2020). "Exposing the Financial Footprints of North Korea's Hackers". Center for a New American Security.
  7. Park, Ju-Min; Pearson, James (December 5, 2014). "In North Korea, hackers are a handpicked, pampered elite". Reuters. Archived from the original on December 19, 2014. Retrieved December 18, 2014.
  8. Gibbs, Samuel (December 2, 2014). "Did North Korea's notorious Unit 121 cyber army hack Sony Pictures?". The Guardian. Retrieved January 20, 2015.
  9. Pike, John. "North Korean Intelligence Agencies". Federation of American Scientists, Intelligence Resource Program. Retrieved January 20, 2015.
  10. United States Department of Defense. "Military and Security Developments Involving the Democratic People's Republic of Korea 2013" (PDF). Federation of American Scientists. Retrieved January 20, 2015.
  11. Sanger, David E.; Fackler, Martin (January 18, 2015). "N.S.A. Breached North Korean Networks Before Sony Attack, Officials Say". nytimes.com. Retrieved January 20, 2015.
  12. Lang, Brett (December 17, 2014). "Major U.S. Theaters Drop 'The Interview' After Sony Hacker Threats". Variety. Retrieved December 17, 2014.
  13. Brown, Pamela; Sciutto, Jim; Perez, Evan; Acosta, Jim; Bradner, Eric (December 18, 2014). "U.S. will respond to North Korea hack, official says". CNN. Retrieved December 18, 2014.
  14. Cloherty, Jack (December 17, 2014). "Sony Hack Believed to Be Routed Through Infected Computers Overseas". ABC News.
  15. Yoon, Sangwon; Kang, Shinyye (June 25, 2013). "S. Korea Government, Media Sites Hacked Closed for Review". Bloomberg. Retrieved December 20, 2014.
  16. Healthcare Sector Cybersecurity Coordination Center (HC3) (2021). "North Korean Cyber Activity" (PDF). U.S. Department of Health & Human Services.
  17. Sciutto, Jim (December 19, 2014). "White House viewing Sony hack as national security threat". CNN. WWLP 22 News. Archived from the original on December 19, 2014.
  18. Tapper, Jake (December 18, 2014). "Panel: Were North Korean "cyber soldiers" behind Sony hack?". The Lead with Jake Tapper. CNN. Archived from the original on March 26, 2021. Retrieved January 21, 2015.
  19. Daly, Michael (December 20, 2014). "Inside the 'Surprisingly Great' North Korean Hacker Hotel". The Daily Beast. Retrieved December 25, 2014.
  20. Kong, Ji Young; Lim, Jong In; Kim, Kyoung Gon (2019). The All-Purpose Sword: North Korea's Cyber Operations and Strategies (PDF). 2019 11th International Conference on Cyber Conflict. Tallinn, Estonia: NATO. doi:10.23919/CYCON.2019.8756954.
  21. "The Organization of Cyber Operations in North Korea" (PDF). Center for Strategic and International Studies (CSIS). Archived from the original (PDF) on June 30, 2019. Retrieved June 28, 2020.
  22. Park, Ju-min; Pearson, James. Gopalakrishnan, Raju (ed.). "Exclusive: North Korea's Unit 180, the cyber warfare cell that worries the West". Reuters. Archived from the original on May 21, 2017.
  23. Waterhouse, James; Doble, Anna (May 19, 2015). "Bureau 121: North Korea's elite hackers and a 'tasteful' hotel in China". BBC News. Retrieved April 27, 2017.