Bureau 121

Bureau 121 [4] is a North Korean cyberwarfare agency, and the main unit of the Reconnaissance General Bureau (RGB) of North Korea's military. [5] [6] [7] [8] It conducts offensive cyber operations, including espionage and cyber-enabled finance crime. [6] [5] According to American authorities, the RGB manages clandestine operations and has six bureaus. [9] [10]

Cyber operations are thought to be a cost-effective way for North Korea to maintain an asymmetric military option, as well as a means to gather intelligence; its primary intelligence targets are South Korea, Japan, and the United States. [10]

History

Bureau 121 was created in 1998. [11]

Targets and methods

The activities of the agency came to public attention in December 2014 when Sony Pictures canceled the opening of its movie The Interview after its computers had been hacked. [12] [13] Bureau 121 has been blamed for the cyber breach, but North Korea has rejected this accusation. [14]

Much of the agency's activity has been directed at South Korea. [7] [10] Prior to the attack on Sony, North Korea was said to have attacked more than 30,000 PCs in South Korea, affecting banks and broadcasting companies as well as the website of South Korean President Park Geun-hye. [7] [10] [15] North Korea has also been thought to have been responsible for infecting thousands of South Korean smartphones in 2013 with a malicious gaming application. [14] The attacks on South Korea were allegedly conducted by a group then called the DarkSeoul Gang, estimated by the computer security company Symantec to have only 10 to 50 members with a "unique" ability to infiltrate websites. [7]

American authorities believe that North Korea has military offensive cyber operations capability and may have been responsible for malicious cyber activity since 2009. [10] As part of its sophisticated set-up, cells from Bureau 121 are believed to be operating around the world. [16] [17] [18] One of the suspected locations of a Bureau 121 cell is the Chilbosan Hotel in Shenyang, China. [11] [19] [5]

South Korea has also repeatedly blamed Bureau 121 for conducting GPS jamming aimed at South Korea. The most recent case of jamming occurred on 1 April 2016.

Structure

Bureau 121 consists of the following units as of 2019: [20]

Staffing

Bureau 121 is the largest (more than 600 hackers) and most sophisticated unit in the RGB. [5] [6] [16] According to a report by Reuters, Bureau 121 is staffed by some of North Korea's most talented computer experts and is run by the Korean military. [7] A defector indicated that the agency has about 1,800 specialists. Many of the bureau's hackers are hand-picked graduates of the University of Automation, Pyongyang [7] and spend five years in training. [23] A 2021 estimate suggested that there may be over 6,000 members in Bureau 121, with many of them operating in other countries, such as Belarus, China, India, Malaysia, and Russia. [16]

While these specialists are scattered around the world, their families benefit from special privileges at home. [17]

Alleged operations

References

  1. Pinkston, Daniel A. (2016). "Inter-Korean Rivalry in the Cyber Domain: The North Korean Cyber Threat in the "Sŏn'gun" Era". Georgetown Journal of International Affairs. 17 (3): 67–68. ISSN 1526-0054. JSTOR 26395976.
  2. Park, Donghui (2019). "3.5 North Korea's Cyber Proxy Warfare Strategy" (PDF). North Korea's Cyber Proxy Warfare: Origins, Strategy, and Regional Security Dynamics (PhD). University of Washington. pp. 137–150.
  3. Gause, Ken E. (August 2015). "North Korea's Provocation and Escalation Calculus: Dealing with the Kim Jong-un Regime" (PDF). Defense Technical Information Center. CNA Analysis & Solutions. Archived (PDF) from the original on March 6, 2021.
  4. AKA: Department/Office/Unit 121, Electronic Reconnaissance Department, or the Cyber Warfare Guidance Department. [1] [2] [3]
  5. "Strategic Primer: Cybersecurity" (PDF). American Foreign Policy Council. 2016. p. 11.
  6. Bartlett, Jason (2020). "Exposing the Financial Footprints of North Korea's Hackers". Center for a New American Security.
  7. Park, Ju-Min; Pearson, James (December 5, 2014). "In North Korea, hackers are a handpicked, pampered elite". Reuters. Archived from the original on December 19, 2014. Retrieved December 18, 2014.
  8. Gibbs, Samuel (December 2, 2014). "Did North Korea's notorious Unit 121 cyber army hack Sony Pictures?". The Guardian. Retrieved January 20, 2015.
  9. Pike, John. "North Korean Intelligence Agencies". Federation of American Scientists, Intelligence Resource Program. Retrieved January 20, 2015.
  10. United States Department of Defense. "Military and Security Developments Involving the Democratic People's Republic of Korea 2013" (PDF). Federation of American Scientists. Retrieved January 20, 2015.
  11. Sanger, David E.; Fackler, Martin (January 18, 2015). "N.S.A. Breached North Korean Networks Before Sony Attack, Officials Say". nytimes.com. Retrieved January 20, 2015.
  12. Lang, Brett (December 17, 2014). "Major U.S. Theaters Drop 'The Interview' After Sony Hacker Threats". Variety. Retrieved December 17, 2014.
  13. Brown, Pamela; Sciutto, Jim; Perez, Evan; Acosta, Jim; Bradner, Eric (December 18, 2014). "U.S. will respond to North Korea hack, official says". CNN. Retrieved December 18, 2014.
  14. Cloherty, Jack (December 17, 2014). "Sony Hack Believed to Be Routed Through Infected Computers Overseas". ABC News.
  15. Yoon, Sangwon; Kang, Shinyye (June 25, 2013). "S. Korea Government, Media Sites Hacked Closed for Review". Bloomberg. Retrieved December 20, 2014.
  16. Healthcare Sector Cybersecurity Coordination Center (HC3) (2021). "North Korean Cyber Activity" (PDF). U.S. Department of Health & Human Services.
  17. Sciutto, Jim (December 19, 2014). "White House viewing Sony hack as national security threat". CNN. WWLP 22 News. Archived from the original on December 19, 2014.
  18. Tapper, Jake (December 18, 2014). "Panel: Were North Korean "cyber soldiers" behind Sony hack?". The Lead with Jake Tapper. CNN. Archived from the original on March 26, 2021. Retrieved January 21, 2015.
  19. Daly, Michael (December 20, 2014). "Inside the 'Surprisingly Great' North Korean Hacker Hotel". The Daily Beast. Retrieved December 25, 2014.
  20. Kong, Ji Young; Lim, Jong In; Kim, Kyoung Gon (2019). The All-Purpose Sword: North Korea's Cyber Operations and Strategies (PDF). 2019 11th International Conference on Cyber Conflict. Tallinn, Estonia: NATO. doi:10.23919/CYCON.2019.8756954.
  21. "The Organization of Cyber Operations in North Korea" (PDF). Center for Strategic and International Studies (CSIS). Archived from the original (PDF) on June 30, 2019. Retrieved June 28, 2020.
  22. Park, Ju-min; Pearson, James. Gopalakrishnan, Raju (ed.). "Exclusive: North Korea's Unit 180, the cyber warfare cell that worries the West". Reuters. Archived from the original on May 21, 2017.
  23. Waterhouse, James; Doble, Anna (May 19, 2015). "Bureau 121: North Korea's elite hackers and a 'tasteful' hotel in China". BBC News. Retrieved April 27, 2017.