Case File #0086
Unit 121
"These hackers are considered an elite part of the North Korean social hierarcy"
With the ever-growing advancement of computer systems, cyber crime has become a global problem with talented and skilled hackers able to circumvent complex security systems and steal consumer details, corporate information and large sums of money in the blink of an eye. In the U.S, the cost of cyber crime was upwards of $100 billion every year and that number is rising. However, computer crime is not just undertaken by lone individual hackers or even groups such as Anonymous, but by state sanctioned cyber divisions who launch sophisticated online warfare on an international scale with the intention of destabilising foreign governments through the use of cyber espionage.
In the 21st century most major nations and global powers have their own cyber crime agencies to combat this growing threat. In Britain, the NCA's National Cyber Crime Unit was established to provide an effective response to cyber threats, whilst the U.S has a sophisticated cyber division within the FBI, the Computer Network Operations of the NSA, whilst the PLA Unit 61398 is the military cyberwarfare agency of the People's Republic of China.
The secretive and isolationist country of North Korea has one of the most dedicated and extensive cyberwarfare divisions in the world. Unit 121 was created in 1998 and was later absorbed as one of six bureau's of the Reconnaissance General Bureau, which is the designated intelligence agency of the North Korean military. Army General Kim Yong-chol was the first director of the RGB from February 2009 until January 2016 when he was succeeded by General Pak Yong-sik. The RGB undertakes clandestine operations to gather intelligence on both foreign nationals as well as it's own citizens, and to protect against external threats. These external threats are primarily identified as South Korea, Japan and the United States.
The North and South are technically still at war, and the Northern Government affords millions of dollars to fund their cyberware divisions. Unit 121 is allegedly made up of over 5000 personnel, although the exact number is unknown, who are handpicked graduates from the University of Automation in Pyongyang. Over 2,400 potential applicants apply each year, however only those considered to possess the best and most advanced skills are accepted, and are then sent to either China, Japan or Europe where they spend the next 5 years training in various aspects of computer code, database systems and hacking methods. Because of the rigorous training involved, North Korean cyberware departments, specifically Unit 121 is composed of some of the worlds most talented computer experts.

Kim Jong-Un

North Korean Hackers

These hackers are considered an elite part of the North Korean social hierarchy, and their families are afforded special privileges, being housed within the headquarters of the RGB. The normal citizenry of North Korean are not afforded access to the internet, but are instead allowed to use a restricted national intranet, which is strictly controlled and monitored. Although Unit 121 is considered the primary cyber division within the RGB, there are several other departments which are known to conduct cyberwarfare operations. These include, Unit 180, Lab 110, the Lazarus Group and No. 91 Office, which are all involved in illegal cyber activities. However, these various divisions appear to work more or less independently and have not been formed into an overarching cohesive unit.
Unit 180 conducts subversive operations to obtain illegal revenue for the regime and was suspected of involvement in the February 2016 Bangladesh Bank cyber heist as well as the May 2017 WannaCry ransomware attack. Although not much is known about Lab 110, they are suspected of operating in much the same way. The Lazarus Group, also known as HIDDEN COBRA, are another group suspected to have links with North Korea, and are possibly a smaller state funded hacking group who are suspected of involvement in the November 2014 Sony Hack in America. No. 91 Office is believed to be the headquarters of the cyberwarfare units, however little is known of it's functions.
Unit 121 is believed to operate in numerous countries and smaller cells have been set-up in most foreign countries with one suspected location in the Chilbosan Hotel in Shenyang, China. Whilst these units operate independently of one another, they all report directly to the National Defence Commission and to Kim Jong-Un himself, who is the supreme commander of Korean People's Army. Most attacks from North Korea's cyberwarfare bureau are mostly undetected and un-reported, however some of the most complex and high profile cyber crimes have been attributed to Unit 121 and the other various groups operating on behalf of the RGB.
One of the earliest attacks attributed to groups associated with North Korea took place in 2007, and involved the utilisation of first generation malware virus attacks which targeted the South Korean government. This incident had been referred to as "Operation Flame", and was believed to have been undertaken by the Lazarus Group. On 04 July 2009 cyber criminals targeted Government websites in both the U.S. and South Korea in what were described as large scale distributed denial of service (DDoS) attacks which were later blamed on North Korea. A DDoS attack occurs when multiple compromised systems, which are often infected with a Trojan virus and distributed by botnets, are used by the attacker to target a single victim. The target is flooded with incoming traffic from potentially thousands of different sources which makes it extremely difficult to differentiate between legitimate user traffic and those controlled by the hacker, and as such is impossible to stop by blocking any single one source.
In what would be described as an unsophisticated attack, the hackers utilised the Mydoom and Dozer malware to launch large-scale DDoS attacks on the websites. The targets were around three dozen websites, which were compromised and replaced with the text, "Memory of Independence Day" in the master boot record (MBR). The hackers also wiped data on the targeted Government PC's in Seoul, and was the primary purpose of the attack which is believed to be the first of several which became part of a clandestine undertaking known as "Operation Troy".
In March 2011, Unit 121 was believed to be responsible for attacks which became known as "10 Days of Rain" and involved the use of DDoS attacks against major South Korean websites and others operated by the U.S. military. This attack was considered by security experts to be more effective than previous attempts, indicating that the cyber groups were growing more sophisticated in their skills and abilities, whilst utilising a wide range of techniques and tools. These attacks targeted South Korean media, financial institutions and critical infrastructure and involved compromised computers within South Korea. Further attacks in 2011 included a DDoS attack on South Korea's Nonghyup Bank in April which was linked to previous attacks, and in August when South Korean Police accused North Korean hackers of stealing around $6 million in prize money from online gaming sites. In November 2011 an attempt was made to hack the email system of Korea University's Graduate School of Information Security. Operation Troy continued into 2012, when the Conservative South Korean Newspaper Joong Ang Ilbo was targeted in a cyber attack which destroyed databases. North Korea was highly suspected because one week earlier threats were made against the newspaper because of its coverage of the Northern country.
On 20 March 2013, one of the largest attacks was perpetrated, which paralysed the networks of three major South Korean TV broadcasting companies, financial institutes, and an ISP. In the same attack an attempt was made to wipe the hard-drives of computers through the use of a compromised ATM banking network. A further attack saw the DSN servers belonging to government websites taken offline for several hours and at the same time, North Korea's connection to the global internet was disrupted for 36 hours.
In retaliation to these attacks, the hacking group Anonymous targeted North Korean websites, and succeeded in breaking into a major North Korean news portal, and subsequently posted the names and account details of thousands of subscribers. South Korean officials later traced the attack to a Chinese IP address, which further increased suspicions that North Korean cyber units were behind the incident because North Korea regularly uses Chinese computer addresses to conceal cyber-attacks. At the time two independent groups, NewRomanic Cyber Army Team and WhoIs Team took credit for the attack, however it was later believed by researchers that Unit 121 was assisted in this attack by the Lazarus Group. Other sources attributed these and previous attacks to a smaller group of hackers known as "The DarkSeoul Gang" who are believed to consist of between 10 to 50 members, who possess unique skills and specialise in the infiltration of websites.
In June 2014, news reports of an American comedy film which depicted the assassination of North Korean Kim Jong-Un caused considerable attention around the world. The reaction from North Korea was hostile and the Korean Central News Agency (KCNA), reported that the government of Kim Jong-Un had made threats and promised there would be stern and merciless retaliation if the film was released. The comedy film in question, the Interview, was produced and directed by Seth Rogen and Evan Goldberg and starred Rogen and James Franco as American journalists who were recruited by the CIA to assassinate Kim Jong-Un during an arranged interview with the reclusive North Korean leader. Because of the threats made by the North Korean Government, the films release was reportedly pushed back from October until December 2014.

The Interview

Kim Jong-Un

On 24 November 2014, a post on Reddit claimed that Sony Pictures had been hacked, despite no official press release from the company. It was later verified that Sony had indeed been hacked by a group which referred to themselves as the "Guardians of Peace". The attackers were able to hack their way into the Sony network, which left it offline for several days. The hack had penetrated deep into the network and the hackers were able to gain access to information on unreleased films, as well as internal emails and personal information on approximately 4,000 former and current Sony employees. The group made several communications with Sony and by December had sent a private message to Sony Executives stating they would not release any information on the condition that the Interview was not released. Subsequently some theatres in America decided not to show the movie, whilst others were given the option by Sony. However, by the late December Sony had pulled release date for the film and had no further plans to release it on any platform. Eventually over 300 mostly independent movie theatres decided to screen the movie on Christmas Day despite the four major theatre chains refusing to reverse their decision.
The American government stated their belief that North Korea was centrally involved in the hacking, and claimed to have evidence which linked this incident to previous hacking attacks conducted by North Korea. The North Korean government rejected all accusations of complicity in cyber operations and maintained that Unit 121 was not involved in any of the hacking attempts. It is strongly believed the Lazarus Group, in conjunction with Unit 121 were responsible for the Sony Hack. Unit 121 now received international attention because of this incident and its operatives were now strongly suspected to have been involved in many previous hacking attempts, including the planting of malware in around 20,000 smartphones and 30,000 South Korean computers which were hacked during 2014.
It is believed by some that Unit 180 of the RGB was involved in an attack in which $81 million was stolen from Bangladesh Bank's account at the Federal Reserve Bank of New York through the use of Dridex malware. Initially five transactions were requested via the SWIFT network to the combined total of $101 million, which succeeded. However, $20 million was later traced by the US to Sri Lanka and was recovered. At the request of the Bangladesh Bank another thirty transactions were blocked by the Federal Reserve Bank of New York which amounted to $851 million. North Korea was increasingly becoming more involved with cryptocurrency and in February 2017 hackers later identified as associated with Unit 121 stole $7 million from the South Korean bitcoin exchange Bithumb.
It is also suspected that Unit 180, in a coordinated attack under Unit 121 were behind the WannaCry ransomware attack of 2017. The Wannacry is described as a ransomware cryptoworm which targeted computers running on the Microsoft Windows operating system and encrypted data, locking access to the user and demanding a ransom in order to regain control of the system. The attack began on 17 May 2017 and reportedly infected some 230,000 computers in over 150 countries. All infected computers systems were required to pay between $300 and $600 via bitcoin for the decryption of files. Security experts found malicious code which they attributed to previous attacks conducted by North Korean units, specifically the Lazarus Group.
Unit 121 and the other various hacking groups associated with the RGB continue to be involved in large-scale cyber attacks, targeting numerous countries and are involved in a wide range of activities, including bitcoin mining, hacking, ransomware and cyber-theft as a way of circumventing the economic and financial sanctions imposed by the U.S government because of the secretive Northern states refusal to abandon it's nuclear capabilities.

Written by Nucleus