TAG, the Google Threat Analysis Group, recently revealed how it had detected and disrupted an ambitious North Korean effort to use social engineering to persuade Internet security specialists to look at an interesting document of mutual interest. The document included malware that was capable of infecting the recipient's PC and any network that PC was connected to. The recipients soon discovered the true malicious nature of what they had received, developed a procedure to fix any damage and then informed the rest of the Internet security about what happened. It was eventually discovered that the perpetrator of this malware distribution effort was North Korea, which would secretly receive useful data from any system that was infected with their malware.
North Korea has long been regarded as an APT (Advanced Persistent Threat) and a major practitioner of Cyber War because of its hacking efforts that attempt to steal money and information. The North Korean efforts often succeed and bring in nearly a billion dollars a year on average and more in some years.
North Korea has maintained and expanded its hacking capabilities for years and took part in the worldwide expansion of professional hacking groups. One side effect is the creation of many tools and techniques hackers created to carry out these Cyber War attacks. What this all means is that nations see Cyber War weapons as major components of their military power because the Cyber War weapons available keep getting more effective. This evolution came into focus since the Internet and the World Wide Web became widely used and truly international after 2000. Within a decade, researchers began to encounter major APTs. Since then, the APTs have become scarier. Consider TajMahal and the White Company. These major malware producers and users came to be called APTs and that said it all. The White Company was discovered in 2017 by computer security companies as this new APT quietly tried to hack its way into Pakistani Air Force networks. White Company was deliberate, effective and discreet. It was called the “white” company because the group placed a premium on concealing its operations as well as its origins. This sort of thing was first noted in 2010 when Stuxnet was discovered and attributed to an Israeli-American state-level effort that produced a very elaborate, professional and stealthy bit of malware that did major damage to the Iranian nuclear program. In 2018 Iran was hit with a similar attack but this Stuxnet-like malware was even more elaborate, its source is still unknown and the Iranians would rather not talk about it. In 2020 there was another well publicized series of Cyber War battles between Israel and Iran.
North Korea took this further. For example, in 2020 they established yet another specialized college for intelligence operations. The Mangyongdae Revolutionary Academy offered a three-year course for international IW (information warfare) specialists. Students in this course will also study the detection and monitoring of radio traffic, including location of radio signals. These tech elements are already taught at Mangyongdae but not as intensively as will be the case with the new IW major. Another important area of study is how to block certain types of wireless communications at the North Korean border. This will include unwanted cell phone signals.
Prime candidates for the new course are younger (under 30) officers who demonstrate technical skills on the entry exam. Those who get into the course and graduate will have much improved career and promotion prospects. This new specialty is the latest of several new programs at Mangyongdae that are only available to the most loyal and capable upper-class North Koreans.
This new IW course is part of a trend. During the last five years, North Korea has established a program for foreign agents that was only open to members of the elite North Korean families. The children of these families are eligible to attend the Mangyongdae Revolutionary Academy, but many courses of study are only open to applicants with special aptitudes. Graduates of Mangyongdae are likely to get the most senior government and military jobs and there are only about a hundred graduates a year. A growing number of those graduates have gained some very special skills. There is a computer science program for Mangyongdae students seeking to become foreign agents in “enemy” countries, especially South Korea. These agents are trained to hunt down high-level defectors in foreign countries and either arrange to kill the defector or at least find out how the defector is doing, how many secrets they have divulged and, if possible, persuade the defector to shut up or even return to North Korea.
To accomplish this “defector remediation” task the Mangyongdae students are taught the latest hacking techniques, what tools and mercenary hackers are available in the hacker underground and how to deal with the tools, and the mercs, to put together specialized efforts to track down defectors and monitor them. This means the Mangyongdae must be able to pass as a South Korean, as in speak with a South Korea accent, as well as use the customs and slang. This is to make it possible to assume a false identity convincingly and play the role of an Internet criminal. There are a lot of those in both Koreas.
As important as all these skills are, the most important item is loyalty to North Korea. The Mangyongdae agents go after the growing number of high-level North Koreans who are illegally leaving the country. The agents are trained to use social media to seek out known or suspected defectors, make contact and obtain more information about them.
Since 2005 North Korea has been increasingly concerned about key people defecting to South Korea or simply getting into China and making asylum deals with the Chinese government. The Chinese have always been receptive to such arrangements and there have been more of this as the hundreds of families at the top of the social pyramid in North Korea get out. This is a risky endeavor although there are more and more people smugglers who, for enough money, can get anyone out of the country. Worse, many senior officials became defectors while already outside North Korea on official business. There they can arrange to disappear and defect. Some of these defectors have been diplomats and some of them were senior enough to be noticed when they disappeared.
These high-caste North Koreans report that there is a sense in the ruling families that the system isn’t working and is doomed. The top people in North Korea are easy to identify. When North Korea was founded in the late 1940s, a caste system was established to ensure that the most loyal and capable North Korean communists were recognized and rewarded for their efforts to maintain the new communist government for generations to come. The newly established secret police and communist party reported on everyone, making it possible to create an official list of every family assigned to one of 51 social classes. From the beginning, most (29) of these classes were composed of people considered either hostile to the government or leaning that way. These new lower classes are where most of the new (and often quite wealthy) donju (entrepreneurs) are coming from. Most of the population falls into these 29 social classes, and many of them are now getting increasingly hostile to a government that seems to do nothing but create one disaster after another.
Members of higher-caste families are catching on as well and younger members are increasingly abandoning promising careers to flee the country. All that bribe money making its way to the higher caste North Koreans doesn’t just go to buy an easier life in North Korea because that is already assured if you are high caste. The bribe money often goes to buy an escape. To deal with this problem among the most trusted classes, another special program at the Mangyongdae Revolutionary Academy created elite counter-intelligence (spy catcher) agents who often operate in China and South Korea. Apparently, some of the Mangyongdae agents have been identified or even caught and this program is no longer as secret as it once was. Meanwhile, the Mangyongdae Revolutionary Academy and its ultra-loyal students get a lot more publicity inside (and outside) North Korea.
In addition to tracking down high-caste defectors, some Mangyongdae graduates are also assigned to monitor the loyalty of North Korean hackers working outside North Korea. North Korean defectors have revealed much about how North Korea has managed to establish and maintain hacking operations outside North Korea, an operation whose main purpose is to make a lot of money for the cash hungry North Korea government. This became a higher priority operation because of the growing list of economic sanctions imposed, while at the same time there were more opportunities for Internet-based misbehavior. Some of these defectors were associated with the North Korean hackers who are, it turns out, mostly based outside North Korea because Internet access is better and operating outside North Korea makes it easier to deny that North Korean hackers are engaged in illegal activity. South Korea has obtained a lot of details about the North Korean hacker operations and even allowed some defectors familiar with those operations to speak openly about it. Obviously many of these North Korean hackers are not as loyal as they are supposed to be so North Korea became determined to identify and punish the ones that defect and expose how the hacker program works. Each time that happens North Korea has to revise the way its hackers operate. This is time-consuming and expensive.
The Mangyongdae agents are also trained in the usual methods of secretly contacting “the center”, usually via North Korea operatives based outside of North Korea and able to relay messages to and from North Korea itself. The skills North Korea hackers have developed are world-class and increasingly difficult to counter or even detect. But this edge in skills and techniques depends on having loyal operatives in key positions, thus the importance of the Mangyongdae agents.
Deceased (since 2011) North Korean leader Kim Jong Il had always been a big fan of PCs and electronic gadgets in general. Kim Jong Il founded Mirim College to train hackers and backed this new school consistently. The only instance of displeasure from Kim Jong Il was suspicions about those who graduated from Mirim between 1986 through the early 1990s. These Mirim graduates had been tainted by visits (until 1991) by Russian electronic warfare experts. Some Mirim students also went to Russia to study for a semester or two. All these students were suspected of having become spies for the Russians, and most, if not all, were purged from the Internet hacking program. Thus, it wasn't until the late 1990s that there were a sufficient number of trusted Internet experts that could be used to begin building a Cyber War organization.
South Korea has to be wary because South Korea has become more dependent on the Internet than any other on the planet, with the exception of the United States. As in the past, if the north is to start any new kind of Internet mischief, they try it out in South Korea first. While many of the first serious attacks in 2009 were more annoying than anything else, they revealed a new threat out there, and one that not only got worse but turned out to be from the usual suspects. Now the threat is very real and growing rapidly. North Korea is seeing its Internet-based capabilities damaged by the growing number of high-level defectors with valuable secrets to sell to China, South Korea or whoever will pay the most. Given the worldwide depredations of North Korean hackers, this provides defectors with a lot of potential hiding places. This led to the Mangyongdae Academy programs for specialized agents. Now some of the Mangyongdae grads are suspected of wavering loyalty and reliability. North Korea may lack food, electrical power, freedom and much more but there is no shortage of paranoia.