According to defectors, Bureau 121 is one of six divisions of North Korea’s General Bureau of Reconnaissance that is charged with cyber-intelligence operations. The bureau was created in 1998 and it consists of ~1800 handpicked hackers who are allegedly the “most talented and rewarded personnel within the North Korean military” according to a Reuters interview with a defector known as Jang Se-yul. Students are recruited directly from the University of Automation and paid relatively significant sums.

North Korea uses cyber warfare as a cost effective intelligence branch of their military. Many in North Korea see cyber warfare as their strongest weapon. Bureau 121 most frequently targets South Korea, Japan, and the United States. Bureau 121 targets financial institutions and media companies. In one March 2014 attack, 30,000 South Korean servers associated with banking and media broadcasting outlets were damaged. These systems were infected with Dark Seoul malware and they displayed messages claiming that they were hacked by the Whois Team. In November 2014, Sony Pictures’ email server was hacked by a group claiming to be called the Guardians of Peace, in response to the upcoming release of the movie “The Interview” because it portrays a story and portrayal that is unflattering to Kim Jong-un. An estimated 100 terabytes of data were exfiltrated from Sony before the Wiper Trojan was used to delete the servers. The information contained emails, unreleased films, employees’ personal information and financial information. Threats were also made against Sony that contained imagery reminiscent of the September 11, 2001 attacks.

The FBI, Obama Administration, and the NSA have attributed the Sony breach to North Korea. Members of the press and some security researchers doubt the evidence attributing the Sony attack to North Korea. North Korea may not have been capable of exfiltrating hundreds of terabytes of data.

The Whois Team and the Guardians of Peace attacks are very similar. Both attacks were relatively unsophisticated and both attacks offered a moniker of a previously unheard of group. The procedure of each attack was to install malware through phishing campaigns, steal data, lock down the infected systems, display a banner message claiming responsibility, and then using malware to wipe the system.

Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Consent to display content from Youtube
Consent to display content from Vimeo
Google Maps
Consent to display content from Google