As the internet quickly expanded across the globe and changed the nature of business and communication, Western nations capitalized on its capabilities. Authoritarian regimes felt threatened by the internet’s potential for damaging the regime’s power structure. In the 1990s, Kim Jong-il, father of current North Korean leader Kim Jong-un, restricted internet access, usage, and technology in his country. Eventually, Kim Jong-il’s attitude shifted after recognizing the potential benefits of the internet. The North likely received assistance from China and the Soviet Union to begin training a rudimentary cyber corps during the 80s and 90s. Cyber was and still is reserved explicitly for military or state leadership use.
The expansion of North Korea’s cyber program continued under Kim Jong-un, who today seeks to project military might by displays of a capable nuclear program. But Kim Jong-un, who possesses a degree in computer science, also understood the potential for cultivating cyber power. For North Korea, cyber is not just an asymmetrical medium of warfare, but also a method of surveillance, intelligence-gathering, and circumventing sanctions. Within the last decade, North Korea has demonstrated an impressive understanding and application of offensive cyber competence. Several experts and reports estimate North Korean cyber forces range from 1,800 to upwards of 6,000 professionals. Internet access is reportedly routed through China, which lends added difficulty to attribution but provides a measure of defense. North Korea is largely disconnected from the rest of the world and maintains a rudimentary internet infrastructure. The disconnect between the state and the internet leaves a significantly small and less vulnerable attack surface for other nations to exploit.
Little information is available regarding the internal structure of North Korea’s cyber forces. What is thought to be known suggests an organizational hierarchy that operates with some autonomy to achieve designated mission priorities. Bureau 121, No. 91 Office, and Lab 110 report to North Korea’s Reconnaissance General Bureau (RGB). Each reportedly operate internally and externally from Pyongyang. Bureau 121’s main activities include intelligence gathering and coordinating offensive cyber operations. Lab 110 engages in technical reconnaissance, such as network infiltration and malware implantation.