A secret network of North Korean hackers known as “Bureau 121” work out of the Chinese city of Shenyang, according to North Korean computer science professor.
“It’s easy for them to work secretly. It also has great Internet infrastructure,” Kim Heung-kwang, a former teacher in the North Korean capital of Pyongyang, told CNN.
“Bureau 121 began its large-scale operation in China in 2005,” Kim, who escaped North Korea in 2004, told CNN. “It was established in the late 90s.”
The US government has accused North Korea of hacking American-based Sony Entertainment, a cyberattack which reportedly destroyed about three-quarters of the computers and servers at the studio’s main operations.
US Director of National Intelligence James Clapper said that he suspects his North Korean counterpart, General Kim Youn Chol, ordered the hack.
A different North Korean defector who took classes with the hackers that are now in Bureau 121 told Business Insider that the hackers are taught “to develop its own hacking programs and computer viruses without having to rely on programs already built in the outside world.”
The malware that wiped Sony’s systems bears resemblance to malware previously linked to North Korean hackers. The US says there is a body of evidence, some of it currently classified, that points to Pyongyang.
On Wednesday FBI Director James Comey said that threats made against Sony were traced to IP addresses used exclusively by the North Koreans.
‘The location, security, as well as infrastructure’
Many North Koreans work in Shenyang as the city is the largest Chinese metropolis near North Korea.
Kim said that some of his students went on to join North Korea’s army of an estimated 6,000 government hackers, working regular jobs during the day while otherwise concealing their whereabouts and activities in the city.
“Team members entered China separately — in smaller groups — 20 members at a time,” he says. “When they entered China, they came under different titles. For example an office worker, an official with a trade company or even as a diplomatic staffer.”
Will Ripley of CNN notes that North Korea used to dial in to servers in Shenyang long before Pyongyang had Internet. Today, all North Korean internet traffic passes through China and specifically through a single meta-network based in Shenyang.
Steve Sin, a terrorism expert at the University of Maryland and former US military intelligence analyst who wrote a paper about North Korea’s hacking hub in Shenyang, told CNN that the city “has the location, security, as well as infrastructure.”
He added: “Right now, the best information available to us is that they are still conducting such an operation and they can still conduct such an operation from that location.”
And Shenyang has a “distinctly North Korean flavour,” according to CNN.
“At the state-owned ‘Pyongyang Restaurant,’ waitresses told us they came to China on what is considered a prestigious three-year assignment,” Ripley reports. “They say they’re all from the same university in Pyongyang. They serve ‘North Korean meals,’ in far more substantial portions than the food rations at home.”
The mileu is reminiscent of the rural North Korean logging camps in Russia, where North Koreans live in North Korean-themed camps while chopping down trees in Siberia. Vice News visited the region in 2011:
“So, we’re here, in a North Korean logging camp in the middle of Siberia.” – @SimonOstrovsky https://t.co/lch2wkN53G pic.twitter.com/Kt4zWJIiBX
— Michael B. Kelley (@MichaelKelleyBI) December 24, 2014
The notion that China may have abetted the attack raises the stakes considerably as the US seeks ways to deter cyberwarfare on US-based companies.
“The only lever that I can see is China,” Dave Aitel, a former NSA research scientist and CEO of the cybersecurity firm Immunity, told Business Insider in an interview. “And what you may see is that it comes out there were some Chinese resources involves in this, and then pressure them to get on board.”
The Sony hack’s rapid, destructive nature contrasts with China’s strategy of slowly siphoning off intellectual property such as military technology and business information “to learn about how a company might approach negotiations with a Chinese company,” according to FBI Director James Comey.
“China’s involvement is the elephant in the room,” Aitel told Busines Insider in a separate email. “Asking China to help with NK may allow them to save face by disentangling them from the regime. But eventually we have to address the Chinese uber-espionage program that is doing the same kind of damage NK did to Sony to many US corporations, just slower.”
Business Insider Emails & Alerts
Site highlights each day to your inbox.