Since the 1980s, the reclusive North has been known to train cadres of digital soldiers to engage in electronic warfare and profiteering exploits against its perceived enemies, most notably South Korea and the United States.

Share story

SEOUL, South Korea —

They take legitimate jobs as software programmers in neighbors of their home country, North Korea. When the instructions from Pyongyang, the capital, come for a hacking assault, they are believed to split into groups of three or six, moving around to avoid detection.

Since the 1980s, the reclusive North has been known to train cadres of digital soldiers to engage in electronic warfare and profiteering exploits against its perceived enemies, most notably South Korea and the United States. In recent years, cybersecurity experts say, the North Koreans have spread these agents across the border into China and other Asian countries to help cloak their identities. The strategy also amounts to war-contingency planning in case the homeland is attacked.

This force of North Korean hacker sleeper cells is under new scrutiny in connection with the ransomware assaults that have roiled much of the world during the past few days. Signs have emerged that suggest North Koreans not only carried out the attacks, but that the targeted victims included China, North Korea’s benefactor and enabler.

While there is nothing definitive to link the attacks to North Korea, similarities exist between the ransomware used to extort computer users into paying the hackers and previously deployed North Korean malware codes.

Moreover, North Korea has in the past timed cyberattacks to coincide with its banned weapons tests — like the ballistic missile launched Sunday — as a way of subtly flaunting the country’s technological advances despite its global isolation.

Unlike its missile and nuclear-weapons tests, however, North Korea has never announced or acknowledged its computer-hacking abilities; if anything, the country has denied responsibility for hacking and other forms of computer crimes.

It also is possible that North Korea had no role in the attacks, which exploited a stolen hacking tool developed by the National Security Agency (NSA) of the United States. Early Tuesday, the Shadow Brokers, the hacking group that spread the tool and is not believed to be linked with North Korea, threatened in an online post to start a “Data Dump of the Month” club, in which it would release more NSA hacking methods to paying subscribers.

Security officials in South Korea, the United States and elsewhere say it is well-known that the North Korean authorities have long trained squads of hackers and programmers, both to sabotage computers of adversaries and make money for the government, including through the use of ransomware — malicious software that blackmails victims into paying to release seized files.

Choi Sang-myung, an adviser to South Korea’s cyberwar command and a security researcher at Hauri, said the arithmetic logic in the ransomware attacks that began Friday and have hit more than 100 countries, including China, is similar to that used in previous attacks against Sony Pictures and the Swift international bank-messaging system, both of which were traced to North Korea. He also said the technique used by the ransomware to erase a computer’s files resembled that used by the Lazarus Group, the name experts use to identify a North Korean group deemed responsible for the Sony assault.

Security experts at Symantec, which has accurately identified attacks mounted by the United States, Israel and North Korea, found early versions of the ransomware, called WannaCry, that used tools that were also deployed against Sony Pictures Entertainment, the Bangladesh central bank last year and Polish banks in February. U.S. officials said Monday that they had seen the same similarities.

All of those attacks were linked to North Korea; President Barack Obama formally charged the North in late 2014 with destroying computers at Sony in retaliation for a comedy, “The Interview,” that envisioned a CIA plot to kill Kim Jong Un, the country’s leader.

This would not be the first time North Korean hackers have resorted to ransomware attacks. In a hack last year of Interpark, a South Korean e-commerce provider, North Korean hackers used ransomware to hijack its systems and demanded payment in Bitcoin, a digital currency.

Boo Hyeong-wook, a research fellow at the government-financed Korea Institute for Defense Analyses in Seoul, said the scale of the most recent attacks was large enough that it was likely to have been supported on a national level.

He also said it would be a logical extension of the growing boldness of North Korean hackers to exploit their abilities to raise much-needed funds for the government, which has been starved of cash by international sanctions.

While North Korean hackers have for years operated out of China, defectors and South Korean officials say they have been spreading to Southeast Asian countries, where government monitoring is less intense.

In countries like Malaysia, many North Korean hackers are believed to work undercover at information-technology companies and other jobs with the veneer of respectability. Sometimes, the hackers will also run online gambling sites or use ransomware to raise funds for themselves.

Cybersecurity officials in South Korea and elsewhere say that when instructions come from their superiors in North Korea, these hackers are activated to attack targets.

North Korea began training electronic-warfare soldiers well before the internet era, according to defectors and South Korean officials. They selected mathematical prodigies when they were 12 or 13 and trained them to become software developers, online psychological-warfare experts and hackers.

They were also trained in foreign languages so that they could operate abroad. North Korea sends students to study in Russia and China, and more recently India, to learn software and programming techniques. They return home and some are hired as hackers.

The Workers’ Party and the Korean People’s Army are believed to run their own hacking operations, creating competition. That has led some to speculate that North Korean hackers sometimes leave clues behind, in part to ensure they get credit and win promotions in North Korea.

If the North Korean hackers were responsible for the disruptions suffered by Chinese computer users, that would constitute an extraordinary assault on North Korea’s most important neighbor.

Although China is a hotbed of malware, ransomware and all sorts of other malicious computer code, there is almost no example of North Korean hackers targeting the country to raise money.

Boo said the changing dynamics in the relationship between China and North Korea, which once described themselves as close as “lips and teeth,” could be why China was attacked. “China has dialed up the pressure on North Korea,” Boo said. “Pyongyang faces the increased possibility that Beijing could abandon it. It made a loud statement.”