Underground network of North Korean hackers are operating in China, defector says
They're based in Shenyang, defector says, near the North Korean border
North Korean embassy in Beijing and other government officials declined to comment
On the streets of the neon-lit Chinese city of Shenyang, you’ll find a restaurant, hotel, and other businesses owned and operated by the North Korean government.
You’ll also find a secret network of North Korean hackers, known as Bureau 121, according to defector Kim Heung-Kwang.
“It’s easy for them to work secretly. It also has great Internet infrastructure,” says Kim Heung-kwang, a former Pyongyang computer science professor who escaped North Korea in 2004.
Kim says some of his own students became cyber warriors for the hacker network.
“By day, they worked regular jobs. But the rest of the time, they were acting on orders from Pyongyang,” he says.
What is ‘Bureau 121’?
Kim claims North Korean hackers operated secretly in Shenyang for years, moving from location to location to conceal their whereabouts and activities.
“Bureau 121 began its large-scale operation in China in 2005. It was established in the late 90s,” Kim says.
“Team members entered China separately – in smaller groups – 20 members at a time,” he says. “When they entered China, they came under different titles. For example an office worker, an official with a trade company or even as a diplomatic staffer.”
Long before North Korea had its own Internet, it dialed in to servers in Shenyang, in Liaoning Province, in the country’s north.
Today, nearly all of North Korea’s Internet traffic is still routed through China.
Kim says the operation in China scaled back considerably a few years ago, when North Korea expanded its high speed Internet access. But he believes hackers are still operating in Shenyang.
“North Korea does have illicit activities in China,” says Steve Sin, a terrorism expert at the University of Maryland and former U.S. military intelligence analyst.
Sin wrote a report naming the northeastern Chinese city of Shenyang as a North Korean hacker hub. “It has the location, security, as well as infrastructure,” Sin says.
“Right now, the best information available to us is that they are still conducting such an operation and they can still conduct such an operation from that location.”
The North Korean embassy in Beijing, and government officials reached by email in Pyongyang, tell CNN they have no comment on Kim’s claims. For its part, China says it opposes any illegal cyber activity on its territory.
For a Chinese city, Shenyang has a distinctly North Korean flavor.
At the state-owned “Pyongyang Restaurant,” waitresses told us they came to China on what is considered a prestigious three-year assignment. They say they’re all from the same university in Pyongyang. They serve “North Korean meals,” in far more substantial portions than the food rations at home.
They also sing and entertain customers with popular folks songs like “Arirang,” considered the “unofficial anthem” for both North and South Korea.
A short drive away is state-owned The Chilbosan hotel, a joint venture between North Korea and China.
The women who work in the hotel wear traditional North Korean clothing. There is an art gallery featuring pieces that glorify North Korea, a gift shop with Pyongyang souvenirs, and even a travel office for North Korea’s state-owned national airline “Air Koryo.”
There is also a marketplace – which caters to Shenyang’s large Korean community. And not far from the government business, there’s a North Korean consulate.
As the biggest Chinese city near North Korea, Shenyang is a place where many from Pyongyang come to work. According to Sin, they also come to hack.
“If you are going to conduct illicit activities or covert operations, it’s better to hide among this population, if you will,” Sin says.
“Large, complicated attacks require a certain amount of cyber infrastructure to carry it out. Shenyang, China has that capability.”