Kay Kyoung-ju Kwak, a South Korean cybersecurity researcher, can usually tell when malware emanates from his neighbors to the north: They drop clues in the malicious code that show they understand their adversary. “Sometimes they put a K-pop star name in there,” he says, laughing. “They don’t like BTS.” (Instead, he says, they prefer the all-female ensemble Girls’ Generation.) Kwak says he’s also stumbled across digital evidence of North Koreans illegally downloading South Korean soap operas, presumably to entertain themselves when their shifts end.
Kwak is a threat researcher at the Seoul-based cybersecurity firm S2W Inc., where he oversees a team of about 20 cybersecurity specialists called the Talon Group. The majority of them have expertise in North Korea, and they work with international law enforcement to thwart North Korean hacking attempts. The company also has private-sector clients in e-commerce, automotive, semiconductors, and biotech.
The work can be tedious, frustrating, and, on occasion, hugely rewarding: Kwak was among the first to identify a new North Korean hacking group several years ago, christening it Andariel, after a demon also known as the Maiden of Anguish in the role-playing video game Diablo II.
The regime of Supreme Leader Kim Jong Un has developed hacking as an effective tool for stealing military intelligence, raising money for the cash-strapped country, and punishing adversaries. Its hackers announced themselves with the 2014 attack on Sony Pictures Entertainment, in which state-sponsored hackers stole and leaked sensitive content in apparent retaliation for The Interview, a comedy centered on a plot to assassinate Kim. Since then, North Korea’s hackers have been accused of stealing $81 million from Bangladesh Bank in 2016, launching global WannaCry ransomware attacks in 2017, and targeting pharmaceutical companies and cryptocurrency firms.
“When it comes to national security, South Korea is still the target, yet in regards to cybercrime and stealing funds, they’re doing that all over the world,” says Bruce Bechtol Jr., a professor of political science at Angelo State University who’s written several books on North Korea.
While most of Kwak’s colleagues stroll in after lunch, North Korea’s hackers clock in at 9 a.m. Seoul time, then work on a more rigid schedule, taking a break for lunch, a two-hour dinner, and finally wrapping up at 11 p.m., Kwak says. The US Army estimates there are about 6,000 North Korean hackers in operation.
Some of them work domestically, but North Korea has also built an overseas infrastructure for its hackers, according to the United Nations and the US Army. They operate from “nests” in places like Malaysia, China, and Russia, where cyber experts say the governments tolerate their presence. North Korean hackers abroad are assigned a quota in dollars they have to procure through their illicit work before they can consider going home, says Kwak. “They have a mission to get $100,000 to go back to North Korea,” he says. “So they will take anything that can be monetized.”
North Korean hackers had a banner year in 2021, stealing $400 million in cryptocurrency, according to a January 2022 report from the blockchain analysis firm Chainalysis. That haul was eclipsed by the $600 million they allegedly lifted from a cryptocurrency gaming startup in a single attack in March.
The North Koreans have managed to do this in a country with a shrinking economy that’s under punishing international sanctions, where modern technology, including phones and computers, is especially rare. “These are the most innovative people. They are so used to working in a sanctioned environment,” says Michael Barnhart, an analyst at the cybersecurity firm Mandiant Inc., of the country’s digital spies. “They only know what it’s like to run with ankle weights on, so when they have access to something that would seem to be a basic tool to us, to them it’s incredibly useful.”
A hockey-playing father of two, Kwak first got interested in cybersecurity while he was a freshman at Sungkyunkwan University studying computer science. He joined the campus information security club, which doubled as the university’s IT department. The students discovered hackers trying to take over the university servers and distribute malware.
He joined S2W, which stands for Safe and Secure World, two years ago. Kwak now works out of the company’s headquarters in Pangyo Techno Valley, South Korea’s version of Silicon Valley, in an office outfitted with standard-issue startup gear: beanbag chairs, a Jenga set, a Nintendo Switch system, and an oversize video monitor. The analysts sit in cubicles outfitted with two screens: one for scanning the web, another for code analysis. (There’s often an extra keyboard or laptop for messaging team members.) After figuring out ways to decrypt malicious code, they study and compare it to known North Korean code.
In 2016, Kwak discovered the group he named Andariel trying to hack a South Korean financial company. Kwak noticed that the code and tactics differed slightly from malware typically associated with Lazarus, the Pyongyang-backed hacking organization tied to breaches at Sony Pictures and the Bangladesh Bank heist. He took apart the malware samples from previous hacks attributed to the group. Ultimately, he said, it became clear that Andariel is distinct from, though related to, the larger Lazarus Group. He submitted his findings to the South Korean government.
US officials later said Andariel was a subgroup of Lazarus. Then, in 2019, the US issued sanctions against Andariel, saying it hacked into online poker and other gambling sites to steal cash and infiltrated the personal computer of South Korea’s then-defense minister.
As amusing as Kwak finds the pop culture references embedded in North Korean malware, he says he’s resisted the urge to respond in kind. But one day he hopes to communicate more directly with the people he’s spent his career stalking from behind a keyboard. “The government says we’re enemies,” he says. “But one day, if we unify, I want to meet them. I want to say, ‘Hey, I named one of your groups, did you see that?’”
©2022 Bloomberg L.P.