Blog

Our experts' unique discoveries, observations, and opinions on what’s trending today in Business Risk Intelligence and the Deep & Dark Web.

Blog > Cybercrime > Threat Actor Groups of the Korean-language Underground

Threat Actor Groups of the Korean-language Underground

bio
Terrorism

In the 72 years since the division of Korea, the South has evolved into a globalized hub of commerce, technology, and popular culture. Meanwhile, the North has gained notoriety as one of the world’s most secretive and volatile countries. These two divided nations have taken dramatically different approaches to how they embrace new technologies: the North Korean government heavily restricts Internet access, while South Korea has turned Seoul into the world’s most digitally connected city.

Despite their divergent paths over the past century, North and South Korea share thousands of years of history, as well as a common language. In fact, the Korean language is the world’s most widely spoken language isolate—a language with no demonstrable linguistic relationship to any other language. In addition to North and South Korea’s respective populations of 25.4 and 51.3 million, there are 7.2 million Korean emigrants living abroad—mostly in China, the U.S., and Japan.

Embedded in precarious geopolitics, the Korean-language underground has developed the following distinct factions:

South Korean Cybercriminals

The Korean-language underground originated from traditional organized crime in South Korea. As the nation modernized in the late 20th century, criminal groups moved their activities from the physical world to cyberspace. Motivated by fiscal gain, these groups initially focused on operating illegal gambling and pornography websites.

The presence of South Korean cybercriminals on the Deep & Dark Web (DDW) is largely limited to forums and marketplaces where drugs and hacking services are exchanged. South Korean actors also maintain a vibrant yet highly decentralized presence on the open web. The South Korean government’s recent crackdown on cybercrime has led to the shutdown of many DDW forums, creating gaps within the country’s underground ecosystem. Several new forums have sprung up in their place, and South Korean threat actor communities have become more exclusive and wary of outsiders.

North Korean Cyber Actors

Unlike South Korea’s primarily profit-driven underground activity, North Korea’s cyber capabilities have been closely overseen by the government. Deceased supreme leader Kim Jong Il sought to develop cyber warfare capabilities as early as the 1980s, so he established a system of selective secondary and tertiary education institutions to provide specialized training in the STEM disciplines.

After graduating from these institutions, many students were sent to work in China or the Soviet Union. Nowadays, it has become common for STEM-educated North Korean threat actors to move to southeast Asian countries like Cambodia and Malaysia in order to conduct malicious operations while avoiding South Korean surveillance operations.

Ethnic Korean Hackers in China

North Korea and China have historically maintained bilateral diplomatic relationships since 1949. However, these relations have deteriorated markedly in recent years. In contrast, South Korea did not establish diplomatic relations with China until 1992, making it the last country in Asia to do so. The two countries have since grown increasingly interconnected through tourism and trade.

China is home to nearly 2.6 million ethnic Koreans from both North and South Korea. The members of this population who participate in the Korean-language underground function as a proverbial bridge connecting the otherwise separate North and South Korean underground communities. Often facilitated by interactions with ethnic Korean hackers living in China, North and South Korean adversaries have been known to collaborate. The most recent examples include a customer data breach and an ATM malware attack, both of which targeted South Korean companies in March 2017.

Our latest Flash Talk provides a deep dive into the history, geopolitics, and future of the Korean-language underground. I also tell the story behind the separate formations of the North and South Korean undergrounds, unpack the unifying role of ethnic-Korean Chinese hackers, and explain the semi-collapse of the Korean-language underground following high-profile police investigations.

Click here to tune in.

Flash Talks are 10-15 minute video segments led by Flashpoint’s team of subject matter experts, where we discuss emerging and trending topics in today’s cyber threat landscape. For the complete list of video segments published since the program’s inception in January 2017, please visit our content library.

 

About the author: Mitch Haszard

bio

Mitch Haszard is an Intelligence Analyst on the Asia-Pacific team at Flashpoint. His research interests include North Korea’s cyberwarfare program, Korean-speaking threat actors, and emerging threats on the Korean peninsula. Prior to joining Flashpoint, Mitch was a member of the US Air Force where he worked extensively with Geographic Information Systems (GIS). Mitch holds a Master's degree from Yonsei University in Seoul, South Korea, as well as a Bachelor's degree from the University of Maryland.