In the northeastern Chinese city of Shenyang, you’ll find businesses owned and operated by the North Korean government.
You’ll also find a secret network of North Korean hackers, known as Bureau 121, according to defector Kim Heung-kwang.
“It’s easy for them to work secretly. It also has great Internet infrastructure,” says Kim Heung-kwang, a former Pyongyang computer science professor who escaped North Korea in 2004. Kim says some of his own students became cyber warriors for the hacker network. “By day, they worked regular jobs. But the rest of the time, they were acting on orders from Pyongyang,” he says.
Kim claims North Korean hackers operated secretly in Shenyang for years, moving from location to location to conceal their whereabouts and activities. “Bureau 121 began its large-scale operation in China in 2005. It was established in the late 90s,” Kim says.
“Team members entered China separately — in smaller groups — 20 members at a time,” he says. “When they entered China, they came under different titles. For example, an office worker, an official with a trade company or even as a diplomatic staffer.”
Long before North Korea had its own Internet, it dialed in to servers in Shenyang, in Liaoning Province, in China’s north. Today, nearly all of North Korea’s Internet traffic is still routed through China.
Kim says the operation in China scaled back considerably a few years ago, when North Korea expanded its high-speed Internet access. But he believes hackers are still operating in Shenyang.
“North Korea does have illicit activities in China,” says Steve Sin, a terrorism expert at the University of Maryland and former U.S. military intelligence analyst. Sin wrote a report naming Shenyang as a North Korean hacker hub. “It has the location, security, as well as infrastructure,” Sin says.
“Right now, the best information available to us is that they are still conducting such an operation and they can still conduct such an operation from that location.”