Names of Units & Key Cyber Activities

RGB

  • Green Pine Associated Corporation (KPe.010)

  • Moranbong University

  • 110 Research Institute (110 호 연구소)

    The cyber actors below are often referred to as the “Lazarus Group”:

    • Temp.Hermit

      • Sony Pictures hack (2014), Bangladesh Bank heist ($81M, 2016), WannaCry outbreak (2017)

    • Citrine Sleet (aka: AppleJeus, Gleaming Pisces)

      • Malware embedding ‘Jeus’ was distributed via the fake app Celas Trade Pro.

    • TraderTraitor (aka: Jade Sleet, UNC4899)

      • Crypto-theft cybercrime units

    • CryptoCore (aka: Sapphire Sleet, Alluring Pisces)

      • Crypto-theft cybercrime units

 

  • 63 Research Center (63 연구소)

    • Kimsuky (aka: APT43)

      • Spear-phishing targeting ROK and US officials, journalists, and policy researchers

    • TA408 (aka: Cerium)

      • Targeting global aerospace, defense, and pharma sectors, and US and ROK militaries

    • Konni (aka: TA406)

      • Targeting Russian officials since 2012, with financially motivated activity emerging in recent years

 

  • Office 970 (970 소)

    • Andariel (aka: Onyx Sleet, Silent Chollima, and APT45)

      • DarkSeoul incident (2013): disruption of ROK media and banking networks

      • Ransomware attacks against the healthcare sector, including US hospitals

      • Targeting global defense, aerospace, nuclear, and engineering sectors for DPRK WMD programs

 

  • 722 Liaison Office (722 연락소)

    Involved in IT freelancing and hacking activities.

    • Devices have been linked to IP ranges 175.45.178.11–175.45.178.19, with overlapping activity across 210.52.109.0–210.52.109.255.

 

  • Chosun Expo Joint Venture Corporation (Korea Expo Joint Venture, 조선엑스포합영회사)

    • RGB front company linked to the 110 Research Institute and the 722 Liaison Office.

      • The 2014 Sony Pictures hack and the 2017 WannaCry attack

      • The May 2017 WannaCry ransomware attack infected over 300,000 computers in 150+ countries, disrupting FedEx, Nissan, Renault, and the UK’s National Health Service

  • 414 Liaison Office (414 연락소)

    • Targeting ROK government entities, including the Office of the President and the Ministry of Unification, for technical reconnaissance and intelligence collection.

RGB Cyber Actor Park Jin Hyok

Source: FBI.

WannaCry ransom note on the screen of an infected computer

Source: Kaspersky.

Ministry of State Security

  • Scarcruft (APT37)

  • Pyongyang Information Technology Bureau (PITB, 평양정보기술국)

  • As of 2023, at least one suspected MSS unit had set up an office in Pyongyang’s Potong-gang district, near or possibly inside the Ryugyong Hotel.

Satellite imagery of the Ministry of State Security

Source: MSMT.

Ministry of National Defense

  • Bureau 53 (Department 53, 53 국)

    • Osong Shipping Company (aka: Osong Shipping Corporation) (오성선박회사)

      • Deployed DPRK IT worker teams in Laos since at least 2022, using aliases under on-site supervision to conduct IT projects (including crypto exchanges, websites, and mobile apps) to generate revenue

    • Chonsurim Trading Company (aka: Chonsurim Trading Corporation, 천수림무역회사)

      • Directed additional DPRK IT worker teams in Laos to use falsified identification credentials to carry out software development and other IT work for companies worldwide, generating revenue

    • Liaoning China Trade Industry Co

      • Supplied IT and network equipment—including computers, graphics cards, HDMI cables, and networking gear—enabling DPRK IT worker operations abroad

    • Junggongchon Trading Corporation (중공천무역회사)

      • Deploys IT worker teams in Tanzania and likely other African countries

  • Bureau 61 (Department 61, 61 국)

    • Chinyong Information Technology Cooperation Company:

      • in Vladivostok, Russia (Alias LLC / Alis LLC)

      • in Vientiane, Laos (Pioneer Bencont Star Real Estate). These delegations were formerly based in Dubai, United Arab Emirates

      • in Shenyang, China (Shenyang GeumpungRi Network Technology Company Limited (aka: Shenyang GeumpungRi Network Technology Co. Ltd., 선양 금풍리 네트워크 과학기술 유한공사))

Munitions Industry Department

  • State Information Technology Bureau (국가정보기술국) (aka: Informatization Bureau (정보화국), Informatization Guidance Bureau (정보화지도국))

  • 313 General Bureau (313 총국)

    Maintains the largest number of IT worker companies, including the following known front companies:

    • Yanbian Silverstar Network Technology Company Limited

    • Volasys Silver Star

    • Sinhung Information Technology Trading Corporation (신흥정보기술무역회사)

  • 75 Guidance Bureau (75 지도국)

    • Ryugyong Technology Company (류경프로그램개발회사)

      • Directly involved in procurement in China of materials for the DPRK’s UN-sanctioned weapons programs, including UAV-related components.

  • Second Academy of Natural Sciences (KPe.018, 제 2 자연과학원) Foreign Affairs Bureau

    Actively engaged in deploying IT workers to Laos

Ministry of Atomic Energy and Industry

  • MAEI 607 Management Office

  • Korea Mangyongdae Computer Technology Corporation (KMCTC, 조선만경대컴퓨터기술회사)

Office 39

  • Kyonghung IT Exchange Company

Ministry of Public Security/Ministry of Social Safety

  • Amnokgang Technology Development Corporation (Yalu River Technology Development Company, 압록강기술개발회사)