All You Need To Know About Bureau 121

Bureau 121 is North Korea’s premier hacking unit. The elite military unit of hackers works under the Reconnaissance General Bureau, or RGB, the secretive North Korean spy agency.

The belief is that the Bureau’s cyber operations are a cost-effective way for North Korea to maintain an asymmetric military option and a means to gather intelligence. Its primary intelligence targets are South Korea, Japan, and the United States. In addition, North Korea reportedly uses its cyber warfare capabilities for espionage and to support its propaganda.

The unit targets different sectors, including pharmaceutical manufacturers, research institutions, financial institutions, IT companies, government organizations, and major biotechnology companies. Its primary purpose is to conduct destructive and espionage activities against target networks and systems worldwide.

Bureau 121 has four main subordinate units: the Andariel Group, the Bluenoroff Group, an Electronic Warfare Jamming Regiment, and the Lazarus Group.

Brief History of Bureau 121

Bureau 121 was created in the 1980s and has expanded rapidly since 1998. Part of the unit is sometimes known as the DarkSeoul Gang. Although North Korea remains one of the poorest countries, it invests heavily in Bureau 121. The unit has an estimated membership base of 6,000 members and is the only North Korean organization that operates outside its borders. Bureau 121 runs operations to extract money from organizations across the world using various tactics.

North Korea’s military cyber force reportedly numbers between 3,000 and 6,000 personnel working in Bureau 121, within the reclusive nation’s Reconnaissance General Bureau. Its most notable accomplishments are the attacks on South Korean banks and media outlets, which forced them offline for several days in 2013.

The RGB (Reconnaissance General Bureau) is the main military intelligence agency of North Korea. Bureau 121, alongside the RGB, is allegedly responsible for the WannaCry ransomware attack in 2017, the 2014 cyber attack on Sony Pictures Entertainment, and numerous cybercrimes. The RGB is estimated to control over 6,000 hackers supported by more than 1,000 technical staff members.

The RGB allegedly handpicked the members of Bureau 121 based on their aptitude for hacking and computing. This group of hackers is feared across the globe because of its ability to infiltrate and disable commercial organizations, financial institutions, and military systems.

Bureau 121 specializes in overseas sabotage and espionage. This includes cyberwarfare, physical attacks on key personnel, and even blackmailing defectors who fled North Korea to the West. To wage a ‘secret war,’ Bureau 121 acts to sabotage or spy on enemies of Pyongyang.

Bureau 121’s Allegedly Successful Attacks

Bureau 121 launched a series of attacks, especially during its active years. It is allegedly responsible for attacks in both private and public sectors in different countries. 

Sony Pictures

In November 2014, a group of hackers attacked Sony Pictures Entertainment. They gained unauthorized entry to the company’s network and accessed people’s private information and hard drives. The hackers demanded that Sony withdraw the film “The Interview.” The data breach had major repercussions. Personal information and salaries, company emails, and unreleased films, plans, and scripts were stolen. In addition, several unreleased films were leaked online, including “Fury,” “Annie,” and “Mr. Turner.” Sony’s computer infrastructure was also destroyed.

The FBI investigated, and the U.S. government pointed its finger at North Korea.

In addition to stealing sensitive information from the movie studio and posting it for public consumption, the hackers also forced many of SPE’s computer systems offline — including email.  

During the hack, the group demanded that Sony drop its then-upcoming film “The Interview” (a comedy about an assassination plot against North Korean leader Kim Jong-un) and threatened terrorist strikes on theatres playing the picture. After many major U.S. theater chains opted not to screen “The Interview” in response to these threats, Sony canceled the film’s formal premiere and mainstream release, opting to skip directly to a downloadable digital release followed by a limited theatrical release the next day.

Sony’s decision to pull the plug on “The Interview’s” theatrical distribution resulted in enormous financial penalties. However, the movie studio’s reputation had already taken a major hit. 

The U.S. government concluded the North Korean government was behind the attack, but it has never publicly provided any evidence to back up such allegations. Still, private security companies have uncovered clues that point to Bureau 121.

SWIFT Banking 

In 2015/2016, a series of cyberattacks that exploited the SWIFT banking network and successfully stole millions of dollars was revealed. The attacks were attributed to the North Korean government, and if this were confirmed, it would have been the first known case of state-sponsored cybercrime.

Experts suspect that the hacking outfit Lazarus Group (a subsidiary of Bureau 121) is responsible for high-profile crimes such as the Sony Pictures hack, the Bangladesh Bank theft, and several other cyber attacks worldwide.

The hackers used sophisticated malware and spear-phishing emails to infiltrate the bank systems and hijack high-value target accounts. They then manipulated SWIFT messages to transfer funds. If the attribution to North Korea were confirmed, it would have been the first instance of a state entity utilizing cyber attacks to steal funds.

The North Korean government reportedly instructed its cyber hackers to target banks in some 18 countries. This was an attempt to raise funds to circumvent international sanctions.

The international community sanctioned North Korea for its ballistic missile and nuclear tests. This, of course, means that the hermit nation is cut off from international banks. To get around this, experts believe that North Korean officials dispatched hackers to target banks in some 18 countries. The hackers were instructed to steal as much money as possible through fraudulent means so that the North Korean government could use it to fund its military programs.

The attackers exploited numerous vulnerabilities in the banking systems of member banks. This allowed them to gain control of the banks’ SWIFT credentials. The thieves subsequently used those credentials to send SWIFT money transfer requests to other banks. The receiving banks, trusting the messages to be authentic, then transferred the money to accounts controlled by the hackers.

WannaCry Ransomware Attack

In May 2017, computers around the world were attacked by ransomware known as WannaCry. The cyberattack used a software vulnerability allegedly identified by the US National Security Agency (NSA) and published by the hacker organization The Shadow Brokers one month prior.

The cyber attackers encrypted data and demanded ransom payments in the Bitcoin cryptocurrency. The WannaCry ransomware cyberattack, which targeted computers and networks running the Windows operating system, was a major digital “wake-up call.” Additionally, the malware preyed upon older systems still vulnerable to an exploit developed by the United States NSA, which The Shadow Brokers had stolen and leaked.

The ransomware spread across the globe, infiltrating computers with older Windows operating systems and encrypting files. It wreaked havoc on hospitals in the UK, FedEx in the US, and many more victims globally. Many users lost access to their files during these attacks and could only regain access after paying the ransom in bitcoin.

However, many of the patches had been available for six months before the attack. By mid-2016, all supported versions patched the vulnerabilities. Regardless, it was still a threat to those running unpatched or non-supported systems such as Windows XP. This suggests that, upon initial discovery, there was a lack of “reverse engineering” to inspect the unknown malware by examining its decryptors and its code.

The attack began in May 2017 and was not a one-off occurrence. It infected more than 230,000 computers in over 150 countries, with losses of more than $4 billion on its first day alone. By the next day, United States federal prosecutors stated that North Korea was behind the attack.

South Korea Attack 

On or around 20 March 2013, a suspected North Korean cyberattack caused three South Korean television stations and a bank to lose their computer terminals in a suspected act of cyberwarfare.

Some 19,000 computers and servers at major South Korean broadcasters and banks were affected. 

KBS, MBC, and YTN aired a blank screen for about 15 minutes. The banks (Shinhan, Nonghyup, and Jeju Bank) were also unable to operate after the attack severely compromised their computer networks. In addition, many ATMs were left out of order, serving as a reminder that critical infrastructure such as banking systems is susceptible to cyber-attacks.

All affected organizations were connected to one common network, which implies that the hackers likely targeted a weakness in that network. The attackers apparently focused on wiping files clean rather than demanding a ransom. It is currently unclear how the group carried it out or who was behind it. The attacks occurred at around 8 pm on 20 March and were brought under control after 17 hours.

Malicious code was released onto user computers through browser or web page vulnerabilities. The code was activated only when certain websites were accessed. It carried out the attack by deleting files on hard drives.

The computer hard drives of major broadcast stations and banks in South Korea were systematically erased, which affected 32,000 computers. The attackers deleted the most critical files from three broadcasters: KBS, MBC, and YTN. The attack also affected two banks: Shinhan Bank and Jeju Bank. The attack is thought to have been a state-sponsored synthetic attack that used several different malware strains. Although North Korea was widely suspected as the aggressor, no official determination has been made.


Bureau 121 is a top-secret North Korean organization of expert computer hackers. It has been accused of hacking international banks and various firms in recent years. Bureau 121 seeks out traditional prodigies. The group mostly recruits youngsters and trains them to become outstanding hackers. It then dispatches them across the world to wreak havoc on its foes.