[Feature] North Korean hacking: the JML virus

The recent computer attacks on South Korea’s banks and media organizations have pushed the possibilities of North Korean hacking into the news. In this piece, we draw from our sources within North Korea to present a summary of one North Korean hacking export in particular: the ‘JML’ virus.

The ‘JML’ Virus

One of the first virus developers in North Korea was Cho Myung-rae (alternatively, Jo Myung-lae). Born in 1964, he graduated around 1997 from Mirim University, which is the leading school for military technology in North Korea. Before this period, Cho worked as a graphic designer for the April 26th Children’s Film Studio, and as a researcher at the Chosun Computer Centre. Currently, he is a high-ranking military officer and works for the Computer Technology Institute.

A centre for hacking activities that falls under the remit of the General Political Bureau, the institute is situated behind the Chosun Central TV Broadcasting HQ, in Munsu-dong in the Daedong river district of Pyongyang. At one time, the Party’s strategic director Oh Geuk-ryul tried to recruit Cho Myung-rae into Office 4.14 for intelligence-related hacking, but the KPA Political Division did not allow it.

The ‘JML’ virus takes its name from Cho Myung-rae’s initials (in the alternative romanization, Jo Myung-lae). This was allegedly done in order to avoid associations with North Korea.

The JML virus was developed around 1997: as his graduation thesis, Cho had written about the militarization capabilities of the computer virus. The value of his proposal was recognized, and a research group centered around Cho was duly established at Mirim University. This research group was the first incarnation of the Computer Technology Institute under the General Political Bureau.

Initially developed with Visual C++ 5.0 and MASM 6.0, the JML virus was soon adopted as a North Korean military standard. Mutations have continued to be developed ever since.

Traces of the JML virus in South Korea

Around 2003, South Korea’s largest anti-virus software company, Ahn Cheol-soo Institute, recognised the JML virus.

In the diagram below, it can be seen how the JML virus originated from regions outside of North Korea in early March, 2003.

North Korean hacking successes?

Around 2001, Cho Myung-rae was awarded a Hero’s Medal, allegedly for successfully hacking into the US Department of Defense. In addition, Kim Jong-il presented him with a gold watch for his deed. Saying how Cho had taught him the true value of computing, Kim Jong-il issued an order for concentrated efforts to be given to promoting research in the IT field.

Other sources say that Cho did not actually accomplish the publicized feats. Instead, he had merely hacked into personal emails of some staff associated with the US Department of Defense. According to this theory, the KPA General Staff Department exaggerated Cho’s achievements in order to bolster the hitherto inactive Reconnaissance Section.

The virus situation within North Korea

It is said that the computer virus began to spread throughout North Korea’s computer networks when children of the elite began to see hacking as a desirable career path.

Most North Koreans do not have access to the internet. Instead, they connect to an intranet, which has email and chatting capabilities, as well as the ability to transmit viruses. The bulk of these viruses are JML mutations, and are proving to be a headache for the North Korean authorities.

Just like the production of drugs for foreign export, the computer virus intended for foreign export has become an increasing nuisance for North Koreans.

Links of Interest

Malware that hit South Korea wasn’t so sophisticated – North Korea Tech 

Expert opinions on the issue of South Korea’s recent infections – CBR Online
