Hackers who exposed North Korean government hacker explain why they did it

Earlier this year, two hackers breached a computer and quickly realized the significance of their discovery. They had infiltrated a machine belonging to an individual who allegedly works for the North Korean government. The hackers, identifying themselves as Saber and cyb0rg, decided to investigate further. They uncovered evidence linking the user to cyberespionage operations, including exploits, hacking tools, and infrastructure used by North Korea.

Saber told reporters they had access to the government worker’s computer for approximately four months. Once they understood the nature of the data, they realized they had to leak it to expose their findings. Saber stated that these nation-state hackers operate for all the wrong reasons and expressed a hope that more would be exposed for their actions.

There are countless cybersecurity companies and researchers who closely track the activities of the North Korean government and its many hacking groups. Their operations include espionage and increasingly large cryptocurrency heists, as well as wide-ranging campaigns where North Koreans pose as remote IT workers to fund the regime’s nuclear weapons program.

In this case, Saber and cyb0rg went a step further by actually hacking the hackers. This type of operation can provide more, or at least different, insights into how these government-backed groups work on a daily basis. The two hackers wish to be known only by their handles due to potential retaliation from the North Korean government or others. They consider themselves hacktivists and cited legendary hacktivist Phineas Fisher as an inspiration.

The hackers understand that their actions are illegal but believe it was important to make the information public. Saber explained that keeping the data would not have been helpful, and by leaking it, they hope to give researchers new ways to detect these threats. They also hope it will lead to current victims being discovered and the North Korean hackers losing access. Cyb0rg added that despite the legality, the action brought concrete artifacts to the community, which is more important.

Based on their findings, Saber is convinced the hacker, whom they call “Kim,” works for North Korea but may actually be Chinese and work for both governments. This belief is based on evidence that Kim did not work during Chinese holidays and translated Korean documents into simplified Chinese using Google Translate.

Saber said he never tried to contact Kim, believing it would be futile. He expressed that Kim likely lives in a constant state of propaganda, cut off from the outside world since birth, making any attempt to reason with him meaningless.

Saber declined to disclose how they gained access to Kim’s computer, as they believe they can use the same techniques to obtain access to other systems. During their operation, they found evidence of active hacks against South Korean and Taiwanese companies, which they claim to have contacted and alerted.

North Korean hackers have a history of targeting people in the cybersecurity industry. Saber said he is aware of the risk but is not overly worried, though he is being more careful.