Reconnaissance General Bureau

RGB

The Democratic People's Republic of Korea's principal foreign intelligence and special-operations service, established in 2009 by consolidation of multiple predecessor agencies and the principal organization to which Western governments attribute substantial DPRK cyber operations.

Overview

The Reconnaissance General Bureau (Chŏngch'al Ch'ongguk, RGB) is the principal foreign intelligence and special-operations service of the Democratic People's Republic of Korea. It is responsible for foreign intelligence collection, particularly with respect to South Korea, Japan, and the United States; for special-operations capability including the conduct of clandestine operations abroad; for substantial cyber operations including the cyber units widely identified by Western governments as the Lazarus Group / Advanced Persistent Threat 38; and for operations relating to North Korean diaspora communities and overseas dissidents. [1]

The Bureau reports through the Korean People's Army General Staff to the Supreme Leader, who under the DPRK Constitution is the Commander-in-Chief of the Armed Forces. It is led by a Director who has consistently held the rank of General in the Korean People's Army. Its budget and personnel are classified; published Western analytical estimates place its cyber workforce at approximately 6,000 personnel. [2]

The Bureau is headquartered in Pyongyang.

History & Origins

The Reconnaissance General Bureau was established in April 2009 by consolidation of multiple predecessor agencies under the Korean People's Army General Staff. The principal predecessor bodies absorbed were the Operations Department (Chakjŏn Pu) of the Korean Workers' Party Central Committee, the Reconnaissance Bureau (Chŏngch'al Pu) of the Ministry of People's Armed Forces, and Office No. 35 (intelligence and overseas operations). [3]

The institutional context of the 2009 consolidation was a substantial reorganisation of the DPRK security architecture under Kim Jong-il in the period immediately before his December 2011 death and the succession of Kim Jong-un. The reorganisation centralised foreign-operations and special-operations functions under the General Staff, producing a more coherent institutional structure than the prior dispersed arrangement. The post-2011 succession period under Kim Jong-un — including the December 2013 execution of his uncle Jang Song-thaek (a senior figure of the prior security architecture) — produced further institutional consolidation. [4]

The post-2011 period has produced the most operationally intense decade in the Bureau's history, particularly with respect to cyber operations. The 2014 Sony Pictures intrusion, the 2016 Bangladesh Bank heist, the 2017 WannaCry ransomware attack, successive cryptocurrency-exchange targeting, and the 2017 killing of Kim Jong-nam at Kuala Lumpur International Airport have together produced the public-record characterisation of the contemporary RGB. [5]

Mandate & Jurisdiction

The Bureau's authorities derive from Korean Workers' Party directives and from successive General Staff orders. Its core functions are:

  • foreign intelligence collection in support of DPRK national-security and foreign-policy interests, with particular focus on the Republic of Korea, Japan, and the United States;
  • special-operations and clandestine-operations capability abroad;
  • cyber operations, both for intelligence collection and for offensive purposes including cryptocurrency targeting;
  • intelligence and operations relating to North Korean diaspora communities and overseas defectors;
  • support to Korean People's Army operations and contingency planning;
  • liaison with allied intelligence services where relationships exist. [6]

The Bureau is widely identified as comprising at least six bureaus, including operations bureaus directed at South Korea, technical bureaus including the cyber-warfare components, and counter-intelligence elements. Specific subordinate-unit naming has varied across sources; the Lazarus Group / APT38 / TEMP.Hermit cyber-intrusion sets attributed by Western governments to the DPRK have been associated with the RGB.

Notable Operations

Alleged: Sony Pictures Entertainment intrusion (2014). The November 2014 cyber intrusion into Sony Pictures Entertainment, which produced the destruction and theft of corporate data, the cancellation of a planned theatrical release of The Interview (a comedy film depicting the assassination of Kim Jong-un), and substantial subsequent public-record disclosures. The US Federal Bureau of Investigation publicly attributed the operation to the DPRK in December 2014, an attribution subsequently characterised by US officials as supported by signals-intelligence and forensic analysis. The DPRK has denied the attribution. [7]

Alleged: Bangladesh Bank heist (2016). The February 2016 cyber intrusion into Bangladesh Bank, in which compromised SWIFT messaging-system credentials were used to transfer approximately US$81 million from the Bank's Federal Reserve Bank of New York account to accounts in the Philippines (with approximately US$850 million in further transfers blocked). US Department of Justice indictments in 2018 named DPRK national Park Jin-hyok in connection with the operation; Park was identified as an RGB-affiliated computer programmer. [8]

Alleged: WannaCry ransomware attack (2017). The May 2017 WannaCry ransomware operation, which infected approximately 230,000 computers across 150 countries — including a substantial part of the UK National Health Service — and produced approximately US$4 billion in global damages. The 2018 US Department of Justice indictment of Park Jin-hyok specifically attributed the operation to RGB-affiliated cyber operators. The UK National Cyber Security Centre and US Government attribution statements concur. [9]

Alleged: Cryptocurrency-targeting operations (post-2017). Sustained DPRK-attributed operations against cryptocurrency exchanges, decentralised-finance platforms, and individual cryptocurrency holders. Successive UN Panel of Experts reports and private-sector analytics firms have attributed an estimated US$3 billion or more in cryptocurrency theft to DPRK-affiliated operators across the post-2017 period, with some private-sector estimates placing the cumulative total above US$3.6 billion. Specific high-value operations include the March 2022 theft of approximately US$620 million from the Ronin Network blockchain bridge (subsequently attributed by US Treasury to the RGB-affiliated Lazarus Group), and the June 2022 Harmony Horizon Bridge theft of approximately US$100 million. [10]

Alleged: Killing of Kim Jong-nam (2017). On 13 February 2017, Kim Jong-nam — the elder half-brother of Kim Jong-un, who had been living in exile principally in Macao — was killed at Kuala Lumpur International Airport when two women applied VX nerve agent to his face. The two women were arrested and prosecuted by Malaysian authorities. The Malaysian post-mortem and subsequent forensic analysis established the use of VX, a Chemical Weapons Convention Schedule 1 substance. The Royal Malaysia Police identified four DPRK suspects who had departed Malaysia immediately after the killing; the DPRK has denied responsibility. The two women were ultimately released, one after conviction on a lesser charge and the other after the charges against her were withdrawn. South Korea's National Intelligence Service attributed the operation to the Ministry of State Security (MSS) rather than to the RGB specifically; an RGB-specific attribution is not established in the public record. [11]

Controversies & Abuses

Confirmed: Sustained sanctions violations. Successive reports of the UN Panel of Experts established under the DPRK sanctions regime have documented sustained violations of UN Security Council sanctions, including through cyber operations attributed to the RGB. The reports characterise these cyber operations as substantial generators of foreign currency for the DPRK regime, in the context of comprehensive sanctions on conventional trade. [12]

Alleged: Operations against South Korean targets. Multiple South Korean Government attributions across the post-2010 period have identified RGB operations against South Korean targets, including the 2010 sinking of the South Korean naval corvette ROKS Cheonan (in which 46 South Korean sailors died, attributed by South Korean and international investigative findings to a DPRK midget-submarine torpedo attack), the 2014 Korea Hydro and Nuclear Power cyber intrusion, and successive operations against South Korean defectors and human-rights organisations. The DPRK has denied responsibility for the Cheonan sinking specifically; the South Korea-led joint civilian-military investigation team's May 2010 findings remain the principal public-record account. [13]

Alleged: Operations against North Korean defectors abroad. Multiple South Korean and Western reports have documented attempted RGB operations against North Korean defectors living in South Korea, the United States, and other Western countries. Specific publicly documented cases have included the April 2010 attempted assassination of Hwang Jang-yop, the highest-ranking North Korean defector at that time; the operatives were arrested and prosecuted by South Korean authorities. [14]

Confirmed: Use of forced-labour networks abroad. Successive UN Panel of Experts and UN Special Rapporteur reports have documented DPRK forced-labour networks operating in foreign countries, with substantial earnings remitted to the DPRK regime through state channels. The boundary between RGB direction and other DPRK state-organ direction of these networks has been administratively defined; the broader pattern has been comprehensively documented. [15]

Notable Figures

  • General Kim Yong-chol — Long-serving senior figure of the RGB and its predecessor bodies. Subsequently Director of the United Front Department; senior-level interlocutor in 2018–2019 US-DPRK negotiations.
  • General Jang Kil-song — Identified by South Korean intelligence as RGB Director; replaced by Rim Kwang Il in December 2019.
  • Col. Gen. Ri Chang Ho — RGB Director, appointed approximately 2022; sanctioned by South Korea (December 2023) and the US Treasury (December 2024).
  • Park Jin-hyok — Cyber operator identified by US Department of Justice indictment in 2018; sanctioned by the US Treasury and named in successive Western government attribution statements.

Oversight & Accountability

There is no civilian or external public-record oversight of the RGB. The Bureau operates under the authority of the Supreme Leader and the Korean People's Army General Staff, with internal Korean Workers' Party discipline-inspection mechanisms providing the principal accountability route within the regime.

External public-record accountability for RGB-attributed activity has come principally from UN Panel of Experts reports, US Department of Justice indictments and Treasury sanctions designations, UK and other Five Eyes Government attribution statements, and South Korean Government statements. The DPRK has consistently denied attribution in essentially all public cases. [16]

Sources & Further Reading

  1. Ken E. Gause, North Korea's Cyber Espionage Capabilities (Naval Postgraduate School, 2017); Andy Greenberg, "The North Korean Hacker Threat," Wired, multiple years.
  2. Joseph S. Bermudez, North Korean Special Forces (Naval Institute Press, 1998 / 2003); Office of the Director of National Intelligence, Annual Threat Assessments.
  3. Gause, op. cit.; Mark Bowden, "The Worst Problem on Earth," Atlantic, 2017.
  4. Ralph Hassig and Kongdan Oh, The Hidden People of North Korea: Everyday Life in the Hermit Kingdom (Rowman & Littlefield, 2009).
  5. Anna Fifield, The Great Successor: The Divinely Perfect Destiny of Brilliant Comrade Kim Jong Un (PublicAffairs, 2019).
  6. Gause, North Korea's Cyber Espionage; Office of the Director of National Intelligence statements.
  7. FBI Statement on the Sony Pictures Entertainment Intrusion, 19 December 2014; David E. Sanger and Martin Fackler, "U.S. Penetrated North Korean Computers Before Sony Attack," New York Times, 18 January 2015.
  8. United States v. Park Jin-hyok, criminal complaint, C.D. Cal., 8 June 2018, unsealed 6 September 2018.
  9. UK National Cyber Security Centre and US National Security Agency joint advisory on WannaCry, 2017–2018; United States v. Park Jin-hyok, op. cit.
  10. UN Security Council Panel of Experts established pursuant to resolution 1874 (2009), Final Reports, successive editions; US Department of the Treasury, sanctions designations relating to Lazarus Group, 14 April 2022 and successive editions; Chainalysis, Crypto Crime Reports, annual editions.
  11. Royal Malaysia Police statement on Kim Jong-nam case, February 2017; Malaysian High Court proceedings in Public Prosecutor v. Aisyah and Huong, 2017–2019.
  12. UN Security Council Panel of Experts, Final Reports, op. cit.
  13. Joint Civilian-Military Investigation Group, Investigation Result on the Sinking of ROKS Cheonan, May 2010; subsequent UN Security Council statement and contested international reception.
  14. South Korean Ministry of National Defence statements on the 2011 Hwang Jang-yop case.
  15. UN Special Rapporteur on the situation of human rights in the Democratic People's Republic of Korea, Annual Reports; Human Rights Watch, "Worker's Paradise Lost: A Closer Look at North Korean Workers Abroad."
  16. UN Panel of Experts, Final Reports; US Department of Justice indictments; Five Eyes joint attribution statements.