North Korea’s Ruling Elite Are Not Isolated
In-depth analysis of North Korean internet activity reveals an informed, modern, and technologically savvy ruling elite.
Executive Summary
This is the second part of our series on North Korea. In part one, "North Korea Is Not Crazy," we showed that North Korean cyber actors are neither crazy nor irrational: they simply have a wider operational scope than most other intelligence services.
Here we enrich that analysis with data from our intelligence partner, Team Cymru, and conduct an in-depth study that reveals unique insights into how North Korea's leaders and ruling elite use the internet and what this can tell us about their plans and intentions.
Our analysis demonstrates that the limited number of North Korean leaders and ruling elite with access to the internet are actively engaged in Western and popular social media, regularly read international news, use many of the same services such as video streaming and online gaming, and above all, are not disconnected from the world at large or the impact North Korea’s actions have on the community of nations. Further, we have concluded that:
- Attempts to isolate North Korean elite and leadership from the international community are failing. In fact, their internet activity is in many ways not that different from most Westerners.
- The data set reviewed suggests that general internet activity in North Korea may not provide early warning of a strategic military action, contrary to conventional hypotheses. If there is a correlation between North Korean activity and missile tests, it is not telegraphed by leadership and ruling elite internet behavior.
- North Korea is not using territorial resources to conduct cyber operations and most North Korean state-sponsored activity is likely perpetrated from abroad, which presents an opportunity to apply asymmetric pressure on the Kim regime.
This analysis, together with part one of our blog series, demonstrates that there are likely other regime pressure points, and as a result, other tools, techniques, and partners that could be explored toward a path for North Korean denuclearization.
Background
South Korean media estimate that there may be as many as 4 million mobile devices in North Korea. Yet although mobile devices are widespread in North Korea, the vast majority of North Koreans have no access to the internet. The mobile devices sold to ordinary North Korean citizens (see the image of a North Korean-made device below) come with minimal 3G services, namely voice, text messaging, and picture/video messaging, and are restricted to the domestic North Korean Koryolink network.
A small minority of users, such as university students, scientists, and some government officials, are permitted to access the state-run North Korean domestic intranet through shared computers at universities and internet cafes. Slate described the domestic intranet as follows:
Computer lab at Kim Il Sung University. Source: Sophie Schmidt.
Among the few permitted to use the country's intranet, an even smaller group, made up of the most senior leaders and the ruling elite, has direct access to the global internet. Although there are no reliable figures for the number of internet users in North Korea, journalists estimate it to be "a very small number," "the inner circle of North Korean leadership," or "only a few dozen families." Whatever their exact number, the profile of the typical North Korean internet user is clear: a trusted member, or family member, of the ruling class.
There are three primary ways North Korean elites access the internet.
First, through their allocated .kp range, 175.45.176.0/22, which also hosts the only websites in the country that are reachable from the internet. These include nine top-level domains (such as co.kp, gov.kp, and edu.kp) and roughly 25 subdomains for various North Korean state media, travel, and education.
The second method is through a range allocated by China Netcom, 210.52.109.0/24. The network name "KPTC" is short for Korea Posts and Telecommunications, Co, the national telecommunications company.
The third method is through an assigned range, 77.94.35.0/24, provided by a Russian satellite company, which currently resolves to SatGate in Lebanon.
Editor's Note
Two important notes: One, from this point on when we refer to “North Korean internet activity” or “behavior,” we are referring to use of the internet (not the North Korean domestic intranet Kwangmyong) by the select few leaders and ruling elite that are permitted access. This data does not give us any insight into intranet activity or behavior by the larger group of privileged North Koreans permitted access to Kwangmyong or diplomatic and foreign establishments that are located in North Korea.
Two, we chose this date range, April 1 through July 6, 2017, because it represented one of the periods of highest missile launching and testing activity, and also because it was the time period during which the data had the greatest depth and fidelity. While we have data stretching back to January 1, 2017, that dataset (January 1 to March 31) is much less robust.
Analysis
In the early hours of April 1, 2017, as many in the West were just waking up, checking email and social media, a small group of North Korean elites began the day in much the same manner. Some checked the news on Xinhua or the People’s Daily, others logged into their 163.com email accounts, while still others streamed Chinese-language videos on Youku and searched Baidu and Amazon.
Recorded Future’s analysis of this limited-duration data set has given us new insight into this isolated country and ruling regime. Our analysis demonstrates that the limited number of North Korean leaders and ruling elite with access to the internet are much more active and engaged in the world, popular culture, international news, and with contemporary services and technologies than many outside North Korea had previously thought. North Korean leaders are not disconnected from the world and the consequences of their actions.
While this data source is not absolute, it gives us a detailed picture of North Korean internet use and activity during the April to July 2017 timeframe, and as a result, we are able to reach a number of unique new insights.
The data reveals that North Korea’s leadership and ruling elite are plugged into modern internet society and are likely aware of the impact that their decisions regarding missile tests, suppression of their population, criminal activities, and more have on the international community. These decisions are not made in isolation nor are they ill-informed as many would believe.
Patterns of Use Mirror Western Users
North Korean elite and leadership internet activity is in many ways not that different from most Westerners, despite the extremely limited number of people who can access the internet; the relatively few numbers of both computers and IP space from which to reach it; the linguistic, cultural, social, and legal barriers; and sheer hostility to the rest of the world.
For example, much like users in developed countries, North Koreans spend a large share of their time online checking their social media accounts, searching the web, and browsing Amazon and Alibaba.
Facebook is the social network most used by North Koreans, despite reports that Facebook, Twitter, YouTube, and several other sites were blocked by North Korean censors in April 2016.
Additionally, North Koreans have distinct patterns of daily usage over this period as well. On weekdays, times of highest activity are from approximately 9:00 AM through 8:00 or 9:00 PM, with Mondays and Tuesdays being the days of consistently highest activity.
Not an Early Warning for Missile Activity
Many researchers and scholars have hypothesized that there may be a connection between North Korean cyber activity and missile launches or tests. In particular, that we may be able to forecast or anticipate a missile test based on North Korean cyber or internet activity. While we were not able to examine levels of North Korean malicious cyber activity, for this limited time period using this data set, there does not appear to be a correlation between North Korean internet activity at large and missile tests or launches.
Daily actual internet activity for April 1 through July 6, 2017. Red bars are dates of North Korean missile tests or launches.
This current data set is too short a duration of time to apply any long-term conclusions about the utility of internet activity as a warning device for missile tests. However, our analysis does suggest that if there is a correlation between North Korean activity and missile tests, it is not telegraphed by leadership and ruling elite internet behavior.
Presence in Foreign Countries
The near absence of malicious cyber activity from the North Korean mainland from April to July 2017 likely indicates that, for the most part, they are not using territorial resources to conduct cyber operations and that most state-sponsored activity is perpetrated from abroad. This is a significant operational weakness which could be exploited to apply asymmetric pressure on the Kim regime, limit current North Korean cyber operational freedom and flexibility, and reduce the degree to which they are able to operate with impunity.
This data and analysis demonstrate that North Korea has a significant physical and virtual presence in several countries around the world, where North Korean nationals are likely engaging in criminal and malicious cyber activity (as demonstrated in part one). These countries include India, Malaysia, New Zealand, Nepal, Kenya, Mozambique, and Indonesia.
Based on our analysis, we were able to determine the following:
- North Korea clearly has a significant physical and virtual presence in India. Characterized by India's Ministry of External Affairs as "relations of friendship, cooperation, and understanding," the data we analyzed corroborates reports of a growing diplomatic and commercial rapprochement between India and North Korea.
- Patterns of activity suggest that North Korea may have students at at least seven universities around the country and may be working with several research institutes and government departments.
- Nearly one-fifth of all activity observed during this time period involved India.
North Korean embassy in India. (Source)
North Korea also has large and active presences in New Zealand, Malaysia, Nepal, Kenya, Mozambique, and Indonesia. Our source revealed not only above-average levels of activity to and from these nations, but to many local resources, news outlets, and governments, which was uncharacteristic of North Korean activity in other nations.
It has been widely reported that North Korea maintains a physical presence in China for conducting cyber operations, including co-ownership with Chinese partners of a hotel in Shenyang from which it conducts malicious cyber activity. Nearly 10% of all activity observed during this period involved China, not counting the internet access points provided by Chinese telecommunications companies.
Our analysis finds that the profile of activity for China was different than the seven nations identified above, mainly because North Korean leadership users utilized so many Chinese services, such as Taobao, Aliyun, and Youku, which skewed the data. After accounting for use of Chinese internet services, which of course do not signify either physical or virtual presence in China, the pattern of activity to local Chinese resources, news outlets, and government departments mirrored the seven previously identified nations.
This Chinese example, where the distinct pattern of activity we discovered combined with the already known facilities for cyber operations, provides us with a model we can apply to the other seven nations.
Together with the fact that North Korea has a significant physical and virtual presence in several nations around the world, and our previous research in part one, it is highly likely that North Korea is conducting cyber operations from third-party countries. Therefore, an alternative avenue to explore would be whether malicious cyber activity from these nations correlates with missile launches or tests, as opposed to activity from territorial North Korea.
Poor Security Leads to New Intelligence
Less than one percent of North Korean internet activity during this period was obfuscated or protected in any way. Among the activity that did meet these criteria, the techniques used varied widely, from incorrectly implemented TLS/SSL to nearly undetectable chains of multiple virtual private networks (VPNs) and virtual private servers (VPSs) used to move large volumes of data.
As an example of poor usage, one North Korean user went to the trouble of using Tor (The Onion Router) to hide their activity, but then used a torrent file-sharing service and exited the Tor network from the same node every day for more than three months.
Of the users that employed obfuscation technologies, a wide range of VPN and VPS services and providers were utilized. Almost all VPN and VPS consumed by North Koreans are monthly subscriptions, likely managed by an individual or government department.
It is not clear how these services are purchased and many of the providers are large and well-known Western companies. These include Sharktech, iWeb, Digital Ocean, Linode, Leaseweb USA, Telemax, Touch VPN, and others.
Many VPN and VPS were used to obfuscate or facilitate browsing, either from passive internet monitoring or domestic censors.
One U.S. VPN was used by an iPad to check a Gmail account, access Google Cloud, check Facebook and MSN accounts, and view adult content. Other VPN and VPS were used to run Metasploit, make purchases using bitcoin, check Twitter, play video games, stream videos, post documents to Dropbox, and browse Amazon.
As a result of this generally poor obfuscation, this data afforded us insight into North Korean leadership and elite interests that we have never had before. For example, many users utilized VoIP services to talk and message others overseas; others still had AOL accounts and checked them regularly; some users frequented beauty and health sites; others purchased expensive sneakers online; many users investigated industrial hardware and technology optimization services; others used iPhones, iPads, and Blackberries to communicate.
Other users spent time every day researching cybersecurity companies and their work, including Kaspersky, McAfee, Qihoo360, and Symantec, as well as DDoS prevention companies and technologies such as DoSarrest and Sharktech. One user received training on the use of THURAYA and satellite communications equipment, while others researched the physics and engineering departments of several Malaysian, American, and Canadian universities.
Video gaming and content streaming accounted for 65% of all North Korean internet activity. In general, users mainly consumed content from the Chinese video-hosting service Youku, from iTunes, and from various BitTorrent and peer-to-peer streaming services. For gaming, North Korean users appear to favor games hosted by Valve and a massively multiplayer online game called World of Tanks.
Suspect Activity
While the majority of activity from North Korea during this timeframe was not malicious, there was a smaller, but significant, amount of activity that was highly suspect. One instance was the start of Bitcoin mining by users in North Korea on May 17.
According to the Bitcoin wiki, bitcoin mining is "the process of adding transaction records to Bitcoin's public ledger of past transactions (or blockchain)." Bitcoin mining is complex because it is a very demanding computational task that can require up to 90% of a computer's processing power.
The benefit to using all of this energy and adding the transaction records to the blockchain is that each miner is awarded not only the fees paid by the users sending the transaction, but 25 bitcoins once they discover a new block.
Before that date there was virtually no activity involving Bitcoin-related sites or nodes, nor any use of Bitcoin-specific ports or protocols. Beginning on May 17, this activity increased exponentially, going from zero to several hundred per day. The timing of this mining is significant, because it began shortly after the WannaCry ransomware attacks in May, which the NSA attributed to North Korea's intelligence service, the Reconnaissance General Bureau (RGB), as an attempt to raise funds for the Kim regime.
By this point (May 17) actors within the government would have realized that moving the bitcoin from the three WannaCry ransom accounts would be easy to track and ill-advised if they wished to retain deniability for the attack.
It is not clear who is running the North Korean bitcoin mining operations; however, given the relatively small number of computers in North Korea coupled with the limited IP space, it is not likely this computationally intensive activity is occurring outside of state control.
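The three access ranges named in the Background section and the Bitcoin-specific port activity described above can be checked against flow records. The block below is an added illustration, not Recorded Future's or Team Cymru's code: the three CIDR blocks come from the post, the flow lines are constructed sample data, and 8333/tcp as the Bitcoin peer-to-peer port is our assumption about what "Bitcoin-specific ports" refers to.

```python
"""Flag flow records whose source falls in one of the three North Korean
internet ranges, and count per-day Bitcoin P2P connections from them."""
from collections import Counter
from datetime import date
from ipaddress import ip_address, ip_network

# Ranges from the post: direct .kp allocation, China Netcom (KPTC),
# and the Russian satellite range that resolves to SatGate.
NK_RANGES = {
    "kp-direct": ip_network("175.45.176.0/22"),
    "china-netcom-kptc": ip_network("210.52.109.0/24"),
    "satgate-satellite": ip_network("77.94.35.0/24"),
}
BITCOIN_P2P_PORT = 8333  # assumption: the standard Bitcoin peer-to-peer port


def classify_source(ip: str):
    """Return the label of the NK range containing ip, or None if outside all three."""
    addr = ip_address(ip)
    for label, net in NK_RANGES.items():
        if addr in net:
            return label
    return None


def parse_flow(line: str) -> dict:
    """Parse 'YYYY-MM-DD src_ip dst_ip dst_port proto' into a dict.
    The date is validated but kept as the ISO string for easy grouping."""
    day, src, dst, dport, proto = line.split()
    date.fromisoformat(day)  # raises ValueError on a malformed date
    return {"day": day, "src": src, "dst": dst,
            "dport": int(dport), "proto": proto.lower()}


def bitcoin_activity_by_day(lines) -> dict:
    """Count, per day, TCP flows from an NK range to the Bitcoin P2P port.
    A jump from zero to hundreds per day is the pattern the post describes."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if (classify_source(flow["src"]) is not None
                and flow["dport"] == BITCOIN_P2P_PORT
                and flow["proto"] == "tcp"):
            counts[flow["day"]] += 1
    return dict(counts)


# Constructed sample flows (documentation addresses, not real observations).
SAMPLE_FLOWS = """
2017-05-16 175.45.176.10 203.0.113.5 443 tcp
2017-05-17 175.45.177.20 198.51.100.7 8333 tcp
2017-05-17 210.52.109.33 198.51.100.8 8333 tcp
2017-05-17 77.94.35.9 198.51.100.9 8333 udp
2017-05-18 175.45.176.44 198.51.100.7 8333 tcp
2017-05-18 175.45.176.44 198.51.100.10 8333 tcp
2017-05-18 192.0.2.1 198.51.100.7 8333 tcp
2017-05-18 175.45.179.2 203.0.113.5 80 tcp
""".strip().splitlines()

if __name__ == "__main__":
    for day, n in sorted(bitcoin_activity_by_day(SAMPLE_FLOWS).items()):
        print(day, n)
```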
Additionally, during this time frame it appeared that some North Korean users were conducting research, or possibly even network reconnaissance, on a number of foreign laboratories and research centers.
In particular, activity targeting the Indian Space Research Organisation's National Remote Sensing Centre, the Indian National Metallurgical Laboratory, and the Advanced Science and Technology research institutes of the Philippines' Department of Science and Technology raised our suspicions, but we were unable to confirm malicious behavior.
Impact
The international policy and engagement strategy toward North Korea has struggled to be impactful for decades because it has relied on the same set of tools (sanctions, increasing international isolation) and engaged the same nations (China, Russia, UN Security Council Permanent Five) as partners. This two-part series demonstrates that there are likely other pressure points on the regime and as a result, other tools, techniques, and partners that should be explored.
Team Cymru’s intelligence and Recorded Future’s analysis have revealed two separate realities.
First, in spite of the sanctions and massive international pressure, North Korea’s leaders are not isolated from the outside world. They are active and engaged participants in the contemporary internet society and economy; meaning that attempts to shut North Korean leadership off from the global economy have largely failed.
Second, new tools that do not focus on Pyongyang and territorial North Korea are needed to achieve a lasting negative impact on the current Kim regime. We have identified other nations with which the West could partner and alternate tools and techniques that could be utilized to apply asymmetric pressure on North Korea. Partnering with nations such as India, Malaysia, Indonesia, or others identified above, would enable the U.S. and other Western nations to circumvent uncooperative partners in China and Russia and exert pressure on the broad North Korean operational diaspora, which, because of the regime’s dependency, would likely impose larger real costs on leadership.
For cybersecurity professionals and network defenders, this two-part series reveals just how complex defending from North Korean malicious cyber activity can be. We continue to recommend that financial services firms and those supporting U.S. and South Korean military THAAD deployment as well as on-peninsula operations maintain the highest vigilance and awareness of the heightened threat environment to their networks and operations on the Korean peninsula.
Similarly, energy and media companies, particularly those located in or that support these sectors in South Korea, should be alert to a wide range of cyber activity from North Korea, including DDoS, destructive malware, and ransomware attacks. Broadly, organizations in all sectors should continue to be aware of the adaptability of ransomware and modify their cybersecurity strategies as the threat evolves.