North Korea’s Not So Crazy After All

August 7, 2017 • Amanda McKeon

When it comes to North Korea, there are a variety of images that may come to mind. Eccentric, erratic leadership, suffering citizens, isolation from the rest of the global community, and lately, of course, the testing of nuclear weapons and long-range missiles. When it comes to cybersecurity and threat intelligence, North Korea is known for cybercrime, perhaps most notably the WannaCry ransomware and the Sony hack.

Our guest today is Priscilla Moriuchi, director of strategic threat development at Recorded Future and former enduring threat manager for East Asia and Pacific at NSA. Her team is responsible for a pair of research reports recently posted to the Recorded Future website, “North Korea Is Not Crazy,” and, “North Korea’s Ruling Elite Are Not Isolated.”

The reports reveal that North Korean threat actors are not crazy or irrational: they just have a wider operational scope than most other intelligence services, along with unique insights into how North Korean leadership and ruling elite use the internet and what that can tell us about their plans and intentions.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, I’m Dave Bittner from the CyberWire. Thanks for joining us for episode 18 of the Recorded Future podcast. When it comes to North Korea, there are a variety of images that may come to mind. Eccentric, erratic leadership, suffering citizens, isolation from the rest of the global community, and lately, of course, the testing of nuclear weapons and long-range missiles. When it comes to cybersecurity and threat intelligence, North Korea is known for cybercrime, perhaps most notably, the WannaCry ransomware and the Sony hack.

Our guest today is Priscilla Moriuchi, director of strategic threat development at Recorded Future. Her team is responsible for a pair of research reports recently posted to the Recorded Future website, “North Korea Is Not Crazy” and “North Korea’s Ruling Elite Are Not Isolated.” Stay with us.

Priscilla Moriuchi:

I think there are two threads to the crazy narrative. The first that we emphasized was that North Korea, strategically, how they approach their relationship with the global community, how they conduct intelligence operations, how they sustain the regime in light of the sanctions, what they do to support their missile program … all of that is very much in line with this asymmetric warfare strategy that they have, which plays them off as a weak state, and the nontraditional methods that they can use to both support their own goals and gain some leverage in the international community. That’s the first thread, that thread that they’re not crazy and they have a strategy and they follow it.

The second thread that tends to intertwine with that is the narrative that the Kim family has created internal to North Korea to support their own continued leadership and their dynasty, and I think that’s where a lot of the “crazy,” quotation marks, comes from. It’s this narrative they’ve developed since the founding in Kim Il-sung that sort of lays out a destiny narrative that the Kims saved North Korea and they’re destined to lead it, and there are all these things that they create. Perfect golf games, born on the top of Mount Baekdu, which is this kind of famous mountain in North Korea. There’s a narrative to support their leadership that does have some of that crazy in it, but that is not necessarily the same as how they interact with the rest of the global community.

Dave Bittner:

Give us an overview of how they do interact with the rest of the global community, when it comes to cyber.

Priscilla Moriuchi:

When it comes to cyber, they have realized that the cyber realm is an area in which they can exercise a degree of power and influence that they don’t have in other more conventional areas. They don’t have a huge and powerful standing military that can project force abroad. They don’t have a great economy; they don’t have popular culture. A lot of things that larger countries have, they don’t have, so they’ve realized in their approach to the rest of the world that the cybersphere and space is an area in which they can achieve some influence and impact on the world.

The way they interact in cyberspace is in line with a lot of the other things they do in the real world to support the regime, in terms of the criminal component to North Korea. We kind of go through, in the piece, a lot about how their primary intelligence service called the Reconnaissance General Bureau, operates in a much more broad sense than most other intelligence services. They do things like assassination attempts, they do bombing attempts, they conduct, essentially, a broad criminal enterprise in which they engage in illegal drug smuggling, and manufacturing, and counterfeiting U.S. dollars, and also, criminal cyberactivity like the WannaCry attack, for example, like the Sony incident, like a number of other attacks against South Korean entities from about 2009 to 2013. All that is in line with their asymmetric strategy of playing off the few strengths that they have as a small country and really using that to influence and create chaos in the international sphere.

Dave Bittner:

One of the points that your research makes is that this notion that North Koreans are completely cut off from the rest of the internet may not be the case.

Priscilla Moriuchi:

That’s right. We went in-depth to a dataset that we had, and we found a couple things. One, if we’re talking about North Koreans and internet access, there are two separate internets in North Korea. There’s this first — an internal domestic intranet that slightly more people are allowed to have access to. Students, scientists, government officials, etcetera, are allowed to access this domestic state-run internet. They have computer labs at universities and things like that, where they can access that. That’s not connected to the global internet. Our data was on the usage of the global internet, and among North Koreans, there are a very, very small number of people in the upper ranks of leadership — most trusted leaders and their families who are allowed access, pretty much unfettered, it looks like, to the global internet at large. And that’s what we were able to look at and profile in this second report.

Dave Bittner:

And their use of the internet, for those handful of people who have unfettered access, their usage pretty much mirrors people from around the rest of the world.

Priscilla Moriuchi:

Yeah, in a lot of ways it does. They’re actively engaged in many of the same Western and popular social media sites that we use, like Facebook and Twitter, for example, Instagram. They regularly read international news. They stream videos and do online gaming. We were able to see that for these few people, anyway, they’re really not disconnected, and most likely they are able to understand how the world at large views them and their actions.

Dave Bittner:

Take me through some of the relationships that North Korea has with some of the other nations around the world.

Priscilla Moriuchi:

The most important relationship for North Korea is China. I believe China is somewhere of 90% of their economic … both import and export, they’re their main supporter in the international community, and we saw that from the intelligence that we analyzed as well, that a lot of the activity that we saw involved Chinese services, like Baidu or Alibaba, or transited China, or involved people most likely physically located in China. So, China would be the main and most important relationship for North Korea.

We saw some other areas where our analysis demonstrated that there was likely a significant physical and virtual North Korean presence. India was another country where we saw a lot of activity, to and from. It was about a fifth of all the activity we observed in one time period of April through July of this year that involved India in some way. There were a number of other countries where we observed similar patterns of activity and North Korean internet behavior to and from and transiting. Those included Malaysia, Nepal, Kenya, Mozambique, Indonesia, and New Zealand.

Dave Bittner:

One of the observations you had was that North Korea wasn’t necessarily on top of security for their own data.

Priscilla Moriuchi:

Right. Initially, I had been surprised that only one percent of the activity that we saw during this whole time period was obfuscated or protected in any way. I think I had expected North Korean users might be more aware of potential monitoring or concerned about that or their security. 99% of the activity was just in the clear, no VPNs or VPS, not even SSL in most cases, so that was pretty interesting. And that allowed us to gain some of the insights that we were able to gain.

Dave Bittner:

Do you have any notion for why more things aren’t encrypted or obfuscated?

Priscilla Moriuchi:

I think it’s most likely that the leaders and their families that are using this access are not concerned about monitoring, either from their own government or from others. It’s possible they don’t know a lot about VPN technologies, but I would think, from what I saw and the level of integration that they have with the modern internet community, I would think they know about the technologies themselves.

Another possibility could be that most VPNs you have to pay for, so they might not have easily accessible means of accessing the international financial system, because most companies will probably not do business with a North Korean banker, something like that. Some theories, but I’m not 100% certain, I guess.

Dave Bittner:

Take us through some of the suspect activities that North Korea is up to.

Priscilla Moriuchi:

Sure. The most suspect activity I found was something I just wasn’t able to follow up on, but it was these chains of VPNs or VPS — virtual private server — use. Some of these chains were multiple, multiple hops that really became untraceable after a certain point. All I could really see was the transit of large amounts of data in some of these chains. But again, that was a really, really small percentage of the total activity that we saw, so, it was a small percent of the one percent of obfuscated activity.

The other suspect activity had to do with — and this in and of itself is not suspect, but — bitcoin mining. On May 17, North Koreans, from their domestic territorial internet, began conducting bitcoin mining. Before May 17, there was not a single instance of mining or much interest in bitcoin at all, and then on the 17th, it just increased exponentially. May 17 was around the time that they might have realized it would’ve been difficult to get the money gained from the WannaCry attacks from their bitcoin wallets, and that it might take a bit longer than they were hoping. Or they had realized, maybe it was another way to generate some cash for the regime. But that was a really interesting start of activity that we saw.

And the last one was, we saw a lot of research into a number of foreign labs and research centers. Large, large, large amounts of data transfers between a number of Indian science and technology research centers and Philippine government research centers. It’s not clear what was happening there, but it certainly looked like the organizations themselves, and maybe their researcher technology is certainly of interest to some North Koreans.

Dave Bittner:

And when you say transfers of large bits of data, did you mean that that data was being taken without the owner’s knowledge of it, or was the data being shared?

Priscilla Moriuchi:

It’s not clear. That’s why I had to just call it suspect, as opposed to malicious.

Dave Bittner:

Right, sure. So, what are the take-homes from this? As you look at the research, what are the things that you’ve learned?

Priscilla Moriuchi:

First, we’ve learned from these two pieces, one: how to place North Korean cyberactivity into the broader North Korean approach to the world. Primarily, North Korean leaders are not crazy, they’re not isolated from the outside world. From a broader perspective, the types of activity that the international community is undertaking — sanctions, and pressure, and stuff, that we’re pushing on North Korea — may not be working to the degree that we would like it to. They’re active and engaged participants in contemporary internet, both society and economy, and that some of our attempts to shut North Korean leadership in particular off from the global economy don’t appear to be successful, from our research.

Second, that there are other tools and techniques that we’ve identified through our research that we could use to pressure North Korea and the Kim regime, and that maybe we should focus our efforts going forward not necessarily on territorial North Korea, but on the larger diaspora that North Korea uses, through the global community, to support their regime, both in terms of the criminal networks, also, the cyberactivity that we’re seeing.

We tested the hypothesis that we had about a possible correlation between North Korean missile launches and tests, and internet activity. That hypothesis had been out there in the scholarly community and the North Korean community at large for a long time. Our dataset was only three months, so it’s quite a small dataset. We didn’t find a correlation necessarily between the levels of activity we saw and the tests, but as a hypothesis, it’s something we’re going to keep testing, and we’re going to keep collecting data and trying to find better ways to develop any type of indication and warning for a missile launch or a missile test.

Dave Bittner:

Our thanks to Priscilla Moriuchi for joining us.

You can find the reports on North Korea in the blog section of the Recorded Future website, at recordedfuture.com/blog.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

Be sure to save the date for RFUN, the sixth annual threat intelligence conference coming up in October in Washington, D.C. Attendees will gain valuable insight into threat intelligence best practices by hearing from industry luminaries, peers, and Recorded Future experts. Details are at recordedfuture.com/rfun.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.