An in-depth analysis of North Korean internet activity reveals an informed, modern, and technologically savvy ruling elite, according to threat intelligence firm Recorded Future.
North Korean leaders and the ruling elite with access to the internet are actively engaged in Western and popular social media, regularly read international news, use many of the same services such as video streaming and online gaming, and above all, are not disconnected from the world at large or the impact North Korea's actions have on the community of nations.
Attempts to keep the North Korean elite and leadership away from the international community are failing, says Recorded Future, which, in partnership with intelligence experts Team Cymru, said in a release that “North Korean cyber-actors are not crazy or irrational: they just have a wider operational scope than most other intelligence services.”
North Korea online
Recorded Future cites South Korean media as having assessed that there are potentially as many as four million mobile devices in North Korea. For context, the World Bank says there were 25.37 million North Koreans in 2016.
The firm notes, however, “the vast majority of North Koreans do not have access to the internet.” North Koreans are buying mobile devices enabled with few 3G services, and are restricted to operating only on North Korea's partly state-run network, Koryolink, also part-owned by Dutch firm Global Telecom Holding.
Only a small, select group of university students, scientists, and select government officials are allowed access to North Korea's domestic, state-run intranet via common-use computers at universities and internet cafes, says Recorded Future.
Slate described the domestic intranet this way: “The network, called Kwangmyong, currently connects libraries, universities, and government departments and is slowly making its way into homes of better-off citizens. It houses a number of domestic websites, an online learning system, and email. The sites themselves aren't much to get excited about: They belong to the national news service, universities, government IT service centres, and a handful of other official organisations. There's also apparently a cooking site with recipes for Korean dishes.”
“Among the select few with permission to use the country's intranet are an even slimmer group of the most senior leaders and ruling elite who are granted access to the worldwide internet directly,” says Recorded Future.
How are the select few using the internet?
Speaking of the period in which it collected data, Recorded Future says 65 percent of all internet activity in North Korea was from gaming and content streaming.
In general terms, the content consumed by readers came mostly from the Chinese video hosting service Youku, iTunes, and various BitTorrent and peer-to-peer streaming services.
North Korean users, says Recorded Future, seem to prefer games hosted by Valve and a massively multiplayer online game called World of Tanks.
Less than one percent of North Korean internet activity during this period was encrypted or protected in any way. Among the activity that met this criterion, methods of protecting information varied broadly, from incorrect implementations of TLS/SSL to the use of nearly untraceable chains of multiple virtual private networks (VPNs) and virtual private servers (VPS) to transfer large amounts of data.
As an example of incorrect implementation, Recorded Future says it observed a North Korean user who went to the trouble of using Tor to cover their tracks but then used torrent file sharing and exited the Tor network from the same node every day for over three months.
This generally poor level of encryption is, according to Recorded Future, what has given the West an insight into the interests of the North Korean leadership and elite that it never had before.
The firm notes that some users, who were using high-end technology such as iPhones, iPads, and Blackberries to communicate, were utilising VoIP services to talk and message others overseas.
Others, who regularly checked their AOL accounts, also might have frequented health and beauty sites or bought designer clothes online.
North Korea on the world stage
The data collected by Recorded Future reveals that North Korea's leadership and ruling elite are likely aware of the impact that their country's missile tests, suppression of the population, and criminal activities have on the international community.
“These decisions are not made in isolation nor are they ill-informed as many would believe,” according to the firm.
“Researchers and scholars have hypothesised that there may be a connection between North Korean cyber-activity and missile launches or tests,” says Recorded Future, claiming “we may be able to forecast or anticipate a missile test based on North Korean cyber or internet activity.”
They report however that there does not appear to be a correlation between North Korean internet activity at large and missile tests or launches.
“This current data set is too short a duration of time to apply any long-term conclusions about the utility of internet activity as a warning device for missile tests,” says Recorded Future. However, it said its analysis does suggest that if there is a correlation between North Korean activity and missile tests, it is not telegraphed by the internet behaviour of the leadership and ruling elite.
While the majority of activity from North Korea during the timeframe Recorded Future analysed was not malicious, the firms note the start of Bitcoin mining in North Korea on 17 May. Before that day, there was very little to no activity on Bitcoin-related sites or nodes, or even the use of Bitcoin-specific ports or protocols.
Beginning on 17 May, that activity shot from nothing to hundreds per day. The timing of this mining is important because it began very soon after the May WannaCry ransomware attacks, which the NSA has attributed to North Korea's intelligence service, the Reconnaissance General Bureau (RGB), as an attempt to raise funds for the Kim regime.
By this point (17 May) actors within the government would have realised that moving the Bitcoin from the three WannaCry ransom accounts would be easy to track and ill-advised if they wished to retain deniability for the attack.
It is not clear who is running the North Korean Bitcoin mining operations; however, given the relatively small number of computers in North Korea coupled with the limited IP space, “it is not likely this computationally intensive activity is occurring outside of state control,” says Recorded Future.
Other countries in the mix
According to Recorded Future, North Korea is not using territorial resources to conduct cyber-operations and most North Korean state-sponsored activity is likely perpetrated from abroad, which presents an opportunity to apply asymmetric pressure on the Kim regime.
“This analysis demonstrates that there are likely other regime pressure points, and as a result, other tools, techniques, and partners that could be explored toward a path for North Korean denuclearisation,” says Recorded Future.
This data and analysis from Recorded Future demonstrates that there are significant physical and virtual North Korean presences in several nations around the world — nations where North Koreans are possibly engaging in malicious cyber and criminal activities. These nations include India, Malaysia, New Zealand, Nepal, Kenya, Mozambique, and Indonesia.
It has been widely reported that North Korea has a physical presence to conduct cyber-operations in China, including co-owning a hotel in Shenyang with the Chinese from which North Korea conducted malicious cyber-activity. Nearly ten percent of all activity observed during this time frame involved China, not including the internet access points provided by Chinese telecommunications companies.
Recorded Future's analysis finds that the profile of activity for China was different than the seven nations identified above, mainly because North Korean leadership users utilised so many Chinese services, such as Taobao, Aliyun, and Youku, which skewed the data. After accounting for use of Chinese internet services, which of course do not signify either physical or virtual presence in China, the pattern of activity to local Chinese resources, news outlets, and government departments mirrored the seven previously identified nations.
This Chinese example, where the distinct pattern of activity discovered is combined with the already known facilities for cyber-operations, provides a model that can be applied to the other seven nations.
Recorded Future notes: “We are not implying that the governments of these seven nations identified above (excluding China) are complicit with, supportive, or even knowledgeable of the North Korean presence in their country.”
The international policy and engagement strategy toward North Korea has struggled to be impactful for decades because it has relied on the same set of tools (sanctions, increasing international isolation) and engaged the same nations (China, Russia, UN Security Council Permanent Five) as partners, says Recorded Future. There are likely other pressure points on the regime and as a result, other tools, techniques, and partners that should be explored.
Team Cymru's intelligence and Recorded Future's analysis have revealed two separate realities.
First, “despite the sanctions and massive international pressure, North Korea's leaders are not isolated from the outside world. They are active and engaged participants in the contemporary internet society and economy; meaning that attempts to shut North Korean leadership off from the global economy have largely failed.”
Second, “new tools that do not focus on Pyongyang and territorial North Korea are needed to achieve a lasting negative impact on the current Kim regime. The researchers have identified other nations with which the West could partner and alternate tools and techniques that could be utilised to apply asymmetric pressure on North Korea. Partnering with nations such as India, Malaysia, Indonesia, or others identified above, would enable the US and other Western nations to circumvent uncooperative partners in China and Russia and exert pressure on the broad North Korean operational diaspora, which, because of the regime's dependency, would likely impose larger real costs on leadership.”