The North Korean elite regularly use foreign video streaming services such as YouTube, check mainstream media websites to keep themselves informed, log on to Amazon and Instagram, are heavy users of Facebook, and particularly enjoy games hosted on Valve’s Steam platform.
This is one of several findings in a new report on how the top tier of North Korean society is using the worldwide web, produced by threat intelligence specialists at Recorded Future and intelligence partner Team Cymru.
If correct, the information appears to suggest that the North Korean regime is not nearly as isolated as it is perceived in the west, and is well aware of the impact it has on global geopolitics. Other findings suggest that western intelligence agencies may be missing vital clues to how North Korea perpetrates state-sponsored cyber attacks and plans its missile tests.
Use of the worldwide web is virtually impossible in the hardline communist state, with those people who do have access to the internet restricted either to a single mobile network operator (MNO) called Koryolink, or a state-run intranet called Kwangmyong.
But Recorded Future’s data shows that a slim majority of the ruling elite are granted access to the wider internet through three main methods: via North Korea’s allocated .kp range of IP addresses, which host the country’s only internet-accessible websites; via a range assigned by China Netcom; and via a range assigned by a Russian satellite company.
Analysis conducted between April and June this year saw North Koreans checking news websites, with China’s Xinhua and People’s Daily favoured, logging into webmail accounts, streaming videos and searching Amazon and Baidu.
“North Korean elite and leadership internet activity is, in many ways, not that different from most westerners,” wrote the report’s authors. “For example, similar to users in the developed world, North Koreans spend much of their time online checking social media accounts, searching the web, and browsing Amazon and Alibaba.”
Despite reports that most mainstream social networking sites are blocked in North Korea, the report reveals particularly heavy usage of Facebook, and even Twitter, emanating from North Korean IP addresses.
“North Korea’s leadership and ruling elite are plugged into modern internet society and are likely aware of the impact that their decisions regarding missile tests, suppression of their population, criminal activities and more, have on the international community,” said the report. “These decisions are not made in isolation, nor are they ill-informed as many would believe.”
However, the North Korean elite proved less than adept when it came to securing their activity: less than 1% of activity was obfuscated or protected, and multiple incorrect implementations of Transport Layer Security and Secure Sockets Layer (TLS/SSL) were observed. One user went to the trouble of using Tor, but then used torrent file sharing and exited the Tor network from the same node on every day their activity was observed.
Lax attitudes to security revealed further insight into the regime’s interests, with many using voice over IP (VoIP), investigating industrial hardware and technology optimisation services, and researching companies such as Kaspersky, McAfee and Symantec. One user was observed accessing online training on the use of mobile satellite communications, and others conducted extensive research into physics and engineering departments at US universities.
The researchers also observed people still using old AOL accounts, buying expensive trainers, and playing a massive multiplayer online game called World of Tanks.
In the past, many researchers have suggested there may be a connection between North Korean internet activity and planned missile launches, and hypothesised that one could forecast or anticipate a test using this data.
Although the three-month dataset was too limited to imply a firm connection, Recorded Future suggested that there were no clear spikes in general North Korean internet activity on dates when the regime launched missiles in that timeframe, suggesting that if a correlation exists, it is not being telegraphed by the behaviour of the elite.
However, the analysts also spotted that there was virtually no malicious online activity coming from North Korea, and suggested that the regime is using people based outside the country to perpetrate state-sponsored hacking and cyber attacks.
Higher-than-average activity between North Korea and a number of countries around the world pointed to substantial and active physical and virtual presences in India, Malaysia, New Zealand, Nepal, Kenya, Mozambique and Indonesia, although the report stressed this was not an indicator of government-level collaboration.
The report’s findings suggest that the strategy of shutting North Korean leadership off from the global economy with sanctions and massive international pressure has essentially failed.
However, it suggested a number of pressure points that could be applied by western governments, such as partnering with the named host countries to target the so-called “operational diaspora”. This, it suggested, was likely to impose larger real costs on the North Korean regime.