Recorded Future has published a series of analyses on North Korea’s most senior leadership’s use of the internet. As the last report of the series, it demonstrates how adaptable this leadership has become in both using and monetizing its use of the internet.
The leadership’s pattern of global internet usage has shifted. A year ago, it peaked at the weekends, primarily for online gaming and video streaming. Over the last year, weekday usage has increased while weekend use has decreased (although weekend use is still primarily for gaming and streaming). Recorded Future does not know why this shift has occurred, but suggests that it is indicative of the global internet becoming a greater part of the leaders’ every day work.
Concurrent with this pattern change has been the construction of North Korea’s new Internet Communications Bureau headquarters in Pyongyang. The combination of changing usage patterns and the completion of this building could, suggests Recorded Future, “signify a professionalization of internet use across North Korea’s most senior leadership. This would mean that these leaders utilize the internet to a greater extent as part of their jobs, as opposed to for their own entertainment.”
Noticeably, an earlier spike in the use of secure browsing (use of Tor, VPNs, etcetera) has diminished. The report suggests the spike may have been caused by an internal policy requirement, “which then slowly waned over time as the costs in time, money, and accessibility began to outweigh the benefits.”
A move away from the use of Western social media in favor of Chinese equivalents such as Baidu, Alibaba, and Tencent was first detected in late 2017. This has persisted — except for LinkedIn, where usage has increased.
Cryptocurrencies are known to be used by North Korea as a form of foreign exchange. North Korean cybercriminals are thought to be behind numerous raids on cryptocurrency exchanges in recent years. Recorded Future now believes the country has also been involved in at least two cryptocurrency scams.
The first involved the altcoin HOLD. In early 2018 it went through the process of ‘staking’, where users mine an initial number of coins but are not allowed to trade them. The purpose is to build interest, value and a user base — but it’s a risky process since the developers control the staking timeframe and can limit the trades.
“Over the course of 2018,” reports Recorded Future, “HOLD coin was listed and delisted on a series of exchanges, underwent a rebranding, changed its name to HUZU, and as of this publication, has left its investors high and dry. We assess with low confidence that North Korean users were involved in the Interstellar/Stellar/HOLD/HUZU altcoin.”
The second scam that it assesses with high confidence was conducted on behalf of North Korea was a blockchain application called Marine Chain Platform. Recorded Future notes that in April and May 2018, the Marine Chain website was hosted on the same IP address that hosted Binary Tilt. Binary Tilt has been declared fraudulent by the government of Ontario, Canada. Dozens of users have posted testimonials of losses of tens to hundreds of thousands of dollars and scams on this site.
Recorded Future has traced Marine Chain connections to North Korea. In particular, Marine Chain’s CEO, Captain Foong, has been connected to Singaporean companies that have assisted North Korean sanctions circumvention efforts since at least 2013. “Capt. Foong,” claims the report, “is part of a network of enablers throughout the world that assist North Korea in circumventing international sanctions. These connections to Marine Chain Platform mark the first time this vast and illicit network has utilized cryptocurrencies or blockchain technology to raise funds for the Kim regime.”
A heuristic developed by Recorded Future to analyze internet traffic between North Korea and other countries has, in the past, enabled the firm to identify eight nations where North Koreans were physically located or living, including India, China, Nepal, Kenya, Mozambique, Indonesia, Thailand, and Bangladesh. Improvements to the heuristic have enable the firm to gain deeper insight on data from China and India.
In China, this has discovered high volumes of activity involving the Beijing, Shanghai, and Shenyang regions, and also Nanchang, Wuhan, and Guangzhou. It also enables the firm to state with moderate confidence that seven Chinese universities have currently or previously hosted North Korean students, teachers or partners.
In India, Recorded Future detected high volumes of activity involving Delhi, Bangalore, Kolkata, and Hyderabad. It observed suspicious traffic involving the Indian Meteorological Department and National Remote Sensing Centre, but was unable to determine maliciousness.
The heuristic found an overlap with known North Korean illicit financing or logistics networks — but not for Russia. Internet activity with Russia amounts to just 0.5% of that with China. Recorded Future turned to a report published in August by the non-profit organization C4ADS. This includes the comment, that as much as 80% of North Korea’s overseas workforce is located in China and Russia. The implication is that far more North Koreans live and work in Russia than is suggested by the comparison of internet traffic between the two countries.
The C4ADS report also notes, “some estimates suggest that North Korean laborers may generate as much as $1.2 to $2.3 billion USD per year for the Kim regime, which — if true — would be equivalent to as much as 93% of North Koreaís total exports in 2016.” It adds that most worksites exhibit features characteristic of forced labor. The laborers work 12- to 16-hour days and hand over between 70% and 90% to handlers to be sent back to North Korea.
Recorded Future suggests that the difference in North Korea/Russia and North Korea/China internet traffic is that the former work as laborers with no internet requirement, while the latter work in the information economy, buil
ding mobile games, apps, bots, and other IT products for a global customer base. “This type of information economy work,” writes Recorded Future, “creates a different internet fingerprint than exploitative manual labor and likely clarifies the discrepancy between physical presence and internet activity.”
Recorded Future concludes that its research “has demonstrated how adaptable and innovative North Korea’s most senior leadership are. They are quick to embrace new services or technologies when useful and cast them aside when not. The Kim regime has developed a model for using and exploiting the internet that is unique — it is a nation run like a criminal syndicate.”
Related: North Korea’s Elite More Connected Than Previously Thought
Related: North Korea’s New Front: Cyberheists
Related: New North Korea-linked Cyberattacks Target Financial Institutions
