North Korea’s Elite More Connected Than Previously Thought

Telecommunications capability in North Korea is three-tiered. The vast majority of people have neither internet nor North Korean intranet connectivity — they simply have mobile telephony voice, text and picture/video messaging within the domestic provider, Koryolink.

A small group of others, including university students, scientists and some government officials, can access the state-run North Korean intranet, Kwangmyong, that links libraries, universities and government departments and comprises a limited number of domestic websites.

A much smaller group from the ruling elite does, however, have full access to the internet. From April 1 through July 6, 2017, Recorded Future analyzed internet traffic from this small group of officials, and concluded that the standard view of North Korea is not entirely accurate: its leadership at least is not isolated from the rest of the world.

In a report and analysis conducted in partnership with Team Cymru and published today, Recorded Future notes that North Korean leadership’s internet activity is little different to the rest of the world’s internet activity: “North Koreans spend much of their time online checking social media accounts, searching the web, and browsing Amazon and Alibaba,” notes the report. “Facebook is the most widely used social networking site for North Koreans, despite reports that it, Twitter, YouTube, and a number of others were blocked by North Korean censors in April 2016.”

The researchers looked for any proof of the hypothesis that there may be a correlation between North Korean internet activity and North Korean missile tests, but could find none. While noting that the research data was too small to be conclusive, the report says, “if there is a correlation between North Korean activity and missile tests, it is not telegraphed by leadership and ruling elite internet behavior.”

What is clear, however, is that there is virtually no malicious cyber activity directly from the North Korean mainland, and that “most state-sponsored activity is perpetrated from abroad.” While this has some advantages, it also demonstrates an operational weakness that Recorded Future suggests could be exploited to apply asymmetric pressure on the Kim regime. By operating outside of national boundaries, state actors should, in theory, be more easily detected and held accountable for their actions.

Most of the extra-territorial malicious activity is likely to come from the countries that have a significant North Korean presence: India, Malaysia, New Zealand, Nepal, Kenya, Mozambique, and Indonesia. China is excluded from this because of the unique nature of the North Korean/China relationship and the lower likelihood of direct cooperation with the West — even though 10% of all North Korean cyber activity is with China.

This figure, however, is dwarfed by that of India. “Nearly one-fifth [20%] of all activity observed during this time period involved India,” says the report. This supports reports of an increasingly close diplomatic and trade relationship between North Korea and India.

With little malicious activity coming from the North Korean mainland, the report is unable to draw conclusions about the associated cyber threat. Nevertheless, it says, “there was a smaller, but significant, amount of activity that was highly suspect. One instance was the start of Bitcoin mining by users in North Korea on May 17.”

The temporal relationship to WannaCry is clear. “It began,” says Recorded Future, “very soon after the May WannaCry ransomware attacks, which the NSA has attributed to North Korea’s intelligence service, the Reconnaissance General Bureau (RGB), as an attempt to raise funds for the Kim regime. By this point (May 17) actors within the government would have realized that moving the bitcoin from the three WannaCry ransom accounts would be easy to track and ill-advised if they wished to retain deniability for the attack.” 

The implication is that bitcoin mining was chosen to replace the missing funds from the WannaCry ransomware — however, it is also worth considering this in conjunction with Joe Carson’s consideration of WannaCry as a bitcoin manipulation method.

“Team Cymru’s intelligence and Recorded Future’s analysis have revealed two separate realities,” concludes the report. The first is that attempts to completely isolate North Korea simply have not worked. The second, however, is more positive: “new tools that do not focus on Pyongyang and territorial North Korea are needed to achieve a lasting negative impact on the current Kim regime.” This could be achieved by partnering with the countries that currently have internet activity with North Korea, such as India, Malaysia, Indonesia, and New Zealand.

Meanwhile, it says, “We continue to recommend that financial services firms and those supporting U.S. and South Korean military THAAD [Terminal High Altitude Area Defense] deployment as well as on-peninsula operations maintain the highest vigilance and awareness of the heightened threat environment to their networks and operations on the Korean peninsula.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
