
North Korea’s Elite More Connected Than Previously Thought

Telecommunications capability in North Korea is three-tiered. The vast majority of people have neither internet nor North Korean intranet connectivity — they simply have mobile telephony voice, text and picture/video messaging within the domestic provider, Koryolink.

A small group of others, including university students, scientists and some government officials, can access the state-run North Korean intranet, Kwangmyong, that links libraries, universities and government departments and comprises a limited number of domestic websites.

A much smaller group from the ruling elite does, however, have full access to the internet. From April 1 through July 6, 2017, Recorded Future analyzed internet traffic from this small group of officials, and concluded that the standard view of North Korea is not entirely accurate: its leadership at least is not isolated from the rest of the world.

In a report and analysis conducted in partnership with Team Cymru and published today, Recorded Future notes that North Korean leadership’s internet activity is little different from the rest of the world’s internet activity: “North Koreans spend much of their time online checking social media accounts, searching the web, and browsing Amazon and Alibaba,” notes the report. “Facebook is the most widely used social networking site for North Koreans, despite reports that it, Twitter, YouTube, and a number of others were blocked by North Korean censors in April 2016.”

The researchers looked for any proof of the hypothesis that there may be a correlation between North Korean internet activity and North Korean missile tests; but could find none. While noting that the research data was too small to be conclusive, the report says, “if there is a correlation between North Korean activity and missile tests, it is not telegraphed by leadership and ruling elite internet behavior.”

What is clear, however, is that there is virtually no malicious cyber activity coming directly from the North Korean mainland, and that “most state-sponsored activity is perpetrated from abroad.” While this has some advantages, it also demonstrates an operational weakness that Recorded Future suggests could be exploited to apply asymmetric pressure on the Kim regime. By operating outside of national boundaries, state actors should, in theory, be more easily detected and held accountable for their actions.

Most of the extra-territorial malicious activity is likely to come from the countries that have a significant North Korean presence: India, Malaysia, New Zealand, Nepal, Kenya, Mozambique, and Indonesia. China is excluded from this because of the unique nature of the North Korean/China relationship and the lower likelihood of direct cooperation with the West — even though 10% of all North Korean cyber activity is with China.

This figure, however, is dwarfed by that of India. “Nearly one-fifth [20%] of all activity observed during this time period involved India,” says the report. This supports reports of an increasingly close diplomatic and trade relationship between North Korea and India.

With little malicious activity coming from the North Korean mainland, the report is unable to draw conclusions about the associated cyber threat. Nevertheless, it says, “there was a smaller, but significant, amount of activity that was highly suspect. One instance was the start of Bitcoin mining by users in North Korea on May 17.”


The temporal relationship to WannaCry is clear. “It began,” says Recorded Future, “very soon after the May WannaCry ransomware attacks, which the NSA has attributed to North Korea’s intelligence service, the Reconnaissance General Bureau (RGB), as an attempt to raise funds for the Kim regime. By this point (May 17) actors within the government would have realized that moving the bitcoin from the three WannaCry ransom accounts would be easy to track and ill-advised if they wished to retain deniability for the attack.” 

The implication is that bitcoin mining was chosen to replace the missing funds from the WannaCry ransomware; however, it is also worth considering this in conjunction with Joe Carson’s view of WannaCry as a bitcoin manipulation method.

“Team Cymru’s intelligence and Recorded Future’s analysis have revealed two separate realities,” concludes the report. The first is that attempts to completely isolate North Korea simply have not worked. The second, however, is more positive: “new tools that do not focus on Pyongyang and territorial North Korea are needed to achieve a lasting negative impact on the current Kim regime.” This could be achieved by partnering with the countries that currently have internet activity with North Korea, such as India, Malaysia, Indonesia, and New Zealand.

Meanwhile, it says, “We continue to recommend that financial services firms and those supporting U.S. and South Korean military THAAD [Terminal High Altitude Area Defense] deployment as well as on-peninsula operations maintain the highest vigilance and awareness of the heightened threat environment to their networks and operations on the Korean peninsula.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high-tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines, from The Times and the Financial Times to current and long-gone computer magazines.
