North Korea’s Red Star OS – Government Surveillance at Its Best

North Korea has developed its own computer operating system, dubbed Red Star OS, which represents the dream software for any government looking for the tightest surveillance on individuals, researchers claim.

After the third version of the operating system leaked online last year, German researchers Florian Grunow and Niklaus Schiess took a closer look at it and presented their findings (PDF) at the recent Chaos Communication Congress. They found that the platform not only limits users to a government-approved view of the world, but also tracks files placed on USB drives.

The operating system was initially based on Fedora 11 (released in 2009), was updated to Fedora 15 in 2011, and may have received further updates since; the publicly leaked build has the look and feel of Mac OS, the researchers note. A server edition has also been developed, and the researchers found that the platform includes significant privacy-invading custom code, making it an effective tool for the government to spy on users.

In their presentation, available in the video embedded below, the researchers revealed that North Korea has created an operating system that suppresses free speech: users cannot modify the platform’s core functions, and if they try, the system displays an error or reboots itself.

The first surveillance capability of the Red Star OS manifests in the form of a watermark applied to all files that are placed on USB drives, regardless of whether they have been created on a machine running the OS or not. All photos, videos, docs, and other files on the drive are marked, which allows the government to track who has them and who opens them, even on other machines.

Files are sometimes marked even if they haven’t been opened, as long as they are on a USB drive that has been attached to a computer running Red Star OS. The watermarking component, called opprc, also encrypts the hard disk serial number using DES, and it pads various file formats, such as .docx, with a large number of null bytes.

Furthermore, the researchers explained that the operating system includes a series of custom applications, such as the Naenara browser, the Bokem crypto tool, Sogwand Office (a version of Open Office), swmng (Software Manager), MusicScore for composing music, and rootsetting for obtaining root access. The researchers also found that the platform’s KDM (display manager) is a modified one.

The OS features a daemon that checks the integrity of various files, mostly system related files, and includes signatures for some custom Red Star files. It can perform checks at boot-up or run-time, can log the output, and prints error messages when integrity checks fail.

Additionally, the platform includes a securityd that mimics the one present in Mac OS; it features a function to validate the OS, integrity checking, and hardcoded MD5 checksums. The KDM calls the validate_os() function at startup and reboots if the check fails, which shows that users are not allowed to modify the platform’s core capabilities.

According to the researchers, this also shows that the country is in full control of the platform’s code, and that it was focused on building a platform completely independent from any code that could otherwise compromise that control. The platform closely monitors every user action and was designed to resist any modification attempts.

The Red Star OS, however, also includes its own firewall and antivirus system, scnprc, which features a GUI that looks just like a regular virus scanner and which can be triggered automatically when files are opened. Designed to detect and delete malicious files, the scanner keeps its signatures in a file that cannot be read even by root, and the researchers suggest that the application’s creators are the ones who decide which files are flagged as malicious.

The researchers suggest that no backdoors were found in the OS, mainly because backdoors could be added later via updates and because the ISO could be leaked, as has already happened.

Overall, the two researchers conclude that the Red Star OS was indeed created to oppress free speech, and that the watermarking feature, which tracks both origin and distribution of files, including who opened them, was meant to prevent free distribution. The watermarking was clearly meant to track media file formats, including JPG, PNG, AVI, and more, in addition to Office documents.
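A defender triaging a USB drive that may have been attached to such a system would want to know whether files carry appended data beyond their format's end marker. The following is an added example (not code from the article or from the researchers' work) that reports trailing bytes after a PNG's IEND chunk or a JPEG's EOI marker, and how much of that trailer is null padding; it assumes the mark is appended after the end marker, and the sample files and `CONSTRUCTED-MARK` trailer are constructed for the demonstration.

```python
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def trailing_bytes(data: bytes) -> Optional[bytes]:
    """Bytes after the format's end marker (PNG IEND chunk or JPEG EOI); None if unknown."""
    if data.startswith(PNG_SIG):
        idx = data.find(b"IEND")
        if idx == -1:
            return None
        return data[idx + 4 + 4:]          # "IEND" tag (4) + CRC (4); IEND has zero-length data
    if data.startswith(b"\xff\xd8"):
        idx = data.find(b"\xff\xd9", 2)    # heuristic: an embedded EXIF thumbnail could carry an earlier EOI
        if idx == -1:
            return None
        return data[idx + 2:]
    return None

def inspect(data: bytes) -> dict:
    """Summarise any trailing data: its length and how many of its bytes are nulls."""
    tail = trailing_bytes(data)
    if tail is None:
        return {"known_format": False, "trailer_len": 0, "null_bytes": 0}
    return {"known_format": True, "trailer_len": len(tail), "null_bytes": tail.count(0)}

# Constructed sample inputs (not real Red Star OS artefacts): minimal valid PNG and JPEG files.
def minimal_png() -> bytes:
    def chunk(tag: bytes, body: bytes) -> bytes:
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1 pixel, 8-bit greyscale
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b"")

def minimal_jpeg() -> bytes:
    # SOI, a 16-byte APP0/JFIF segment, EOI: enough structure for the end-marker check.
    return b"\xff\xd8\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9 + b"\xff\xd9"

FAKE_MARK = b"\x00" * 16 + b"CONSTRUCTED-MARK"   # constructed stand-in for an appended watermark

if __name__ == "__main__":
    for name, blob in [("clean.png", minimal_png()), ("marked.png", minimal_png() + FAKE_MARK),
                       ("clean.jpg", minimal_jpeg()), ("marked.jpg", minimal_jpeg() + FAKE_MARK)]:
        print(name, inspect(blob))
```

A non-zero trailer on files that were clean before the drive left your control is the signal to investigate; a real mark's exact layout would still have to be confirmed by hand.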
