North Korea’s elite ratchets up online anonymity
“What can he possibly be thinking, standing there in his pear-shaped polyester pantsuit, pointy-toed elevator shoes, oversize sunglasses of malevolent tint, an arrogant curl to his feminine lips, an immodest potbelly, a perpetual bad hair day? He’s thinking, get me out of here.” So begins a chapter in Bruce Cumings’ classic 2003 book on North Korea.
Fifteen years later, the subject of this unflattering pen portrait, Kim Jong-Il, may be dead and buried, but his son Kim Jong-un has kept up some of the family sartorial trends.
Get me out of here?
North Korean citizens with internet access, meanwhile, are increasingly exiting the totalitarian states network for friendlier cyber climes via anonymisation services like VPNs and Tor; the use of which are up by 1,200 percent in the past 12 months, a new report from threat intelligence company Recorded Future reveals today.
Authored by former NSA analyst Priscilla Moriuchi, the company’s research team analyzed third-party data, IP geolocation, Border Gateway Protocol routing tables, and open source intelligence using a number of tools between December 1, 2017 through March 15, 208 for insight into North Korea’s senior leadership activity online.
The research – published ahead of a historic summit between North Korea and South Korea scheduled for Friday — also reveals that North Korea’s elite are moving away from using western social media, with those who were using Facebook, Google and Instagram six months ago, having “nearly totally” abandoned the US services for Chinese alternatives Alibaba, Tencent and Baidu.
“It is likely that this dramatic change in behavior is the result of 1) increasing foreign research into and attention to North Koreans’ media consumption, 2) new enforcement of the official ban on these western social media services which has been in place since April 2016, 3) increased operational security by the North Korean elite” Priscilla Moriuchu said in the report.
Three Routes Online
There are three primary ways North Korean elites access the global internet, the report notes. Like with any internet-connected networks, there are occasionally reports of malicious activity from these ranges. However, the majority of North Korean malicious cyber operations are likely conducted from overseas.
“The first is via their allocated .kp range, 220.127.116.11/22, which also hosts the nation’s only internet-accessible websites. These include nine top-level domains such as co.kp, gov.kp, and edu.kp, and approximately 25 subdomains for various North Korean state-run media, travel, and education-related. The second is via a range assigned by China Netcom, 18.104.22.168/24. The third is through an assigned range, 22.214.171.124/24, provided by a Russian satellite company, which currently resolves to SatGate in Lebanon.”
Have Internet, Will Watch Video
A Cisco analysis revealed that 77 percent of global internet traffic in 2017 consisted of internet video and online gaming. For North Korean users, activity looks to be largely similar: 70 percent of activity consisted of internet video or online gaming; 17 percent consisted of web browsing, checking email, and data downloads; and 13 percent was in a Virtual Private Network (VPN), or otherwise obfuscated, Recorded Future said.
From April through July 2017, North Korean leadership obfuscated less than one percent of all of their internet activity — this included TLS-enabled browsing, the use of VPN or VPS, and other tunneling protocols, or even the use of Tor. Just six months later, North Koreans had increasied their use of obfuscation services twelvefold.
… and Mine Monero
“Since our initial reports that North Korea had been mining Bitcoin since at least May 2017, the North’s interest in and exploitation of cryptocurrencies has exploded. North Korea committed numerous thefts from South Korean cryptocurrency exchanges, was linked to the May WannaCry attack, and has begun to mine Monero”, the company said.
It qualified the words by admitting that this was on a tiny scale.
“While our data does not give us insight into the full scope of North Korea’s Bitcoin activity, we saw a continuation of the mining activity we observed in May from January 24 through the end of this dataset on March 15. The traffic volume and rate of communication with peers was the same as last summer, but we were still unable to determine hash rate or build. This mining effort appears small-scale and limited to just a few machines, similar to the activity from last summer.”
The report adds that the regime appears to be continuing to send citizens to Thailand and Bangladesh (as well as China and seven other countries that were revealed in the earlier report, where they study computer science programs at local universities and create counterfeit video games and bots that steal digital gaming items to be resold, and also sell vulnerabilities found in gaming software.