North Korean internet users are historically secretive, but new research sheds some light on trends in the country.
North Korea has been synonymous with cyber activity for years.
New insights from Recorded Future and Insikt Group show how the country’s ruling elite is adapting how it uses the internet due to foreign scrutiny, among other reasons. Only a select few in the country are allowed to access the global internet.
A massive change from North Korean internet users
Report author Priscilla Moriuchi explained that the change in how the 1pc elite of North Korean internet users interacted with certain platforms was a dramatic one. July 2017 saw a ruling elite plugged into digital society, with major technological savvy and similar internet usage patterns to Western contemporaries.
Revisiting the analysis in December 2017 was a markedly different story. Western social media use was found to have plummeted in just six months, while operational security measures among elite North Korean internet users had increased.
The social media drop-off could be down to any one, or a combination, of three key factors: increased foreign research and attention on the country’s media consumption; possible new enforcement of a Western social media ban, which has been in place since April 2016; or increased operational security.
There are three primary ways these North Koreans access the global internet. The first is via their allocated ‘.kp’ range, which hosts the country’s only internet-accessible websites, with state-run media sites and travel pages among these. The second is via a range assigned by China Netcom and the third is through an assigned range provided by a Russian satellite company, which currently resolves to SatGate in Lebanon.
In July, the research showed North Korean leadership consuming a diet of Western social media such as Instagram and Facebook, with the latter having more than double the daily usage of any of its Chinese-language counterparts.
In the data from December 2017 to March of this year, it was clear something had changed. Facebook and Instagram were almost absent in terms of activity levels and Chinese services were being increasingly favoured. Alibaba, Tencent and Baidu look to have become the social media channels of choice. The remaining top Western services were used for content streaming as opposed to digital social interactions.
Gaming for profit
The research also found a series of online games that North Korean hackers overseas may be exploiting to generate revenue for the country’s regime. North Korea has a history of sending citizens overseas to conduct cyber operations.
The report stated: “One defector, who had worked in a house in China with dozens of other North Korean hackers, reported that these men were required to earn nearly $100,000 a year, with 80pc being sent back to the Kim regime. To meet this requirement, the men created counterfeit video games – bots that stole digital items such as weapons, points and gear – resold them for profit, and discovered and sold new vulnerabilities in gaming software.”
By examining the web traffic from the elite in the country itself, researchers could draw conclusions about which titles were used to earn money. World of Warcraft, League of Legends and Steam accounts and games were popular, likely meaning that overseas operators have been developing bots or hacks for such familiar titles.
North Korean cyber activity from abroad
The researchers identified eight nations where North Koreans were living using a heuristic, which included above-average internet activity to and from these nations, but also browsing and use of many local resources, such as news outlets, district or municipal governments, local educational institutions and more. India, Malaysia, New Zealand, Nepal, Kenya, Mozambique and China were included. Thailand and Bangladesh emerged in this second round of research.
According to Moriuchi, North Korea has been mining bitcoin since at least May of 2017 and has recently moved on to Monero. “The traffic volume and rate of communication with peers was the same as last summer, but we were still unable to determine hash rate or build. This mining effort appears small-scale and limited to just a few machines, similar to the activity from last summer.”
The breadth of North Korea’s embrace of the internet, from leadership browsing to revenue generation and tactical cyber operations, indicates how indispensable this medium is to the Kim regime. International efforts to restrict the activities and operational scope of this rogue nation must include sanctions or punitive measures on North Korean cyber operations.
The report outlined the need for cybersecurity professionals to prepare to defend against malicious activity from the country. It also warned energy and media companies, particularly those located in or that support these sectors in South Korea, to be on alert to a wide range of cyber activity from North Korea, including DDoS attacks, destructive malware and ransomware attacks.
“This is such a period of transition that it is impossible to predict North Korean behaviour over the next six months. If anything, our research has highlighted how adaptable North Korea’s leadership really are. We often think of authoritarian regimes as static and regressive; however, time after time, North Korea’s cyber operations and embrace of the internet have demonstrated how quickly they adapt to international pressure,” Moriuchi told Siliconrepublic.com.
“Our only prediction is that North Korea will continue to create innovative ways to adapt to restrictions, sanctions and pressure that the international community places on them.”