Events for North Korean Subnet – 175.45.176.

175.45.176.1 = North Korea off button.

DDoS attack on DNS including 175.45.176.8 - 175.45.176.9 - 175.45.176.10 seems to have knocked off North Korea off the Internet.

#opnorthkorea North Korean hosted target list: name: http://t.co/z6Egn3JOSK address: 175.45.177.74 name: http://t.co/z6Egn3JOSK.

RT @livein_china: 何度か書いたこと 北朝鮮に正式に割り当てられてるIP 175.45.176.0/22 の1,024個しか で、これが中国聯通のバックボーン ってるけど、これ以外に中国に割り るIPアドレスが朝鮮国内で....

Jan 2013 Jan

North Korea's Ruling Elite Are Not Isolated

Executive Summary

This is part two of our series on North Korea. In part one entitled “North Korea Is Not Crazy,” we revealed that North Korean cyber actors are not crazy or irrational: they just have a wider operational scope than most other intelligence services.

Here we enrich our analysis via our intelligence partner, Team Cymru, and conduct a comprehensive study revealing unique insights into how North Korean leadership and ruling elite use the internet and what that can tell us about their plans and intentions.

Our analysis demonstrates that the limited number of North Korean leaders and ruling elite with access to the internet are actively engaged in Western and popular social media, regularly read international news, use many of the same services such as video streaming and online gaming, and above all, are not disconnected from the world at large or the impact North Korea's actions have on the community of nations. Further, we have concluded that:

› Attempts to isolate North Korean elite and leadership from the international community are failing. In fact, their internet activity is in many ways not that different from most Westerners. › The data set reviewed suggests that general internet activity in North Korea may not provide early warning of a strategic military action, contrary to conventional hypotheses. If there is a correlation between North Korean activity and missile tests, it is not telegraphed by leadership and ruling elite internet behavior. › North Korea is not using territorial resources to conduct cyber operations and most North Korean state-sponsored activity is likely perpetrated from abroad, which presents an opportunity to apply asymmetric pressure on the Kim regime.

This analysis, together with part one of our blog series, demonstrates that there are likely other regime pressure points, and as a result, other tools, techniques, and partners that could be explored toward a path for North Korean denuclearization.

Background

South Korean media assesses that there may be as many as 4 million mobile devices in North Korea. So while mobile devices are widespread in North Korea, the vast majority of North Koreans do not have access to the internet. Mobile devices (see image of a North Korea-made device below) sold to ordinary North Koreans are enabled with minimal 3G services, including voice, text messaging, and picture/video messaging, and are restricted to operating only on North Korea's domestic provider network, Koryolink.

About phone Status Phone number, signal, etc. Model number Arirang Android version 4.2.2 (J0.01) Baseband version MOC-L9300.W1246.M3.MG.MP.V6.P6.BD 100.REL-2014/08/13 10:33 Kernel version 3.4.5 Arirang@arirang #1 Wed Aug 27 22:57:38 KST 2014 Build number Arirang V12.3.R0727.KOM.G06L.BP04.LATTEB8 T.BSC-REL.S.CARROM Build date 2014/8/27 Standard DPRK 3G

Recorded Future 2

North Korea's Ruling Elite Are Not Isolated

A small minority of users, such as university students, scientists, and select government officials, are allowed access to North Korea's domestic, state-run intranet via common-use computers at universities and internet cafes. Slate described the domestic intranet this way:

"The network, called Kwangmyong, currently connects libraries, universities, and government departments and is slowly making its way into homes of better-off citizens. It houses a number of domestic websites, an online learning system, and email. The sites themselves aren't much to get excited about: They belong to the national news service, universities, government IT service centers, and a handful of other official organizations. There's also apparently a cooking site with recipes for Korean dishes."

Computer lab at Kim Il Sung University. Source: Sophie Schmidt, https://sites.google.com/site/sophieinnorthkorea/

Among the select few with permission to use the country's intranet are an even slimmer group of the most senior leaders and ruling elite who are granted access to the worldwide internet directly. While there are no reliable numbers of North Korean internet users, reporters estimate anywhere from "only a very small number" to "the inner circle of North Korean leadership" to "just a few dozen families." Regardless of the exact number, the profile of a North Korean internet user is clear; trusted member or family member of the ruling class.

There are three primary ways North Korean elites access the internet.

› First is via their allocated .kp range, 175.45.176.0/22, which also hosts the nation's only internet-accessible websites. These include nine top-level domains (such as co.kp, gov.kp, and edu.kp) and approximately 25 subdomains for various North Korean state-run media, travel, and education-related sites (these sites do not always resolve).

Recorded Future 3

North Korea's Ruling Elite Are Not Isolated

Events for North Korean Subnet – 175.45.176.0/22

175.45.176.1 = North Korea off button.

DDoS attack on DNS including 175.45.176.8 - 175.45.176.9 - 175.45.176.10 seems to have knocked off North Korea off the Internet.

#opnorthkorea North Korean hosted target list: name: http://t.co/z6Egn3jOSK address: 175.45.177.74 name: http://t.co/z6Egn3jOSK.

RT @livein_china: 何度か書いたことあるけど、北朝鮮に正式に割り当てられてるIPアドレスは 175.45.176.0/22 の 1,024個しか無くて、で、これが中国聯通のバックボーンにぶら下がってるけど、これ以外に中国に割り当てられてるIPアドレスが朝鮮国内で....

Colors English Japanese Total references Event Marker Size 1 reference 102 references

Jan 2013 Jan 2014 Jan 2015 Jan 2016 Jan 2017 Jan 2018

Jul 19 2013 5 years Jul 19 2018 Recorded Future

Source: https://app.recordedfuture.com/live/sc/3mj7WHQ5PPvU

The second method is via a range assigned by China Netcom, 210.52.109.0/24. The netname "KPTC" is the abbreviation for Korea Posts and Telecommunications, Co, the state-run telecommunications company.

Events for North Korean Subnet – 210.52.109.0/24

INPUT -s 175.45.176.0/22 -j DROP INPUT -s 210.52.109.0/24 -j DROP Is that seriously all it takes to black hole North Korea?

Anyone bored enough to even bother, #NorthKorea is: 175.45.176.0 / 175.45.179.255 - with China back porch: 210.52.109.0 / 210.52.109.255.

到2014年为止，朝鲜只有175.45.176.0 - 175.45.179.255 1024个公网IP地址，还向广东联通租用了210.52.109.0 - 210.52.109.255 256个IP地址。

North Korea:210.52.109.0-210.52.109.255

The two IP addresses at the top of the C&C infrastructure were found to 210.52.109.22, assigned to China Netcom, but believed to have been assigned to North Korea at the time of the attacks.

Colors English Chinese (Simplified) Russian Arabic Total references Event Marker Size 1 reference 80 references

Jan 2013 Jan 2014 Jan 2015 Jan 2016 Jan 2017 Jan 2018

Jul 19 2013 5 years Jul 19 2018 Recorded Future

Source: https://app.recordedfuture.com/live/sc/5NjGxYtQWgiL

Recorded Future 4

North Korea's Ruling Elite Are Not Isolated

The third method is through an assigned range, 77.94.35.0/24, provided by a Russian satellite company, which currently resolves to SatGate in Lebanon.

Events for North Korean Subnet – 77.94.35.0/24

which is its external address from China Unicom and 77.94.35.0/24, which is assigned to North Korea by SatGate, a Russian satellite company.

North Korea also has two more blocks that are assigned to it, which means that another network has ultimate control over the addresses, but North Korea's computers are allowed to use them: 210.52.109.0/24 (block assigned to North Korea through China Unicom) and 77.94.35.0/24 (block assigned to North Korea by SatGate, a Russian Satellite company, and the only block of known North Korea IPs under the European RIPE Registry as opposed to APNIC, the registry for the Asian Pacific region)," continues niknetobserve in that post.

North Korea's other additional assigned network block at 77.94.35.0 - 77.94.35.255 does not currently appear to be used for hosting websites.

Antivirus scan for a3738c6b64ad52820a2c794cd2658d5db3ad9 2beef364ee0db66f337ce95f468

Colors Indicators and Observables List Location Corporate Organization Technology Person Other Total references Event Marker Size 1 reference 2 references

Jan 2013 Jan 2014 Jan 2015 Jan 2016 Jan 2017 Jan 2018

Jul 19 2013 5 years Jul 19 2018 Recorded Future

Source: https://app.recordedfuture.com/live/sc/4Rx8tsaRgYp3

Two important notes: One, from this point on when we refer to "North Korean internet activity" or "behavior," we are referring to use of the internet (not the North Korean domestic intranet Kwangmyong) by the select few leaders and ruling elite that are permitted access. This data does not give us any insight into intranet activity or behavior by the larger group of privileged North Koreans permitted access to Kwangmyong or diplomatic and foreign establishments that are located in North Korea.

Two, we chose this date range, April 1 through July 6, 2017, because it represented one of the periods of highest missile launching and testing activity, and also because it was the period of time during which the data had the greatest depth and fidelity. While we have data stretching back to January 1, 2017, that dataset (January 1 to March 31) is much less robust.

Analysis

In the early hours of April 1, 2017, as many in the West were just waking up, checking email and social media, a small group of North Korean elites began the day in much the same manner. Some checked the news on Xinhua or the People's Daily, others logged into their 163.com email accounts, while still others streamed Chinese-language videos on Youku and searched Baidu and Amazon.

Recorded Future's analysis of this limited-duration data set has given us new insight into this isolated country and ruling regime. Our analysis demonstrates that the limited number of North Korean leaders and ruling elite with access to the internet are much more active and engaged in the world, popular culture, international news, and with contemporary services and technologies than many outside North Korea had previously thought. North Korean leaders are not disconnected from the world and the consequences of their actions.

Recorded Future 5

North Korea's Ruling Elite Are Not Isolated

While this data source is not absolute, it gives us a detailed picture of North Korean internet use and activity during the April – July 2017 timeframe, and as a result, we are able to reach a number of unique new insights.

The data reveals that North Korea's leadership and ruling elite are plugged into modern internet society and are likely aware of the impact that their decisions regarding missile tests, suppression of their population, criminal activities, and more have on the international community. These decisions are not made in isolation nor are they ill-informed as many would believe.

Patterns of Use Mirror Western Users

North Korean elite and leadership internet activity is in many ways not that different from most Westerners, despite the extremely limited number of people who can access the internet; the relatively few numbers of both computers and IP space from which to reach it; the linguistic, cultural, social, and legal barriers; and sheer hostility to the rest of the world.

For example, similar to users in the developed world, North Koreans spend much of their time online checking social media accounts, searching the web, and browsing Amazon and Alibaba.

Facebook is the most widely used social networking site for North Koreans, despite reports that it, Twitter, YouTube, and a number of others were blocked by North Korean censors in April 2016.

Hourly Activity by Provider

0:00 1:00 2:00 3:00 4:00 5:00 6:00 7:00 8:00 9:00 10:00 11:00 12:00 13:00 14:00 15:00 16:00 17:00 18:00 19:00 20:00 21:00 22:00 23:00

facebook google baidu instagram alibaba amazon tencent apple

Hourly activity on eight social networking, shopping, and search sites for April 1 through July 6, 2017 (actual). Providers are listed by popularity, from Facebook (highest) to Apple (lowest).

Recorded Future 6

North Korea's Ruling Elite Are Not Isolated

Additionally, North Koreans have distinct patterns of daily usage over this period as well. On weekdays, times of highest activity are from approximately 9:00 AM through 8:00 or 9:00 PM, with Mondays and Tuesdays being the days of consistently highest activity.

Activity By Hour Per Day

0:00 1:00 2:00 3:00 4:00 5:00 6:00 7:00 8:00 9:00 10:00 11:00 12:00 13:00 14:00 15:00 16:00 17:00 18:00 19:00 20:00 21:00 22:00 23:00 Monday Tuesday Wednesday Thursday Friday Saturday Sunday

Daily internet usage by hour (not an average).

Not an Early Warning for Missile Activity

Many researchers and scholars have hypothesized that there may be a connection between North Korean cyber activity and missile launches or tests. In particular, that we may be able to forecast or anticipate a missile test based on North Korean cyber or internet activity. While we were not able to examine levels of North Korean malicious cyber activity, for this limited time period using this data set, there does not appear to be a correlation between North Korean internet activity at large and missile tests or launches.

Recorded Future 7

North Korea's Ruling Elite Are Not Isolated

Daily Activity

4/1/17 4/3/17 4/5/17 4/7/17 4/9/17 4/11/17 4/13/17 4/15/17 4/17/17 4/19/17 4/21/17 4/23/17 4/25/17 4/27/17 4/29/17 5/1/17 5/3/17 5/5/17 5/7/17 5/9/17 5/11/17 5/13/17 5/15/17 5/17/17 5/19/17 5/21/17 5/23/17 5/25/17 5/27/17 5/29/17 5/31/17 6/2/17 6/4/17 6/6/17 6/8/17 6/10/17 6/12/17 6/14/17 6/16/17 6/18/17 6/20/17 6/22/17 6/24/17 6/26/17 6/28/17 6/30/17 7/2/17 7/4/17 7/6/17

Caption: Daily actual internet activity for April 1 through July 6, 2017. Red bars are dates of North Korean missile tests or launches.

This current data set is too short a duration of time to apply any long-term conclusions about the utility of internet activity as a warning device for missile tests. However, our analysis does suggest that if there is a correlation between North Korean activity and missile tests, it is not telegraphed by leadership and ruling elite internet behavior.

Presence in Foreign Countries

The near absence of malicious cyber activity from the North Korean mainland from April to July 2017 likely indicates that, for the most part, they are not using territorial resources to conduct cyber operations and that most state-sponsored activity is perpetrated from abroad. This is a significant operational weakness which could be exploited to apply asymmetric pressure on the Kim regime, limit current North Korean cyber operational freedom and flexibility, and reduce the degree at which they are able to operate with impunity.

Recorded Future 8

North Korea's Ruling Elite Are Not Isolated

This data and analysis demonstrate that there are significant physical and virtual North Korean presences in several nations around the world — nations where North Koreans are possibly engaging in malicious cyber and criminal activities (as demonstrated in part one). These nations include India, Malaysia, New Zealand, Nepal, Kenya, Mozambique, and Indonesia.

Based on our analysis, we were able to determine the following:

› It is clear that North Korea has a broad physical and virtual presence in India. Characterized by the Indian Ministry of External Affairs as a relationship of "friendship, cooperation, and understanding," the data we analyzed supports the reports of increasingly close diplomatic and trade relationship between India and North Korea. › Patterns of activity suggest that North Korea may have students at least seven universities around the country and may be working with several research institutes and government departments. › Nearly one-fifth of all activity observed during this time period involved India.

North Korean embassy in India. Source: https://www.quora.com/How-are-the-relations-between-India-North-Korea

North Korea also has substantial and active presences in New Zealand, Malaysia, Nepal, Kenya, Mozambique, and Indonesia. Our source revealed not only above-average levels of activity to and from these nations, but to many local resources, news outlets, and governments, which was uncharacteristic of North Korean activity in other nations.

It has been widely reported that North Korea has a physical presence to conduct cyber operations in China, including co-owning a hotel in Shenyang with the Chinese from which North Korea conducted malicious cyber activity. Nearly ten percent of all activity observed during this timeframe involved China, not including the internet access points provided by Chinese telecommunications companies.

Our analysis finds that the profile of activity for China was different than the seven nations identified above, mainly because North Korean leadership users utilized so many Chinese services, such as Taobao, Aliyun, and Youku, which skewed the data. After accounting for use of Chinese internet services, which of course do not signify either physical or virtual presence in China, the pattern of activity to local Chinese resources, news outlets, and government departments mirrored the seven previously identified nations.

Recorded Future 9

North Korea's Ruling Elite Are Not Isolated

This Chinese example, where the distinct pattern of activity we discovered combined with the already known facilities for cyber operations, provides us with a model we can apply to the other seven nations.

Together with the fact that North Korea has a meaningful physical and virtual presence in several nations around the world, and our previous research in part one, it is highly likely that North Korea is conducting cyber operations from third-party countries. Therefore, an alternative avenue to explore would be whether malicious cyber activity from these nations correlates with missile launches or tests, as opposed to activity from territorial North Korea.

Note: We are not implying that the governments of these seven nations identified above (excluding China) are complicit with, supportive, or even knowledgeable of the North Korean presence in their country.

Poor Security Leads to New Intelligence

Less than one percent of North Korean internet activity during this period was obfuscated or protected in any way. Among the activity that met this criteria, tradecraft varied broadly from incorrect implementation of TLS/SSL, to utilizing nearly untraceable chains of multiple virtual private networks (VPN) and virtual private servers (VPS) to transfer large amounts of data.

As an example of incorrect implementation, one North Korean user went to the trouble of using Tor (The Onion Router) to obfuscate their activity but then proceeded to use torrent file sharing and exited the Tor network from the same node every day for over three months.

Of the users that employed obfuscation technologies, a wide range of VPN and VPS services and providers were utilized. Almost all VPN and VPS consumed by North Koreans are monthly subscriptions, likely managed by an individual or government department.

It is not clear how these services are purchased and many of the providers are large and well-known Western companies. These include Sharktech, iWeb, Digital Ocean, Linode, Leaseweb USA, Telemax, Touch VPN, and others.

Many VPN and VPS were used to obfuscate or facilitate browsing, either from passive internet monitoring or domestic censors.

One U.S. VPN was used by an iPad to check a Gmail account, access Google Cloud, check Facebook and MSN accounts, and view adult content. Other VPN and VPS were used to run Metasploit, make purchases using bitcoin, check Twitter, play video games, stream videos, post documents to Dropbox, and browse Amazon.

As a result of this generally poor obfuscation, this data afforded us insight into North Korean leadership and elite interests that we have never had before. For example, many users utilized VoIP services to talk and message others overseas; others still had AOL accounts and checked them regularly; some users frequented beauty and health sites; others purchased expensive sneakers online; many users investigated industrial hardware and technology optimization services; others used iPhones, iPads, and Blackberries to communicate.

Other users spent time every day researching cybersecurity companies and their research, including Kaspersky, McAfee, Qihoo360, and Symantec; and DDoS prevention companies and technologies such as DoSArrest and Sharktech. One user received training on the use of THURAYA and satellite communications equipment and others researched the physics and engineering departments at several Malaysian, U.S., and Canadian universities.

Recorded Future 10

North Korea's Ruling Elite Are Not Isolated

Gaming and content streaming accounted for sixty-five percent of all internet activity in North Korea. Broadly, users consume content mostly from the Chinese video hosting service Youku, iTunes, and various BitTorrent and peer-to-peer streaming services. For games, North Korean users seem to prefer games hosted by Valve and a massively multiplayer online game called World of Tanks.

Suspect Activity

While the majority of activity from North Korea during this timeframe was not malicious, there was a smaller, but significant, amount of activity that was highly suspect. One instance was the start of Bitcoin mining by users in North Korea on May 17.

According to the Bitcoin wiki, bitcoin mining is "the process of adding transaction records to Bitcoin's public ledger of past transactions (or block chain)." Bitcoin mining is difficult because it is a computationally complex task and can require up to 90% of a machine's power.

The benefit to using all of this energy and adding the transaction records to the blockchain is that each miner is awarded not only the fees paid by the users sending the transaction, but 25 bitcoins once they discover a new block.

Before that day, there had been virtually no activity to Bitcoin-related sites or nodes, or utilizing Bitcoin-specific ports or protocols. Beginning on May 17, that activity increased exponentially, from nothing to hundreds per day. The timing of this mining is important because it began very soon after the May WannaCry ransomware attacks, which the NSA has attributed to North Korea's intelligence service, the Reconnaissance General Bureau (RGB), as an attempt to raise funds for the Kim regime.

By this point (May 17) actors within the government would have realized that moving the bitcoin from the three WannaCry ransom accounts would be easy to track and ill-advised if they wished to retain deniability for the attack.

It is not clear who is running the North Korean bitcoin mining operations; however, given the relatively small number of computers in North Korea coupled with the limited IP space, it is not likely this computationally intensive activity is occurring outside of state control.

Additionally, during this time frame it appeared that some North Korean users were conducting research, or possibly even network reconnaissance, on a number of foreign laboratories and research centers.

In particular, activity targeting the Indian Space Research Organization's National Remote Sensing Centre, the Indian National Metallurgical Laboratory, and the Philippines Department of Science and Technology Advanced Science and Technology Research Institutes raised flags of suspicion, but we could not confirm malicious behavior.

Recorded Future 11

Impact

The international policy and engagement strategy toward North Korea has struggled to be impactful for decades because it has relied on the same set of tools (sanctions, increasing international isolation) and engaged the same nations (China, Russia, UN Security Council Permanent Five) as partners. This two-part series demonstrates that there are likely other pressure points on the regime and as a result, other tools, techniques, and partners that should be explored.

Team Cymru’s intelligence and Recorded Future’s analysis have revealed two separate realities.

First, in spite of the sanctions and massive international pressure, North Korea’s leaders are not isolated from the outside world. They are active and engaged participants in the contemporary internet society and economy; meaning that attempts to shut North Korean leadership off from the global economy have largely failed.

Second, new tools that do not focus on Pyongyang and territorial North Korea are needed to achieve a lasting negative impact on the current Kim regime. We have identified other nations with which the West could partner and alternate tools and techniques that could be utilized to apply asymmetric pressure on North Korea. Partnering with nations such as India, Malaysia, Indonesia, or others identified above, would enable the U.S. and other Western nations to circumvent uncooperative partners in China and Russia and exert pressure on the broad North Korean operational diaspora, which, because of the regime’s dependency, would likely impose larger real costs on leadership.

For cybersecurity professionals and network defenders, this two-part series reveals just how complex defending from North Korean malicious cyber activity can be. We continue to recommend that financial services firms and those supporting U.S. and South Korean military THAAD deployment as well as on-penninsula operations maintain the highest vigilance and awareness of the heightened threat environment to their networks and operations on the Korean peninsula.

Similarly, energy and media companies, particularly those located in or that support these sectors in South Korea, should be alert to a wide range of cyber activity from North Korea, including DDoS, destructive malware, and ransomware attacks. Broadly, organizations in all sectors should continue to be aware of the adaptability of ransomware and modify their cyber security strategies as the threat evolves.

About Recorded Future

Recorded Future delivers threat intelligence powered by machine learning, arming you to significantly lower risk. We enable you to connect the dots to rapidly reveal unknown threats before they impact your business, and empower you to respond to security alerts 10 times faster. Our patented technology automatically collects and analyzes intelligence from technical, open, and dark web sources to deliver radically more context than ever before, updates in real time so intelligence stays relevant, and packages information ready for human analysis or instant integration with your existing security systems.

Recorded Future, 363 Highland Avenue, Somerville, MA 02144 USA | © Recorded Future, Inc. All rights reserved. All trademarks remain property of their respective owners. | 07/17

Recorded Future @RecordedFuture | www.recordedfuture.com REQUEST A DEMO

NATIONAL SECURITY ARCHIVE

National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037, Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu