Internet usage is changing among the elites of Pyongyang, North Korea – with those in military intelligence circles now exhibiting stronger security chops, as well as using the internet as a tool to boost skills, and drive revenue through cyber attacks and online fraud.

That is according to Recorded Future, the open source intelligence group initially backed by the CIA's startup fund and Google, and which recently was sold to private equity firm Insight Partners for $780 million.

Getty Images / Photo: Narvikk
Getty Images / Photo: Narvikk

The open-source intelligence (OSINT) firm first began monitoring the few who were trusted with global internet access in the DPRK – the official title for the divided country above the 38th parallel, as drawn up by American military forces – back in 2017. However, at that time much of the network traffic revolved around consumer applications such as streaming, playing video games, and searching for products to buy online. This latest report suggests a strong shift towards the internet being perceived as a utility and a tool for revenue generation.

The DPRK has recovered somewhat from the era of famine often associated with the country and its leadership has been keen to stress the benefits of science, technology, research and development.

The republic now also views the internet as a tool for skills acquisition around energy and weaponry. Recorded Future notes that North Koreans are using the internet for cyber attack operations, paying particular attention to bank theft, cryptocurrencies, and low-level financial crime – and legitimate freelance IT work.

Additionally, leaders in the country are now accessing the internet more frequently during working hours and on working days than at the time of the first report in 2017, suggesting that the global internet has become more a part of everyday life for those users.

Nonetheless, this is still an extremely small group. "Very few North Koreans, the 0.1 percent of North Korean society, the very most senior military intelligence leaders and their families – they're the only ones allowed to access the global internet," Priscilla Moriuchi, director of strategic threat development at Recorded Future tells Techworld in a recent phone discussion.

"I think estimates are from 50 to 200 people who can access the global internet on a regular basis. North Korea at this point also only has two access points to the global internet, and a relatively small IP footprint, so those are things that we can relatively easily keep track of, to and from North Korean IP estates."

In its latest report on the country, released February 2020, the firm outlined the typical access route of trusted members of North Korean society that accessed the global internet, but noted that this does not cover the country's more widely used domestic intranet, Kwangmyong.

The major access routes to the web are:

  • The allocated .kp range, found at 175.45.176.0/22, where the country's globally accessible websites are hosted – with top-level domains including co.kp, gov.kp, and edu.kp, as well as a series of 25 subdomains for media, travel, and education websites.
  • The second is through a range assigned by China Netcom, at 210.52.109.0/24.
  • The third is through what Recorded Future claims is a Russian satellite company resolving to SatGate in Lebanon, through the range 77.94.35.0/24.

Since Recorded Future's 2017 report the organisation recorded a 300 percent spike in online activity from the country with the global internet, which it attributes to an increase in bandwidth and capacity, routing more of its traffic from China Unicom to infrastructure provided by Russia's TransTelekom.

It's also started using previously unresolved IP space, the firm said, with some IP addresses now being used for SMTP for email and FTP services for file transfer.

Recorded Future puts these changes down to a "response to increased demand from North Korean users both at home and abroad" – for example, that setting up an internet accessible mail server indicates a desire for users to access their email remotely.

Better opsec

More recently, the operational security of these leaders has also undergone a shift, from practically nothing – foregoing enabling HTTPS, for example – to the now "widespread" use of VPN technologies, SSL, and Tor, according to Moriuchi.

"They've designed their own VPN using DNS tunnelling for example," says Moriuchi, "so we see a completely different usage fingerprint today than we did three years ago."

Moriuchi believes that the greater attention focused on the leadership of Kim Jong Un and North Korea's place on the international stage in recent years also opened the country up to greater scrutiny online, leading to more robust security measures.

But another reason is internet trends in general. She adds: "Over the past three years I think most internet users have become more savvy and understand more about the pitfalls and the security issues that come with using the internet – so again, because for the most part some of these senior North Koreans perform a lot of the same activities that we do online every day, they also have increased their security."

Much of the country's critical infrastructure (and weaponry) will be pre-'legacy' IT and thus disconnected from the internet, and so is potentially more secure against interference from outside the country.

However, ironically, the network traffic from the monitored senior figures tends to originate from technology that's typical of usage in the west – iPhones, Samsung devices, Microsoft Windows operating systems, and Apple Macs, thus potentially opening them up to closer observance.

A potential route around relying on proprietary American technology (and so technology that may be subject to US espionage laws) is in open source, however, Moriuchi says that she has not observed much of this. That might be a marked difference to the domestic consumer technology market, however, as it has been known for some time that the DPRK has its own Linux distro and more recently, it is thought that most domestic smartphone consumers are using a modified form of Android.

On the revenue-generation front, Recorded Future says that its research has led it to believe the DPRK focuses on:

- Banking operations, for example, attacks on the SWIFT network

These, Recorded Future says, are well-researched and well-executed – in the case of SWIFT with attackers likely spending anywhere from between nine to 18 months inside a target network, to conduct reconnaissance, move laterally, escalating privileges, and disabling security procedures.

- Cryptocurrencies

As of late 2019, says the firm, small-scale Bitcoin mining had still been observed but is most likely limited to a few machines. But, Monero mining activity spiked tenfold from 2018 into May 2019 – this is proxied through one IP address which the company thinks hosts "several" machines behind it. Monero may be a more alluring option for the country, as it is closer to being fully anonymous, as opposed to Bitcoin, which isn't completely anonymous. More cryptojacking attempts have been alleged to originate from the country, too.

- Low-level IT work and financial crime

This covers operations like counterfeiting video games and scamming users of video games. Record Future's research here is based on defector interviews, one of whom claimed that they and others had been forced to work from a house in China to reach a yearly salary of $100,000 a year, and turned to online scams to achieve this. Another route around sanctions and generating cash, says the group, is in insurance fraud.

But the firm also mentioned a Wall Street Journal article that claimed that some North Koreans had been using gig economy platforms like UpWork and Freelancer to perform legitimate work from the sites' global userbase, commissioned by unsuspecting users.