Most North Korean state-sponsored cyber activity is likely launched from outside the country, offering western governments an opportunity to put pressure on the Kim regime, according to new data from Recorded Future.
The threat intelligence company partnered with US non-profit Team Cymru to analyze data from April to July flowing through three key IP ranges.
These are: .kp range, 175.45.176.0/22, which hosts the nation’s only internet-accessible websites and nine TLDs; the China Netcom-assigned 210.52.109.0/24, used by the state-run Korea Posts and Telecommunications Co; and 77.94.35.0/24, provided by a Russian satellite company which currently resolves to SatGate in Lebanon.
The study found virtually no sign of malicious activity coming from the mainland during the period, leaving researchers to deduce that the country launches such attacks from countries North Korea has a significant physical and virtual presence in, specifically: India, Malaysia, New Zealand, Nepal, Kenya, Mozambique, and Indonesia.
Nearly one-fifth of North Korean internet activity during the report period involved India, and this data also suggests the nation may have students in at least seven Indian universities, and could be working with several research institutes and government departments.
The report continued:
“North Korea also has substantial and active presences in New Zealand, Malaysia, Nepal, Kenya, Mozambique, and Indonesia. Our source revealed not only above-average levels of activity to and from these nations, but to many local resources, news outlets, and governments, which was uncharacteristic of North Korean activity in other nations.”
China is a nation often accused of harboring North Korean spies and providing a base from which to launch global cyber-attacks like WannaCry.
Not including the internet access points provided by Chinese telecommunications companies, the report found 10% of all North Korean internet activity over the period involved its larger neighbor.
The report claimed:
“Together with the fact that North Korea has a meaningful physical and virtual presence in several nations around the world, and our previous research in part one, it is highly likely that North Korea is conducting cyber operations from third-party countries. Therefore, an alternative avenue to explore would be whether malicious cyber activity from these nations correlates with missile launches or tests, as opposed to activity from territorial North Korea.”
However, despite the vast majority of North Korean traffic judged to be non-malicious, there was a small amount of suspect activity, the report found.
For example, it revealed a flurry of Bitcoin mining activity on 17 May, soon after the WannaCry attacks which have been blamed on the autocratic state.
The data also picked up signs of possible reconnaissance work on foreign laboratories and research centers such as the Indian Space Research Organization’s National Remote Sensing Centre, the Indian National Metallurgical Laboratory, and the Philippines Department of Science and Technology Advanced Science and Technology Research Institutes.
Recorded Future recommended that any financial services and other firms supporting US/South Korean military THAAD deployments and on-peninsula operations “maintain the highest vigilance and awareness of the heightened threat environment to their networks and operations” in the region.
It added:
“Similarly, energy and media companies, particularly those located in or that support these sectors in South Korea, should be alert to a wide range of cyber activity from North Korea, including DDoS, destructive malware, and ransomware attacks. Broadly, organizations in all sectors should continue to be aware of the adaptability of ransomware and modify their cyber security strategies as the threat evolves.”
The report’s wider findings indicated that the country’s elite, which may number just scores of people, uses the unfettered internet regularly to keep up on international affairs, monitor social networks and browse online stores like Taobao – mirroring activity in the West.
However, less than 1% of activity was obfuscated by VPNs and the like.