Cyber threat analysis from Recorded Future’s Insikt Group shows how North Korea’s ruling elite is changing its Internet behaviour.
This is the third report from the Insikt Group looking at North Korea. A year ago it reported that: “We discovered that North Korea’s ruling elite were plugged into contemporary internet society, were technologically savvy, and had patterns of internet use that were very similar to users in the West.”
Given the sophistication that this group of users was displaying, why the sudden shift? More importantly, where have they gone?
These two questions are simply answered: China and the Dark Web. This makes sense. Western social media companies are under pressure and intense scrutiny at the moment. Fake ads, fake stories, fake accounts and attempts to influence elections have caused this. Ironically this is not North Korea’s doing but that of Russia. However, it has driven a change of behaviour by this group of users.
The move to China-based social media raises eyebrows. These are strictly controlled environments where access to a lot of the Internet is restricted. The main sites that are being used are Alibaba, Tencent and Baidu. To get around restrictions the reports says the group has: “adopted Virtual Private Networks (VPN), Virtual Private Servers (VPS), Transport Layer Security (TLS), and The Onion Router (Tor).”
Insikt Group also unmasked other activities. This included expanding their cryptocurrency mining operations. As Bitcoin became more volatile and attracted increasing amounts of attention, Monero was added to the mining operations. North Korea also started to run revenue-generating businesses in Thailand and Bangladesh. This is on top of the eight nations previously named by the research team.
What are the North Korea elite accessing?
It seems that use of the Internet by North Korea’s elite is, in broad terms, the same as users everywhere. It consists of:
- 70% – Internet video or online gaming
- 17% – web browsing, email and data downloads
- 13% – VPN use or obfuscated through other means such as the TOR browser
While there is consistency in the same broad areas of access, there has been a significant shift in the use of social media. Facebook and Instagram usage has diminished almost to the point of disappearing. Alibaba and Tencent are now the two leading sites with over 60% of usage going to them.
The Insikt Group posit that there are three possible reasons for this change:
- Increasing foreign research into and attention to North Korean’s media consumption
- New enforcement of the official ban on Western social media
- Increased operational security by North Korean elite
Cyber operations expected to generate foreign currency
Much of the attention on North Korea’s foreign currency programmes has been focused on cyber attacks. The use of malware, specifically ransomware and crypto hijacking, is believed to have generated large sums for the regime. They are not the only ways in which it earns money.
Security vendors and intelligence agencies often point the finger at North Korea for hacks. This is generally based on where attacks originated. However, it seems that North Korea has an active cyber operations programme outside of the country. Hackers are sent out to other countries where they are expected to craft and execute attacks. These attacks are aimed at generating revenue.
Many of these are based on counterfeiting and using online games. The hackers create copies of games which are sold cheaply on the Internet. Those buying them know that they are rip-offs but few realise that they are sending funds that will end up in North Korea. Hackers have a target of $100,000 per year with 80% being sent back home.
Another goal of these external groups is to setup torrent services that provide content for consumption in North Korea. This spans media and gaming.
Cryptocurrency mining and theft
The anonymous nature of cryptocurrency has made it attractive to numerous groups and individuals. North Korea has been an active miner of Bitcoin for some time. However, as the power and processing requirements have become more expensive it has turned to other currencies, specifically Monero. It is believed to be behind several of the crypto-jacking attacks that have taken place over the last year. These attacks hijack computers and use them to mine cryptocurrencies.
Despite popular belief it is possible to track Bitcoin usage and movement. However, Monero is very different. It is believed to be impossible to effectively track. In addition, the technology requirements to mine Monero are much lower than those of other currencies. For a country where computer resources are limited this is good news. It also means that it can build bigger botnets that harness a wider range of devices when carrying out crypto-jacking attacks.
There is also an increasing belief that North Korea is behind several of the attacks on crypto exchanges. Several of the high profile attacks have been against exchanges in Asia. Recorded Future is one of several vendors who has blamed North Korea for these attacks.
What does this mean
Despite its isolation North Korea has a highly developed cyber operations programme. That operation is believe to generate between $500m and $1 billion in revenue for the country. It has dispersed its hackers around the world and runs effective money and intelligence gathering networks.
What is important about this report is the change of behaviour that has been seen. The use of three different access points to the Internet mean that it has been possible to track a lot of behaviour. The use of Western social media and gaming sites has also been well documented.
However, the sophisticated elite is now changing its behaviour. Part of that is down to greater attention being paid to the services it uses. It is also aware that scrutiny of its activities has increased. Part of the goal of the increased scrutiny is to reduce the regime’s access to foreign exchange and crypto currencies. This has caused a migration to China-based social media and increased the use of VPNs and other obfuscating technologies.
The question is whether this change to the way North Korea uses the Internet will hamper the ability of Western nations to contain its cyber operations.
