A new report offers fascinating insight into Internet activity from North Korea, suggesting that average North Koreans and the upper echelons of the Workers’ Party and military aren’t nearly as cut off as commonly portrayed. However, no definitive conclusions can be drawn from the report about the source, frequency and range of this access because it doesn’t provide hard numbers for many of its conclusions and the raw data isn’t available. That is unfortunate because the findings are counter-intuitive to what we have assumed about North Korean online behavior. Opening the data to peer review may help us better understand the nature and scale of this activity and, if confirmed, could change the way the world deals with North Korea.
The report was published in July by the Insikt Group, the research arm of Massachusetts-based Recorded Future. The company utilizes machine learning to deliver online security threat intelligence to businesses. The basis for the report was Internet traffic captured outside of North Korea by Team Cymru, a computer security-focused non-profit that acts as Insikt’s “intelligence partner.”
In the report, researcher Priscilla Moriuchi, the director of strategic threat development at Recorded Future and a 12-year veteran of the US intelligence community, writes that users in North Korea spend much of their time online checking social media. Facebook was the most often accessed site with Google, Baidu and Instagram all attracting significant numbers of views. Alibaba, Amazon, Tencent and Apple rounded out the top eight social networking sites over the period of the data, which spanned April 1 to July 6 this year.
Just on April 1, for example, the report notes users accessed 163.com email accounts, streamed Chinese-language video from Youku and checked news on Xinhua and People’s Daily.
Team Cymru was vague about how it captured the data and exactly what it consisted of, but it has previously said it works with “data donors and sources.” It also declined to provide a copy of the North Korean data without subscription to its commercial service. But the report did provide details of how it decided what was “North Korean” traffic and it comes down to three blocks of Internet addresses.
- The first was a block of 1,024 Internet addresses from 220.127.116.11 to 18.104.22.168. Those are addresses allocated to Star JV, North Korea’s sole Internet provider. All of the country’s websites sit within this range and it’s also used by the Koryolink 3G service for Internet access offered to resident foreigners and tourists.
- The second was a smaller block of 256 addresses from 22.214.171.124 to 126.96.36.199. These are Chinese addresses but have been allocated to North Korea’s state-run telecom provider through China Netcom since before Star JV existed. North Korean websites sat in these addresses about 15 years ago.
- The third group was another 256 addresses from 188.8.131.52 to 184.108.40.206. These are allocated to SatNet, a Russian satellite Internet provider and are currently registered as being used in Lebanon. In the past, these were registered as being used by North Korea, but information in the Internet address registration database isn’t verified so it’s unproven whether these were or are legitimate North Korean addresses.
Moriuchi feels sure the SatNet addresses were in use by North Korea during the time the data was collected and points to the similarity in access patterns between the SatNet addresses and the Star JV addresses; she didn’t see any traffic targeted at Lebanese websites, as might be expected. Again, the baseline data wasn’t available to illustrate or support that assertion. Moriuchi told me, however, that the SatNet traffic made up about 40 percent of the data with just 1 percent coming from the China Netcom block. The rest came from the North Korean IP range and that, if taken alone, would still support the general findings of the report.
Among Moriuchi’s research, she found a larger-than-expected amount of traffic from North Korea to India, Malaysia, New Zealand, Nepal, Kenya and Mozambique. She said the amount of access was higher than would typically be expected and directed at sites such as a local news outlets and governments—the kind of sites only someone living there or with a link to the country might access.
In fact, one fifth of all activity observed in the data involved India—a surprising amount. According to the report, the traffic suggests North Korea has students at least seven universities and might be working with several research institutions in the country.
Of the countries mentioned, Malaysia and Indonesia also maintain diplomatic missions in North Korea, although Malaysia brought diplomats home as relations with Pyongyang broke down in the wake of the murder of Kim Jong Nam in Kuala Lumpur.
Perhaps most intriguingly, on May 17, Bitcoin mining traffic was observed. There had been none since the beginning of April but it suddenly spiked. The report notes the close timing with the release of the “WannaCry” malware that hit computers between May 12 and 15. WannaCry demanded a ransom in Bitcoin and was linked to North Korea by computer security companies.
The report also noted the use of at least seven different western VPN (virtual private network) services in traffic among the data. Such services require a credit card subscription, which isn’t impossible for a North Korean to arrange through overseas contacts, but again raises the question of who is behind the traffic.
The report notes, “one VPN was used by an iPad to check a Gmail account, access Google Cloud, check Facebook and MSN accounts, and view adult content. Other VPN and VPS (virtual private server) were used to run Metasploit (security software), make purchases using Bitcoin, check Twitter, play video games, stream videos, post documents to Dropbox, and browse Amazon.”
An important caveat to many of the findings in the report is that it’s unclear how many people were covered and who they are. The report refers to those with Internet access as a “limited number,” but it didn’t acknowledge that several hundred foreigners might be present in Pyongyang at any one time, accessing the Internet and connecting to overseas sites. For them, using VPNs, accessing Facebook and Google and checking 163.com email accounts would be expected.
Moriuchi later told me she did see traffic that appeared to be foreign residents but it was just a small sliver of the overall data. But it’s impossible to know how much because the report doesn’t provide those numbers and Moriuchi wouldn’t disclose them.
Take the Indian traffic, for example. From the data provider, it’s impossible to determine whether the increased activity to India is just bored diplomats at India’s embassy Pyongyang. We also don’t know the amount of data analyzed, the number of websites accessed or even an estimate as to the number of Internet users in Pyongyang.
In a phone conversation, Moriuchi told me the traffic collected represented a significant number of records—it wasn’t just a handful of web sessions each day—but wouldn’t put numbers on it. When I asked her what it might compare to, she said it was about what you might expect from a medium-sized company—which is about 50 to 250 people according to most definitions.
Just like almost everywhere else, Facebook is king for the people inside North Korea that have Internet access, and they also spend a fair amount of time on Google, Baidu and other major sites. If the traffic is really coming from North Koreans rather than resident or visiting foreigners, then they really are very much like us—more than we ever imagined.
However, while the report adds insight into the largely opaque area of access to the Internet from inside North Korea, it’s far from clear exactly what was captured and whether all of it was really from North Koreans.
I’ve spoken to several North Korea and Internet experts about the report and they all draw the same conclusion: that something is not quite right with the numbers. Perhaps a lot more of it is from foreigners than estimated or perhaps there’s an unknown Internet connection that wasn’t taken into account.
Or, perhaps we are all wrong and North Koreans really are going online and checking Amazon and Alibaba. Without more information, it’s impossible to know and that’s unfortunate because of the surprising nature of some of the findings.
Moriuchi says she’s sure about the results reached from the data set—the sites accessed, the traffic patterns, the activity—and I’m sure that’s true. Nonetheless, I’d love to do a deeper dive into the data to gain much greater granularity and insight into some of its conclusions.
To hear more, Moriuchi just appeared on Recorded Future’s podcast to discuss the findings: https://www.recordedfuture.com/podcast-episode-18/.