By Vladimir Kropotov, Philippe Z Lin, Fyodor Yarochkin and Feike Hacquebord
North Korea’s presence on the internet is commonly perceived as something that only goes one way: hackers go out, nothing gets in. Incidents like the Sony Pictures hack in 2014 and a couple of global bank heists were reported to be the work of North Korean threat actors. Part of publicly available evidence relies on internet communications that were set up from a North Korean IP address. The internet is thought to be tightly controlled in the country, which could make one think that systems within such a network can’t be compromised. How could spam bots controlled by foreign criminal actors be active in North Korea for over a year? Is it also possible for ordinary malware to infect computers in North Korea? Is the entire IP space assigned to North Korea being used in the country itself? What are the implications of the answers to these questions on the attribution of attacks allegedly done by North Korean actors?
This blog post summarizes our findings from studying internet traffic going in and out of North Korea. It reviews its small IP space of 1024 routable IP addresses. North Korea uses infrastructure abroad too. We learned that some IP space registered for use in North Korea is actually being used by Virtual Private Network (VPN) providers that apparently want to trick Geo IP services into tagging foreign internet infrastructure as North Korean.
We will cover spam waves that originate in part from spambots in the country, DDoS attacks against North Korean websites and their relation to real-world events, as well as recurring watering hole attacks on North Korean websites. Just like in our earlier blog post on targeted attacks previously reported to have originated from North Korea, we aim to demystify some common beliefs.
Internet in North Korea
The North Korean internet space consists of four class C IP ranges (1,024 IP addresses in total) connected to the internet via an upstream provider in China. Since October 1, 2017, a Russian company provides a second route to the same IP range. For historical reasons, North Korea is using one additional class C IP range (256 IP addresses) assigned to China Unicom Telecommunication Company. Access to the internet via satellite is also possible in the country. Several providers offer coverage, but we don’t know who exactly is allowed to use satellite internet.
Several IP ranges are seemingly being used in North Korea if you would believe Geo IP location services and IP address information sourced from Whois registration data.
|IP Network||Number of IP||Whois Country||GeoIP||Real Country||Note|
|18.104.22.168/22||1,024||North Korea||North Korea||North Korea||Allocated for Star Joint Venture Co., Ltd. in Pyongyang|
|22.214.171.124/24||256||China||China||China||Borrowed from China Unicom|
|126.96.36.199/30||4||North Korea||North Korea||Czech Republic||“PoP North Korea” – used by VPN service HMA|
|188.8.131.52/30||4||North Korea||Mongolia||Czech Republic||“PoP North Korea” – used by VPN service HMA|
|184.108.40.206/24||256||North Korea||North Korea||N/A||Manpo ISP (Roya hosting)|
|220.127.116.11||1||North Korea||North Korea||Netherlands||VPN service “IAPS Security Services”|
|18.104.22.168/30||4||North Korea||North Korea||Netherlands||VPN service “IAPS Security Services”|
|22.214.171.124/19||8192||North Korea||North Korea||N/A||SITA-Orange|
|126.96.36.199/24||256||North Korea||Russia||Russia||LLC “Golden Internet”|
|188.8.131.52/25||128||North Korea||North Korea||USA||“North Korea Cloud” – used by VPN service HMA|
|184.108.40.206/28||16||North Korea||North Korea||Luxembourg||VPN service VPNFacile|
Table 1. IP ranges associated with North Korea
Some Virtual Private Network (VPN) providers claim to have exit nodes in North Korea (example 1, example 2). This would mean that customers of these VPN servers could choose to browse via a North Korean exit node. This looks like a rather curious opportunity for adventurous users to experience the internet from a North Korean perspective. However, to our knowledge, the VPN providers’ claims are not true. The “North Korean” exit nodes are actually physically located in Western countries like Luxembourg, the Czech Republic, and the US. The VPN providers make Geo IP services believe that they have a computer server in North Korea, possibly by inserting the country code of North Korea in public Whois data of certain IP address ranges. Though the VPN services might have thought of it as an innocent marketing stunt, a system administrator who depends on Geo IP services might arrive at a wrong conclusion while reviewing log files of an attack that has affected his systems.
Figure 1. HMA VPN service says it has an exit node in North Korea, but in reality the exit node is in Czech Republic.
As external observers, we have little knowledge of how a typical North Korean resident uses the internet. According to previous studies, a minority of its citizens are allowed to use Kwangmyong, which is a nation-wide intranet only available in North Korea. This allows them to use on-demand video, read online books, and take online courses of the Kim Chaek University of Technology using mobile phones with a data plan provided by Koryolink, a major service provider in the country, offering a mobile connection with a data plan to citizens as well as to foreigners. Since 2016, the price is 2,850 KPW (around 23 USD at official rate) for domestic subscribers. Several people also use Kwangmyong at school and in administrations. For users that are allowed to browse the internet, traffic goes through a nation-wide proxy (the internal proxy IP is 10.76.1.11) that is hardcoded in the default web browser Naenara of Red Star OS. According to a talk delivered at the 31st Chaos Communication Congress, however, people were also running Windows XP on laptops imported from China.
International Visitors using North Korean Internet
Before January 2013, all international visitors to North Korea had to surrender their mobile phones. The rules were later changed to allow visitors to hold on to their mobile phones and tablets while in the country.
The price of internet access has varied over time and was not so affordable until 2016. The price for mobile internet access for international visitors in 2013 went as high as 75€ for activation and 10€ per month for 50MB of data, according to tourist travel notes. Since 2016, the price for foreigners was reduced to 2.15 USD for installation, plus $3.23 per month with a 1GB data plan. A USB modem for laptops starts at 150€.
To our knowledge, foreign internet users are allowed to visit popular social networking websites such as VK, Facebook, Instagram, Google+, as well as other international sites from their laptops and mobile devices. Posting on social media from inside North Korea was still considered novel in 2013. Associated Press photographer David Guttenfelder published pictures on Instagram, and journalist Jean H. Lee posted a tweet from Pyongyang when she worked for Associated Press.
Figure 2: Social Media post using North Korean internet
It shows that North Korea’s internet has opened up a bit, at least to foreigners visiting the country. Internet traffic of tourists and long-term residential foreigners is NAT’ed over external IP addresses. We have seen web traffic coming from the following IP addresses:
North Korean Public Websites
There are a number of public websites hosted in the country. We used data from Trend Micro’s Smart Protection Network (SPN) to plot the number of visits to North Korean websites in the table below. A website about Korean food recipes is fairly popular. The website of the Korean Central News Agency (KCNA) is the most popular site and provides international news in six languages. Naenara (“Our Country”) is a multi-lingual web portal, and the name of the default web browser in the North Korean operating system “Red Star OS”. Voice of Korea, an international broadcasting service, provides Korean language lectures and touristic information online. The national airline Air Koryo has a website too. While some of these websites use dedicated hosting, others are hosted on a shared IP address 175[.]45[.]176[.]81. It is no surprise that DDoS attacks often target these servers.
Figure 3. Naenara, a multi-lingual web portal of North Korea
Some North Korean websites are hosted in other countries. KCNA has a Japanese version, whose access is restricted to Japanese internet users. This website provides content for the service known as the Korea News Service (KNS). KNS also provides a photo service selling premium pictures from North Korea and elsewhere at a price between 6,000 – 45,000 JPY (54 – 400 USD). The Uri minzokkiri (“Our Nation”) website is hosted in China and is a propaganda site that translates select news articles into six foreign languages. Although one of North Korea’s major accounts on YouTube was terminated in 2016, there is still a YouTube channel (KCTV, Korea Central TV) with official video clips.
The chart below ranks the websites in North Korea, according to their popularity. Blue bars refer to dedicated web servers; orange bars refer to websites hosted on shared servers.
Figure 4. Popularity chart of websites in North Korea as of July 2017. Source: Trend Micro’s Smart Protection Network.
Spambots in North Korea
North Korea has a number of mail servers that send out emails (see table 2). To our knowledge, government organizations and ministries do not use gov.kp email addresses. Instead, they have their email hosted by internet service providers like star-co.net.kp and silibank.net.kp. For example, the Copyright Office of the Democratic People’s Republic of Korea uses email address firstname.lastname@example.org, the General Department of Atomic Energy uses email@example.com, the National Tourism Administration uses firstname.lastname@example.org, and visa requirements may be handled by the Korean Taekwon-Do Committee at email@example.com. Foreign embassies, tourist agencies, banks and foreign establishments that need to communicate across the border either use their own servers or public email services such as Gmail and Hotmail. Mail sent from 220.127.116.11 and 18.104.22.168 are usually legitimate. Email from other North Korean IP addresses are more likely to be gray or malicious.
|star.net.kp||smtp.star.net.kp||22.214.171.124 / 126.96.36.199|
Table 2. Mail servers in North Korea
We have detected several spam campaigns involving relatively small amounts of spam coming out of North Korea, even when internet access is strictly regulated for its citizens. Data from Trend Micro’s Smart Protection Network (SPN) shows that spam campaigns originating from the North Korean IP range are part of unsolicited email campaigns sent by larger spam botnets. This shows that computers connected to the internet in North Korea are susceptible to malware and botnet infections, just like in any other country. There are computers in the country that communicate with Command and Control (C&C) servers of actors that most likely operate from overseas. This also means that massive port scans or hack attempts originating from North Korean IP space could be the work of actors located elsewhere.
The table below lists spam emails sent from the North Korean IP space. From August to December 2016, IP address 188.8.131.52 participated in a massive spam campaign, being one of the 80,000 unique spam-sending nodes worldwide. The campaign distributed JS_NEMUCOD, which is a downloader that distributes ransomware such as Locky and possibly other malware, as an attachment. We also saw common spam mail, such as those connected to pharmaceuticals and dating.
|Date||Sender IP address||Email Subject||Type||Source|
|2016-08-23||184.108.40.206||Audit Report||Ransomware Downloader||spam bot network|
|2016-08-24||220.127.116.11||Cancellation||Ransomware Downloader||spam bot network|
|2016-08-25||18.104.22.168||Contract||Ransomware Downloader||spam bot network|
|2016-08-26||22.214.171.124||office equipment||Ransomware Downloader||spam bot network|
|2016-08-27||126.96.36.199||monthly report||Ransomware Downloader||spam bot network|
|2016-08-30||188.8.131.52||mortgage documents||Ransomware Downloader||spam bot network|
|2016-08-31||184.108.40.206||paycheck||Ransomware Downloader||spam bot network|
|2016-09-14||220.127.116.11||Account report||Ransomware Downloader||spam bot network|
|2016-09-22||18.104.22.168||Payment approved||Ransomware Downloader||spam bot network|
|2016-09-30||22.214.171.124||Transaction details||Ransomware Downloader||spam bot network|
|2016-10-05||126.96.36.199||Pleasure is what you need||Erectile med spam||spam bot network|
|2016-10-06||188.8.131.52||Always good loving attack||Erectile med spam||spam bot network|
|2016-10-11||184.108.40.206||Achieve tips to intensify your intimate life||Erectile med spam||spam bot network|
|2016-10-12||220.127.116.11||Increase your loving life||Erectile med spam||spam bot network|
|2016-10-26||18.104.22.168||Scrivimi me||Erectile med spam||spam bot network|
|2016-10-27||22.214.171.124||Come stai?||Erectile med spam||spam bot network|
|2016-11-22||126.96.36.199||Please Note||Ransomware Downloader||spam bot network|
|2016-11-23||188.8.131.52||Please note||Ransomware Downloader||spam bot network|
|2016-12-13||184.108.40.206||Payment Confirmation||Ransomware Downloader||spam bot network|
|2017-02-07||220.127.116.11||You received a new eFax from 516-9515481||Ransomware Downloader||spam bot network|
|2017-03-03||18.104.22.168||Keep your girl happy every night||Erectile med spam||spam bot network|
|2017-06-13||22.214.171.124||Here’s why this company’s shares are about to go up tenfold next week.||Stocks spam||spam bot network|
|2017-06-16||126.96.36.199||You can make more than ten times your principle with just this 1 stock||Stocks spam||spam bot network|
|2017-06-20||188.8.131.52||This company just found a huge cure and no one knows about it yet!||Stocks spam||spam bot network|
|2017-06-21||184.108.40.206||Here’s an idea that could make you a small fortune…||Stocks spam||spam bot network|
|2017-07-03||220.127.116.11||Hi||Dating spam||spam bot network|
|2017-09-10||18.104.22.168||Oh, I forgot…, Best for treating EDFix||Med spam||spam bot network|
|2017-09-14||22.214.171.124||Copy of Invoice 561878||Ransomware Downloader||spam bot network|
|2017-09-22||126.96.36.199||Your Invoice # 177122||Ransomware Downloader||spam bot network|
Table 3. Examples of spam emails sent from North Korea. This list is not exhaustive.
Malware Hosted on North Korean Servers
North Korean websites are a frequent target of watering hole attacks. For instance, the KCNA web portal and some other public-facing sites have been periodically used to serve malicious content to its visitors. We observed one such incident in 2015 that involved a website used by an unknown actor to deliver PE_WINDEX.A-O, a fake flash player that drops a main infector. Two years later, a similar payload (PE_WINDEX.A) was found on a USB flash drive that preloads IBM’s Storwize Initialization Tool. In May 2017, the KCNA Japan branch and the General Association of Korean Residents in Japan (Chongryon) was observed hosting an embedded VB script with a browser exploit code targeting the CVE-2016-0189 vulnerability and downloading a malicious payload. As of this time, we don’t know whether these websites were compromised or actually used to host malware.
Figure 5: Japanese KCNA website
Figure 5. Korean Central News Agency hosted an exploit kit.
Observations from Honeypot Systems
We have observed attack traffic related to North Korean IP segments from our honeypots, such as 188.8.131.52, a shared host that serves multiple public North Korean websites, being frequently targeted with Distributed Denial of Service (DDoS) attacks. A number of services on our honeypot network were scanned and hit by frequent attempts for DDoS amplification. This gives us some visibility on attacks originating from and targeting North Korean IP space. For example, spikes in UDP (SSDP, NTP) traffic with a spoofed source IP of 184.108.40.206 indicates that someone is performing a Denial of Service (DoS) attack against that IP address. We have also observed TCP SYN flood attacks against North Korean IP addresses. Interestingly, several of these attacks correlate to public events or geopolitical incidents. An SSDP flood attack against one of the main hosting IP in North Korea happened on April 16, 2017, one day after the North Korean government demonstrated some advanced weapons in a military parade.
On the other hand, a number of rogue TCP or UDP traffic hitting the honeypots originated from North Korean IP space. Most of these attacks are coming from the same Class C that also hosts the proxy exit nodes for international visitors, such as 220.127.116.11 and 18.104.22.168. Attribution of these attacks is extremely difficult, as the scans could either be from real North Korean actors or compromised computers that get their orders from Command and Control servers overseas.
This leads us to an interesting conclusion. A number of public reports used the appearance of a North Korean IP address in a log file as one of the key factors that links certain operations to North Korean hackers. We have demonstrated with a number of findings that this may not always be sufficient evidence as the North Korean network does have compromised machines just like any other network connected to the internet. The North Korean internet is not as strictly controlled as many assume it to be and some internet traffic coming out of North Korea is, in fact, caused by botmasters overseas. Attribution may be hard and can be a slippery slope, as we have shown here and in our previous blog, where OnionDog was proven not to be a targeted attack coming from North Korean actors, but a cybersecurity drill.