Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

ASSESSMENT: DPRK Networks and CNO Capacities

leave a comment »

Screenshot from 2014-01-17 13:14:57

DPRK INTERNET AND INTRANET:

As the DPRK under Kim Jung Un has been poking the global bear lately with threatening faxes I thought it was time to re-approach the CNE/CNO/CNA capabilities that they have and gut check against the hype in the news cycle. As there has been talk of cyber attacks allegedly carried out by the DPRK against at least the South, one has to wonder just what kind of connection the North actually has to the global internet. As it turns out the DPRK has a class B  (175.45.176.0 – 175.45.179.255) address space that is ostensibly outwardly facing to the global internet. Inside the country though the fiber intranet is closed off to the external internet for the most part save for those eleets deemed important enough to have it. The gateways for this internet connection are sourced out to the Chinese mainland (China Unicom/ Star JV/ Loxley Pac) and are most likely located in southern China. This however has not stopped certain people actually downloading from Bittorrent  this last year so we know that a certain amount of people actually do have access that goes to the internet directly from Pyonyang which was a bit of a surprise for me at first but then you look at the small area from which they are coming from and you see it is a very small subset of people accessing the net to pirate movies. The masses though who have access to a computer are relegated to the Kwangmyong network that they can only access through the “Red Star OS” that the DPRK has special made for them to use. This intranet is from all reports, more like a BBS than the internet and consists of very little content and certainly not anything revolutionary (both technically and literally) I have downloaded a copy of Red Star and will be putting it in a sandbox to play with and report on at a later date.

 

Screenshot from 2014-01-22 14:28:49

Pirating:

Screenshot from 2014-01-22 14:41:14WHOIS for DPRK

 

DPRK Internet Accessible sites:

Root Zone File

Root Hint File

Screenshot from 2014-01-22 15:06:02http://pust.kr/

Screenshot from 2014-01-22 15:07:35

Uriminzokkiri a facebook like service located outside of the DPRK zone

Screenshot from 2014-01-22 15:11:46

uriminzokkiri.com WHOIS

DPRK CNO, CNA & CNE:

There seems to be some cognitive dissonance concerning the capabilities of the DPRK where network warfare is concerned. As seen below in the two snippets of articles either they have nothing much in place because they are focusing more on nuclear technologies or they are creating a master group of hackers to attack the US and South Korea. I for one think that the truth lies somewhere in the middle in that I know that fiber has been laid and that the eleet and the military both have access to the internet for their own purposes. That the connection is routed through a satellite ostensibly (mostly) shows just how disconnected the regime wants to be to insure their power consolidation. Though there is a single “internet cafe” in Pyongyang, it must be noted that it only serves network traffic to the intranet that they have created. I have to wonder though if perhaps somewhere within that infrastructure lies unknown dark spots where the government may not have as much control as they would like.

On the topic of cyber capabilities, the report said North Korea probably has a military computer network operations capability. North Korea may view computer network operations as an appealing platform from which to collect intelligence, the report added, and the nation has been implicated since 2009 in cyberattacks ranging from computer network exploitation to distributed denial of service attacks.

In assessing North Korea’s security situation, the report said, “North Korea continues to fall behind the rising power of its regional neighbors, creating a widening military disparity and fueling its commitment to improving asymmetric and strategic deterrent capabilities as the primary guarantor of regime survival.”

Tensions on the Korean Peninsula have grown as relations between North and South Korea worsen, the report noted. North Korea has portrayed South Korea and the United States as constant threats to North Korea’s sovereignty in a probable attempt to legitimize the Kim family rule, its draconian internal control mechanisms and existing strategies, the report said.

“The regime’s greatest security concern is opposition from within,” the report added, “and outside forces taking advantage of internal instability to topple the regime and achieve unification of the Korean Peninsula.”

North Korea seeks recognition as an equal and legitimate international player and recognized nuclear power and seeks to normalize its diplomatic relations with the Western world and pursue economic recovery and prosperity, the report said.

“[North Korea’s] rhetoric suggests the regime at this time is unlikely to pursue this second goal at the expense of the primary goal of pursuing its nuclear and missile capabilities,” the report added.

DOD Report: North Korea Still Critical U.S. Security Threat

North Korea has the highest percentage of military personnel in relation to population than any other nation in the world, with approximately 40 enlisted soldiers per 1000 people with a considerable impact on the budge of the country.  Don’t forget also that North Korea has capabilities that also include chemical and biological weapons.  A defector has declared that North Korea has increased its cyber warfare unit to staff 3,000 people and it is massive training its young prodigies to become professional hackers.

The large cyber force responds directly to the command of the country’s top intelligence agency, the General Reconnaissance Bureau. Last year in internet have been published satellite photos of the area that is suspected to host  North Korea’s ‘No. 91 Office’, a unit based in the Mangkyungdae-district of Pyongyang dedicated to computer hacking, its existence was revealed in a seminar on cyber terror in Seoul.

According the revelation of Army General James Thurman, the commander of US Forces Korea, the government of Pyongyang is massive investing in cyber warfare capabilities, recruiting and forming high skilled team of hackers to be engaged in offensive cyber operations against hostile government and in cyber espionage activities.

In more than one occasion the North Korea has threatened the South promising waves of attacks, and the cyber offensive option is the most plausible considering the advantage in terms of efficiency, noise and political impact.

North Korea’s electronic warfare capabilities are second only to Russia and the United States…

Increasing concerns on cyber warfare capabilities of the North Korea

So when the question of CNO/CNA/CNE comes up with many here in the rest of the world it is all pretty much a guess as to what the answer truly is. Of course I would love to know what the NSA knows about that internal infrastructure. I suppose that the NSA, with all of the revelations of late, probably has(d) entre into the intranet from hardware that had been spiked with surveillance tech. Overall the picture from using nmap and other technologies shows that the infrastructure outside looking in, without backdoor access to China Netcom systems, is pretty blank from an information warfare perspective. The sites that are sitting out there that are live are flat but if one were to r00t one what would the acl’s be like one wonders. DPRK has spent a lot of time hardening and walling themselves off but nothing ever is 100% secure. With all the talk about their DD0S attacks against S. Korea though and the bank hack (2013) there have been some leaks that lead us to believe that they do use that .kp IP space for access to their malware C&C’s. In the case of the bank hack this last year the malware was beaconing to an IP within their internet facing space surprisingly. For the most part though the attacks that have been perpetrated by the DPRK have been through proxy addresses (S. China etc) so as to have some plausible deniability.So short of some leaking of intelligence on DPRK and their internal fiber networks it’s pretty much still a black hole or maybe more apropos a giant darknet of their own and we cannot see inside.

中国黑马: 

Speaking of Darknets I just wanted to touch on this idea for a bit. One wonders just what CNA/CNO the DPRK might be carrying on with regard to TOR nodes and the use of the darknet. I should think an interesting study might be tracking IP’s from Southern China to see where much of that traffic is being routed through TOR nodes. I think that this could be a real untapped subject for study to date. If the eleets have access to not only the internet through INTELSAT/Chinacom and MAC OSX boxes then perhaps some of them are actually routing traffic through proxies like TOR to cover their own censorship arcology? Can you imagine that Un doesn’t have high speed SAT connection through INTELSAT so he can surf unencumbered? What about certain high ranking intelligence and military people as well? It surprises me that I am not seeing more in the darknet from the DPRK itself as well. Of course this would, even with it being on TOR or in a proxied hosted system, a dangerous game to have any kind of truth telling coming directly out of Pyongyang. Still though, I would love to see this happen as well as perhaps some incursion into the intranet by someone adding a rogue SAT feed and a router. Presently I have seen reports about how former DPRK escapee’s have been smuggling in DVD’s, Net-Top PC’s and Netbooks over the Chinese border and giving them to people. The thrust of this idea is to bring Western movies and media to the DPRK as a subtle form of mental malware. I would push that further and create a new darknet within their dark fiber network.

ANALYSIS:

When one sIn the final analysis, the DPRK has connectivity that is very limited in scope and in actual use. The eleet few have access to the outside world while the rest have a very controlled intranet that is full of propaganda and surveillance. When one starts talking about their capabilities for cyber warfare you have to take what is usually said with a grain of salt or a whole shaker. The fact of the matter is that much is still not known about their capabilities outside of perhaps the NSA and certain people in the IC. From the attacks seen to date we have seen much activity out of China that could also be dual purpose attacks for DPRK as well. Since much of their CNA/CNE capabilities and training has come out of (literally) China one has to assume that not every China hack is just for China or originating from them. For that matter, it is entirely possible that traffic we have all seen coming from S. Korea could in fact be proxy attacks from the DPRK as well for plausible deniability. My feeling though is that the DPRK is still getting it’s unit’s together and building capacities and is not a clear and present danger to the world from any kind of cyber warfare scenarios. DPRK uses the aggrieved and angry squeaky wheel approach to diplomacy cum bullying on the world stage and is not suited for sneaky cyber war just yet. Also cite the fact that if you poll the likes of Crowdstrike or Mandiant you will not see too many (if any at all) attacks or campaigns being designated to DPRK actions. Now why would that be?

K.

 

 

Written by Krypt3ia

2014/01/22 at 21:41

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: