North Korea using foreign bases to launch cyberattacks, says HP

There's a reason the DPRK's attacks come through China

The Democratic People's Republic of North Korea (DPRK) is a country with almost no conventional Internet presence and yet it has among the most active cyberwarfare footprints of any nation on earth and appears obsessed with expanding its operations, HP has concluded after reviewing evidence from a range of third-party sources.

It's an apparent paradox: how can a hermit-like country with a population on par with Romania get up to the sort of mischief North Korea has been accused of when satellite images show the country is so lacking a working electricity grid that at night it advertises itself as a lightless, black expanse?

HP's answer in its latest 101 primer is that North Korea doesn't actually do that much from North Korea, relying instead on cells planted in other parts of the world, particularly China, and even inside its sworn enemy South Korea.

Although the country's use of its IP ranges has expanded since 2010, its major government and education sector websites are hosted elsewhere, while a lot of its cyberwarfare capabilities seem to use external bases to direct attacks.

As the report notes, the DPRK's hacking Unit 121 (accused of hacking the US and South Korea) has a base in Pyongyang but depends on a named command post based in a hotel just over the border in China. This and other units such as Unit 110 (aka 'DarkSeoul') have carried out numerous cyber-operations, which accelerated quite dramatically in number during 2013 using the same Chinese proxies.

Surprisingly, North Korea even maintains a small network of 'Chongryon' schools in Japan of all places, which it allegedly uses to aid the motherland by "raising funds via weapons trafficking, drug trafficking, and other black market activities."

Beyond that, the DPRK has a small network of businesses in countries across the globe, including China, used to channel millions of dollars back to the regime, including from curious Western tourists who pay hard Yankee dollars to enjoy the ultimate in totalitarian tourism. Its spies are everywhere.

For a country with no indigenous business culture to speak of, software and technology remains incredibly important, almost a form of social control and job creation for the brightest kids who might otherwise get up to no good.

The country also has its own Linux/Mac OS X-derived operating system, Red Star OS, which sounds much like similar projects in Russia, Iran and China until you realise that, unlike those other countries, North Korea actually uses Red Star OS. It upholds Linux's egalitarian ideals too - anyone in North Korea can run Red Star OS even if the computer to load it on is, like Hitler's VW Beetle, far beyond the pocket of any citizen.

The picture drawn by HP is of a state bent on using the Internet not to advance its economy but to fund its precarious economy and thereby simply survive. It happily uses cyber-operations for their nuisance value, setting out primarily to destroy and disrupt rather than steal resources. By turning itself into a problem demanding attention it seeks to gain concessions.

Its lack of infrastructure forces it to use resources beyond its borders, something that makes it incredibly vulnerable should governments and policies change but also quite effective in the short run. Attributing cyber-attacks to North Korea is difficult and is usually done by drawing inferences from target lists that always include South Korea.

"We should not overestimate the regime's advanced cyber capability, yet we should never underestimate the potential impact of North Korea utilizing less advanced, quick-and-dirty tactics like DDoS to cripple their high-tech targets," concludes the report.

Stories by John E. Dunn