North Korea statues
“We wouldn’t be able to do this type of analysis if they didn’t have such restrictive parameters around the internet,” says Priscilla Moriuchi.


North Korea’s ultra-secretive ways can make the regime easier to track online

A regime known for iron-fisted control can’t keep all its secrets on the global internet.

Feb 20, 2020

North Korea is one of the most impenetrable regimes on earth, and sometimes its secrecy backfires.

The Pyongyang government tightly controls all the people and machines inside the country with access to the global internet—even as that technology has become one of the regime’s most important tools for survival. This restrictiveness means that any network activity detected out of North Korea can reveal government strategy.

One example is a tenfold increase observed in North Korea’s mining of Monero, the privacy-driven cryptocurrency designed to make tracking somewhere between difficult and impossible. Analysts can see internet traffic so detailed that it reveals Pyongyang’s investment in new higher-end, higher-capacity machines to mine the cryptocurrency, according to a recent report from the American cybersecurity firm Recorded Future.

These are the latest signs that cyber operations are the regime’s key to making money, secretly circumventing sanctions, and ultimately enabling continued survival—but that staying hidden while carrying them out can be a futile task. 

North Korea’s unparalleled restrictiveness and secrecy around internet usage actually make it easier for intelligence analysts to track and understand how the country uses the internet. 

“What we see is internet use by the very privileged, the 0.1%, the North Korean military leadership and their families, who are actually given access to the internet,” says Priscilla Moriuchi, an analyst with Recorded Future who focused on China and North Korea during 13 years at the National Security Agency. “We wouldn’t be able to do this type of analysis if they didn’t have such restrictive parameters around the internet.”

Recorded Future, an intelligence firm launched in 2009 with the backing of Google and In-Q-Tel, the CIA’s venture capital arm, has grown to 650 customers and 475 employees and has just signed a $50 million threat intelligence deal with the US Cyber Command.  

Moriuchi joined the firm three years ago after holding a leadership position at NSA’s headquarters in Fort Meade, Maryland. She is now the head of its nation-state research and the chief strategist for Insikt Group, the team of intelligence analysts that recently finished the unprecedented study of North Korean internet use over the last three years. The analysis found that it’s risen 300%.

In addition to mining and using cryptocurrency to skirt sanctions and fund the regime, North Korea also makes money by hacking cryptocurrency exchanges. For a country that faces unique and even existential challenges, there is no real distinction between criminal hacking and government-backed espionage.

“North Korea is the most bizarre and fascinating country,” says Moriuchi. “The scope of operations is so far outside what other states do. What they do is just so risky, but they literally have nothing to lose, right?”

By effectively sorting through and understanding the mass of network traffic the firm buys from third-party sources to watch much of what happens inside the ultra-secretive dictatorship, Moriuchi’s team put together a vast picture of how the Kim regime is operating online.

There are only three primary ways North Korea connects to the global internet: first, through the allocated .kp IP range; second, through a connection to neighboring China’s telecommunications giant Unicom; and finally, through an increasingly important connection via a Russian satellite company that ultimately resolves to SatGate in Lebanon.

But a number of North Koreans live and hack abroad in countries like China. This gives them better access to the internet as they take the opportunity to blend in, while affording plausible deniability for the regime. 

“They’re outside usual boundaries technologically and geographically,” Moriuchi says. “First and foremost, North Korea sends a lot of their cyber operators overseas, which is insane if you’ve ever been an operator. It sounds like a given at this point, but these are super highly trained people that the regime has invested lots of money, time, and trust in. The US would not do that. We would not send our best operators to some random country to hack from that country.”

Internet-based revenue comes from three main sources, the report details: hacking-enabled bank theft, hacking and mining of cryptocurrencies, and financial cybercrime. The United Nations estimates that North Korean operators have stolen over $2 billion over the last four years, a relatively enormous percentage of the country’s estimated $28 billion gross domestic product. 

“The revenue generation is state directed and state mandated,” Moriuchi says. “These people have to earn a specific amount of money per year in order to support themselves and stay overseas, and so their families aren’t endangered at home. It’s a criminal state up-and-down exploiting the openness of the internet to earn money. It is absolutely insane.”