North Korea’s internet activity has spiked as the country has embraced cryptocurrency to circumvent US sanctions, according to a report by Insikt Group. Insikt Group is Recorded Future’s team of veteran threat researchers, who back up the company’s intelligence analysts, engineers, and data scientists.
Executive Summary
Over the past three years, Recorded Future has published a series of research pieces revealing unique insight into the behavior of North Korea’s most senior leadership. Its observations and findings during 2019 build on that earlier work and point to broader conclusions about the way North Korean leaders use the internet. For the North Korean political and military elite, the 2019 data show that the internet is not simply a fascination or leisure activity, but a critical tool for revenue generation, for gaining access to prohibited technologies and knowledge, and for operational coordination.
Further, they assess that North Korea has developed an internet-based model for circumventing the international financial controls and sanctions regimes imposed on it by multinational organizations and the West. This includes using the internet not only as a mechanism for revenue generation, but also as an instrument for acquiring prohibited knowledge and skills, such as those enabling the development of North Korea’s nuclear and ballistic missile programs and its cyber operations. The model uses three primary tactics for generating revenue: internet-enabled bank theft; use and exploitation of cryptocurrencies and blockchain technology; and low-level information technology (IT) work and financial crime.
At its most basic, North Korea has developed a model that leverages the internet as a mechanism for sanctions circumvention that is distinctive, but not exceptional. The model is unusual but repeatable, and, most concerningly, it can serve as a template for other financially isolated nations, such as Venezuela, Iran, or Syria, for how to use the internet to circumvent sanctions.
Key Judgments from the Report
We have observed a 300% increase in the volume of activity to and from North Korean networks since 2017. We assess this is due to a number of factors, including the increased use of the Russian-routed TransTelekom infrastructure, the use of some of North Korea’s previously unresolved IP space, and the stand-up of new mail servers, FTP servers, and DNS name servers to support an increased traffic load.
Continued pattern-of-life and content shifts indicate that the internet has likely become a professional tool for North Korea’s most senior leadership. The highest levels of internet use are now on weekdays during North Korean work hours, a shift from 2017, when activity was highest on the weekends and during late afternoons and evenings.
We assess that, taken together with the 300% increase in volume of activity, the increased bandwidth and capacity provided by routing an additional /24 subnet through TransTelekom infrastructure and the recent utilization of some previously unresolved IP space indicate that the internet is no longer simply a fascination or leisure activity, but has become a critical tool for North Korean leaders.
We have discovered that North Korea has created its own unique virtual private network (VPN) by exploiting the Domain Name System (DNS). This VPN uses a technique called DNS tunneling, in which DNS queries and responses are used not to resolve a domain name but to carry data, or to tunnel other traffic, out of a closed network. We assess that this technique could be used by North Korean users to exfiltrate data from the networks of unsuspecting targets, or as a means of circumventing government-imposed content controls.
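The mechanism behind DNS tunneling, as an added illustration that is not code from the Insikt Group report: the encoder shows how a tunneling client packs a payload into query names under an attacker-controlled zone (the hypothetical t.example.net, whose authoritative server would be the tunnel endpoint), and the detector shows three checks a reviewer of resolver logs would run to spot such traffic. Payload, log lines, client addresses and thresholds are all constructed for the example.

```python
from __future__ import annotations

import base64
import math
from collections import defaultdict

# Hypothetical attacker-controlled zone; its authoritative server is the tunnel endpoint.
TUNNEL_DOMAIN = "t.example.net"


def encode_chunks(data: bytes, domain: str = TUNNEL_DOMAIN, chunk_size: int = 30) -> list[str]:
    """Turn a payload into the query names a tunneling client would resolve.

    Each chunk is base32-encoded (DNS is case-insensitive, so base32 survives
    resolver case-folding where base64 would not) and prefixed with a sequence
    number so the endpoint can reassemble in order. A label is capped at 63
    characters, so chunk_size must stay at or below 39 bytes.
    """
    names = []
    for seq, offset in enumerate(range(0, len(data), chunk_size)):
        label = base64.b32encode(data[offset:offset + chunk_size]).decode().rstrip("=").lower()
        if len(label) > 63:
            raise ValueError("label too long for a DNS name")
        names.append(f"{seq}.{label}.{domain}")
    return names


def decode_chunks(names: list[str], domain: str = TUNNEL_DOMAIN) -> bytes:
    """What the tunnel endpoint does: strip the zone, restore padding, reorder by sequence."""
    parts = []
    for name in names:
        seq, label = name[: -(len(domain) + 1)].split(".", 1)
        label = label.upper() + "=" * (-len(label) % 8)
        parts.append((int(seq), base64.b32decode(label)))
    return b"".join(chunk for _, chunk in sorted(parts))


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded or encrypted data sits well above natural hostnames."""
    if not text:
        return 0.0
    counts: dict[str, int] = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(name: str) -> tuple[str, str]:
    """Naive split into (subdomain, registered domain) using the last two labels.

    Production code would consult the Public Suffix List so that zones such as
    example.co.uk are handled correctly.
    """
    labels = name.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def detect_tunneling(log_lines, max_label=30, max_entropy=3.5, min_unique=5):
    """Score resolver log lines of the form '<timestamp> <client> <qtype> <qname>'.

    Returns {(client, registered_domain): reasons} for pairs that look like a
    tunnel: long labels, high-entropy subdomains, or many distinct subdomains of
    one zone from one client (every tunnel query must be unique to defeat caching).
    """
    subdomains_seen = defaultdict(set)
    reasons = defaultdict(set)
    for line in log_lines:
        _ts, client, _qtype, qname = line.split()
        sub, zone = split_name(qname.lower())
        key = (client, zone)
        subdomains_seen[key].add(sub)
        if sub and max(len(label) for label in sub.split(".")) > max_label:
            reasons[key].add("long_label")
        if shannon_entropy(sub.replace(".", "")) > max_entropy:
            reasons[key].add("high_entropy")
    for key, subs in subdomains_seen.items():
        if len(subs) >= min_unique:
            reasons[key].add("many_unique_subdomains")
    return {key: sorted(r) for key, r in reasons.items() if r}


# Constructed sample: a harmless payload on the tunnel side plus benign-looking
# lookups from the same resolver. None of this is real traffic.
PAYLOAD = b"".join(b"constructed line %d: no real data here\n" % i for i in range(6))
TUNNEL_QUERIES = encode_chunks(PAYLOAD)
SAMPLE_LOG = [
    "2019-11-04T09:12:30Z 10.0.0.5 A www.example.org",
    "2019-11-04T09:12:31Z 10.0.0.5 A mail.example.org",
    "2019-11-04T09:12:32Z 10.0.0.7 AAAA cdn.example.com",
] + [f"2019-11-04T09:13:{i:02d}Z 10.0.0.5 TXT {q}" for i, q in enumerate(TUNNEL_QUERIES)]

if __name__ == "__main__":
    assert decode_chunks(TUNNEL_QUERIES) == PAYLOAD
    for key, why in detect_tunneling(SAMPLE_LOG).items():
        print(key, why)
```

The three indicators are deliberately cheap so they can run over a full day of resolver logs; in practice the unique-subdomain count is the strongest signal, because a tunnel cannot reuse names without the answers being served from cache, whereas long or high-entropy labels also appear in legitimate CDN and anti-virus lookups and need an allowlist.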
We believe that the apparent focus by the Kim regime on increasing the accessibility of its remaining four state-run insurers over the course of 2019 could be an attempt both to revitalize insurance fraud as a means of revenue generation after the sanctioning of KNIC (Korea National Insurance Corporation) in 2017, and to reassure potential investors in North Korea.
We have observed an at least tenfold increase in Monero mining activity from North Korean IP ranges since May 2019. We believe that Monero’s anonymity and lower processing power requirements likely make Monero more attractive than Bitcoin to North Korean users.
North Korea’s internet spikes show how the illicit use of cryptocurrency can tarnish its image among the general public. Almost every currency is misused by criminals, however, and blockchain is only the most recent to suffer that reputation.