North Korea Goes Offline
It was reported earlier today that North Korea was having Internet connectivity issues.
Given recent events involving Sony Pictures Entertainment (SPE), these reports are of particular interest. The first question when you see this type of report is whether it’s purely a connectivity issue or whether an attack is behind it. While visibility into North Korean Internet is quite difficult, we are able to see quite a few attacks over the last few days.
1.) All targets are in this netblock:
inetnum: 126.96.36.199 – 188.8.131.52
descr: Potong-gang District
status: ALLOCATED PORTABLE
2.) pDNS Data on the specific targets
184.108.40.206 – This appears to be authoritative DNS servers
220.127.116.11 – This appears to be authoritative DNS servers
18.104.22.168 – smtp.star-co.net.kp
22.214.171.124 – naenara.com.kp
126.96.36.199 – Unknown
188.8.131.52 – www.ryongnamsan.edu.kp
3.) Port Analysis
– All attacks on the 18th, 19th and 20th target port 80
– All attacks (except for one) on the 21st and 22nd target port 53 (DNS) from either port 123 or 1900 (indicating NTP or SSDP reflection amplification).
– – The one exception, the first attack on the 21st, was from 1900 to 80.
Peak Attack Size (bps) = 5.97 Gbps on 12/20/14
Peak Attack Size (pps) = 1.70 Mpps on 12/20/14 (same attack)
Peak Duration: 55m 53s 12/22/14 and still ongoing
Two questions generally come to mind at this point. What are they attacking and who is behind these attacks?
Given the above, it looks as if the targets are government owned and operated sites. Given that this is North Korea and Naenara is the official Web site for the DPRK, this makes perfect sense. The .edu target is Kim II Sung University which was the first University Web site ever hosted by North Korea.
The next question is who might be behind such an attack. The “who done it” is great fun, especially when it involves North Korea, given the events of last week. The real answer is that it would be easier to say who is NOT doing this.
I’m quite sure that this is not the work of the U.S. government. Much like a real world strike from the U.S., you probably wouldn’t know about it until it was too late. This is not the modus operandi of any government work.
Below you will see a recent post on pastebin of a port scan of several of the IP’s mentioned above. This is typical of hacktivism information sharing and would match up very well with recent online chatter.
.8 and .9 listening on 53.
.10 listening on 25.
Nothing for .11.
.67 and .77 listening on 80 and 110.
Nothing for .79 (the .edu site)
Anonymous has been tweeting about not only releasing the movie, The Interview, but taking revenge on North Korea for the movie being taken out of theaters. A second
hacktivist cyber-terrorist group, Lizard Squad, is also active on Twitter:
Going back to the very beginning, what does this all have to do with the Internet being spotty in North Korea? Well, as you can see, two of the above targets were the primary and secondary DNS for much of the Web sites in North Korea. While these attacks aren’t very large, they don’t necessarily need to be. The Internet infrastructure in North Korea isn’t that impressive so it’s not as if a super sophisticated attack is needed in order to cripple it. Without further information to work from, my informed speculation would lead me to think the traffic dropped intermittently due to not being able to resolve IP’s.
While Stuxnet was a very real thing and countries all over the world have increasingly impressive offensive capability and aren’t shy about stating publicly that they are building further capability every day, there are also instances where its been shown that nation states aren’t always to blame. This is likely to be one of those situations.
Here is a view from the Digital Attack Map, a collaboration between Arbor Networks and Google Ideas: