Who Disrupted Internet in North Korea?

Service Cut Off in Wake of Sony Breach; Cause Unknown
Companies that monitor Internet traffic say the Internet went dark in North Korea on Dec. 22, days after President Obama pledged there would be a "proportionate response" to the cyber-attack on Sony Pictures Entertainment that the FBI blames on the North Koreans.

"I haven't seen such a steady beat of routing instability and outages in KP before," Doug Madory, director of Internet analysis at Dyn Research, tells the website North Korea Tech, referring to North Korea's Internet domain abbreviation. "Usually there are isolated blips, not continuous connectivity problems. I wouldn't be surprised if they are absorbing some sort of attack presently."

North Korea lost connectivity around 11 a.m. EST, according to CloudFlare, a provider of performance and security services for websites. Twelve hours later, the Associated Press reported the service had been restored.

Small Internet Footprint

CloudFlare chief executive Matthew Prince says if North Korea was victimized by a DDoS attack, it wasn't necessarily conducted by the United States or another nation state. Prince estimates that the capacity of North Korea's Internet is no greater than tens of gigabits per second. "Given the largest DDoS attacks are an order of magnitude larger than that," he says, "it is conceivable that an attack saturated the connection and knocked the site offline."

Prince says groups much smaller than a nation-state - even an individual - could pull off such a DDoS attack, pointing out that a British teenager pleaded guilty a few weeks ago to launching an attack generating 300 Gbps against Spamhaus, an organization that tracks e-mail spammers.

"That, again, is likely at least an order of magnitude larger than the total capacity of North Korea's link to the public Internet," he says. "In other words, if it turns out it was an attack, I'd be far more surprised if it was a government launching the attack than I would if it was a kid in a Guy Fawkes mask." The Guy Fawkes mask is a symbol used by the hacktivist group Anonymous.

Who's Responsible?

Dan Holden, director of security research at Arbor Networks, told Bloomberg News that it was unlikely the U.S. was behind the outage. "If the U.S. government was going to do something, it would not be so blatant and it would be way worse," he said. "This could just be someone in the U.S. who is ticked off because they're unable to see the movie," he said, referring to "The Interview," the film that Sony yanked after receiving threats from hackers.

State Department spokeswoman Marie Harf wouldn't comment on whether the United States was behind a cyber-attack on North Korea. "We aren't going to discuss publicly operational details about the possible response options," she said at a Dec. 22 briefing, adding that "as we implement our responses, some will be seen, some may not be seen."

The impact of an Internet outage in North Korea would be negligible because so few individuals and businesses in North Korea have access to the Internet. "It might cause short-term pain for the elites that have access to Internet, but it's not going to have a long-term effect," says Adam Segal, director of the program on digital and cyberspace policy at the Council on Foreign Relations, a think tank.

According to the New York Times, North Korea does very little commercial or government business over the Internet, officially registering only 1,024 Internet protocol addresses, though the actual number may be somewhat higher. The United States, by comparison, has billions of addresses.

Other Possible Causes

CloudFlare's Prince offered three other potential causes for the outage, including the North Korean government removing itself from the Internet. "We've seen this before when other countries with low levels of connectivity and governments with high degrees of power over telecommunications have terminated Internet access," Prince says, citing Syria as an example.

North Korea's Internet service provider, China Unicom, might have terminated service. "Since North Korea relies on a single provider upstream of the country, if China Unicom terminated access, it would effectively eliminate North Korea's Internet access," he says.

Prince also says that North Korea might have fallen victim to an "unfortunately timed" hardware failure or cable cut. "It's unlikely that North Korea has an up-to-date Cisco support contract, and a critical resource may have failed for innocuous reasons."


About the Author

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



