Analysts at DYN Research, a New Hampshire-based firm that tracks the health of the Internet’s underlying infrastructure, say the firm has monitored some disruptions to the flow of Internet traffic into the country since early Sunday.
Doug Madory, the firm’s lead analyst, told Re/code that connections that are typically solid have experienced ongoing and persistent disruptions, the source of which remains unknown.
“They’re pretty stable networks normally,” Madory said. “In the last 24 hours or so, the networks in North Korea are under some kind of duress, but I can’t tell you exactly what’s causing it.” Possible reasons include an attack by another nation or third-party hackers, he said, but also things like power outages and network maintenance. “There’s no way to confirm that these outages are the result of an attack, but given the timing, it’s something we have to consider,” he said.
The disruption comes on the heels of the accusations by the FBI implicating North Korea for a devastating hacking attack against Sony Pictures Entertainment. The attack first came to light on Nov. 24, and may have been motivated by a Sony-made motion picture comedy, “The Interview,” which concerns a CIA-backed assassination attempt on the life of North Korean leader Kim Jong-un.
On Friday President Obama said that the U.S. would respond to the attack against Sony “at a time and place of our choosing,” but declined to elaborate.
Madory said that under normal circumstances, the North Korean networks, like those of any other country, steadily announce their availability to the wider Internet. Since Sunday those announcements have been disrupted, consistent with the Internet routers responsible for coordinating the country’s traffic going offline. “It sometimes goes down for a little while and then comes back,” Madory said. “This has been recurring and constant and is definitely outside the norm.”
It was reported earlier today that North Korea was having Internet connectivity issues.
Given recent events involving Sony Pictures Entertainment (SPE), these reports are of particular interest. The first question when you see this type of report is whether it’s purely a connectivity issue or whether an attack is behind it. While visibility into the North Korean Internet is quite limited, we are able to see quite a few attacks over the last few days.
1.) All targets are in this netblock:
inetnum: 18.104.22.168 – 22.214.171.124
descr: Potong-gang District
status: ALLOCATED PORTABLE
2.) pDNS Data on the specific targets
126.96.36.199 – This appears to be an authoritative DNS server
188.8.131.52 – This appears to be an authoritative DNS server
184.108.40.206 – smtp.star-co.net.kp
220.127.116.11 – naenara.com.kp
18.104.22.168 – Unknown
22.214.171.124 – www.ryongnamsan.edu.kp
3.) Port Analysis
– All attacks on the 18th, 19th and 20th target port 80
– All attacks (except for one) on the 21st and 22nd target port 53 (DNS) from either port 123 or 1900 (indicating NTP or SSDP reflection amplification).
– – The one exception, the first attack on the 21st, was from 1900 to 80.
Peak Attack Size (bps) = 5.97 Gbps on 12/20/14
Peak Attack Size (pps) = 1.70 Mpps on 12/20/14 (same attack)
Peak Duration: 55m 53s 12/22/14 and still ongoing
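One way a network operator could flag the traffic pattern described in item 3 (UDP arriving from source port 123 or 1900, i.e. NTP or SSDP reflection, toward port 53 or 80) in flow records and derive the same peak bps/pps figures, as an added example that is not part of the original post; the CSV flow lines and the 192.0.2.x / 198.51.100.x addresses are constructed sample data.

```python
import csv
from collections import defaultdict
from io import StringIO

# UDP source ports that identify reflection/amplification services named in the report.
REFLECTOR_PORTS = {123: "NTP", 1900: "SSDP"}

# Constructed NetFlow-style records, not real captured data.
# Fields: epoch_second, proto, src_ip, src_port, dst_ip, dst_port, bytes, packets
SAMPLE_FLOWS = """\
1419206400,udp,198.51.100.7,123,192.0.2.8,53,4400,10
1419206400,udp,198.51.100.9,123,192.0.2.8,53,8800,20
1419206401,udp,198.51.100.7,123,192.0.2.8,53,2200,5
1419206400,udp,198.51.100.20,1900,192.0.2.67,80,3100,10
1419206400,udp,198.51.100.21,53,192.0.2.8,53,120,1
1419206402,tcp,198.51.100.30,44321,192.0.2.67,80,900,6
"""

def parse_flows(text):
    """Parse CSV flow lines into dicts with numeric fields."""
    rows = []
    for ts, proto, src_ip, sport, dst_ip, dport, nbytes, npkts in csv.reader(StringIO(text)):
        rows.append({"ts": int(ts), "proto": proto, "src_ip": src_ip, "src_port": int(sport),
                     "dst_ip": dst_ip, "dst_port": int(dport),
                     "bytes": int(nbytes), "packets": int(npkts)})
    return rows

def is_reflection(flow):
    """A UDP flow sourced from a known reflector service port is treated as reflected traffic."""
    return flow["proto"] == "udp" and flow["src_port"] in REFLECTOR_PORTS

def summarize(flows):
    """Per (service, target, target port): peak bps, peak pps, distinct reflectors, duration."""
    per_sec = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # key -> second -> [bytes, pkts]
    reflectors = defaultdict(set)
    for f in flows:
        if not is_reflection(f):
            continue
        key = (REFLECTOR_PORTS[f["src_port"]], f["dst_ip"], f["dst_port"])
        per_sec[key][f["ts"]][0] += f["bytes"]
        per_sec[key][f["ts"]][1] += f["packets"]
        reflectors[key].add(f["src_ip"])
    return {key: {"peak_bps": max(b * 8 for b, _ in secs.values()),
                  "peak_pps": max(p for _, p in secs.values()),
                  "reflectors": len(reflectors[key]),
                  "duration_s": max(secs) - min(secs) + 1}
            for key, secs in per_sec.items()}

if __name__ == "__main__":
    for key, stats in summarize(parse_flows(SAMPLE_FLOWS)).items():
        print(key, stats)
```

The non-reflector UDP flow (source port 53) and the TCP flow are ignored, so only the NTP-to-53 and SSDP-to-80 streams appear in the summary.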
Two questions generally come to mind at this point. What are they attacking and who is behind these attacks?
Given the above, it looks as if the targets are government owned and operated sites. Given that this is North Korea and Naenara is the official Web site for the DPRK, this makes perfect sense. The .edu target is Kim Il Sung University, which was the first University Web site ever hosted by North Korea.
The next question is who might be behind such an attack. The “who done it” is great fun, especially when it involves North Korea, given the events of last week. The real answer is that it would be easier to say who is NOT doing this.
I’m quite sure that this is not the work of the U.S. government. Much like a real world strike from the U.S., you probably wouldn’t know about it until it was too late. This is not the modus operandi of any government work.
Below you will see a recent post on pastebin of a port scan of several of the IPs mentioned above. This is typical of hacktivism information sharing and would match up very well with recent online chatter.
.8 and .9 listening on 53.
.10 listening on 25.
Nothing for .11.
.67 and .77 listening on 80 and 110.
Nothing for .79 (the .edu site)
Anonymous has been tweeting about not only releasing the movie, The Interview, but taking revenge on North Korea for the movie being taken out of theaters. A second hacktivist cyber-terrorist group, Lizard Squad, is also active on Twitter: