Understanding the 'How' and 'When'
The first month of 2022 saw the return of North Korean ballistic missile testing. Reports of several launches coincided with news of internet outages.
This sequence of outages should pique interest due to the apparent impact on a variety of internet-facing assets of the Democratic People’s Republic of Korea (DPRK). Whilst we can speculate about the motive, it seems clear that the goal was to disrupt communications and media-related services behind the DPRK’s fiercely private domain.
In this blog we will assess these ‘internet outages’ in further detail, using Team Cymru’s Pure Signal™ Recon platform to examine network telemetry data for the IPv4 netblock publicly assigned to the DPRK – 220.127.116.11/22 (STAR-KP, KP).
Figure 1: Source - Reuters (Article Dated 26 January 2022)
ATTACK TARGETING THE KOREAN CENTRAL NEWS AGENCY; 14-15 JANUARY 2022
Between 23:00 (UTC) on 14 January and 02:00 (UTC) on 15 January, a large volume of outbound UDP sessions to remote port 3283 were observed, sourced from 18.104.22.168.
Figure 2: Threat Telemetry Data for 14/15 January 2022
Passive DNS data for 22.214.171.124 shows that this IP address hosts web infrastructure related to the Korean Central News Agency (KCNA) – the state news agency of the DPRK.
The observed activity is therefore indicative of an amplification/reflection Distributed Denial of Service (DDoS) attack, targeting the KCNA. This type of DDoS attack is designed to cause disruption by magnifying traffic to/from the victim, whilst also enabling the attacker to obscure the original source.
It was noted when reviewing the data for this attack that it lasted almost exactly three hours. This may be indicative of a service for hire – i.e., the ultimate perpetrator paid for three hours of access to a DDoS framework.
UDP port 3283 is commonly associated with Apple Remote Desktop. Research undertaken by Netscout identified that DDoS attacks using this vector first occurred ‘in the wild’ in June 2019. At the time Netscout identified approximately 54,000 abusable devices, which were Apple Remote Management service (ARMS) enabled and had UDP/3283 open to the internet.
Data from Shodan shows that although the number of abusable devices has decreased since 2019, around 24,000 such devices remain at risk.
Figure 3: Abusable Devices with UDP/3283 Open (Data - Shodan)
Reviewing WHOIS information for the hosts utilized in the DDoS attack against the KCNA, it is evident that a large proportion of abusable devices are located in the United States.
Figure 4: Heat Map of Hosts Involved in 14 January DDoS Attack
DISRUPTION OF INTERNET-FACING WEBSITES; 25-26 JANUARY 2022
Between approximately 19:00 (UTC) on 25 January and 23:00 (UTC) on 26 January, a large volume of inbound TCP connections were observed to port 80 on IPs within the 126.96.36.199/22 netblock.
Figure 5 below is based on a sampling of this data, accounting for approximately 5% of the total number of observed records.
Figure 5: Network Telemetry Data for 25/26 January 2022
A review of the target IPs, augmented with Passive DNS data, indicates that an HTTP flood (DDoS) attack took place against various elements of the DPRK’s public web infrastructure. Table 1 below contains the top-10 most frequently targeted IPs.
Note, the displayed Passive DNS data is not exhaustive, but serves to highlight the websites targeted.
Table 1: Targeted DPRK Web Infrastructure (only the organisation column is recoverable here: Central News Agency; Ministry of Foreign Affairs; Association of Social Scientists; Voice of Korea)
In this case it is apparent that the attacker’s aim was to take down public North Korean websites, by overloading the infrastructure used to host them. This may be viewed as a symbolic act – this particular attack gained more widespread attention when users were unable to access these websites.
DPRK NAME SERVERS TARGETED VIA COMMON VECTOR; 29 JANUARY 2022
Between 03:27 (UTC) and 04:18 (UTC) on 29 January 2022, a large volume of outbound UDP sessions to remote port 123 were observed, sourced from 188.8.131.52 and 184.108.40.206.
Figure 6: Network Telemetry Data for 29 January 2022
Passive DNS data for 220.127.116.11 and 18.104.22.168 identifies them as name server infrastructure for the 22.214.171.124/22 netblock.
The observed activity is therefore indicative of an amplification/reflection Distributed Denial of Service (DDoS) attack, targeting North Korean name server infrastructure. UDP/123 is commonly associated with the Network Time Protocol, a service which is frequently utilized (abused) in this type of attack.
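The two telemetry signatures described above (the ARMS and NTP reflection attacks, where the victim IP appears as the source of UDP sessions to a reflector port on many remote hosts, and the 25/26 January HTTP flood, where many remote hosts open inbound TCP/80 connections to the victim) can be picked out of flow records mechanically. The classifier below is an added example written for this post, not Team Cymru's Recon tooling; it runs over constructed flow records in RFC 5737 documentation ranges, with 192.0.2.0/24 standing in for the monitored netblock, and reports the distinct-peer count and duration for each grouping, since the duration (almost exactly three hours in the 14/15 January case) is itself an analytic clue.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Reflector/amplifier ports named in the analysis above: UDP/3283 (ARMS) and UDP/123 (NTP).
REFLECTOR_PORTS = {3283: "ARMS", 123: "NTP"}
FLOOD_PORTS = {80: "HTTP"}

# Constructed sample flow records (not real telemetry). 192.0.2.0/24 stands in for the
# monitored netblock; 198.51.100.x and 203.0.113.x are remote hosts.
# Fields: timestamp, src, sport, dst, dport, proto.
SAMPLE_FLOWS = [
    # victim-as-source UDP to many remote ARMS reflectors (spoofed requests as seen in telemetry)
    ("2022-01-14T23:00:05Z", "192.0.2.10", 53211, "198.51.100.1", 3283, "udp"),
    ("2022-01-14T23:00:09Z", "192.0.2.10", 53211, "198.51.100.2", 3283, "udp"),
    ("2022-01-15T01:59:58Z", "192.0.2.10", 53211, "198.51.100.3", 3283, "udp"),
    # inbound TCP/80 from many remotes to one local web host (HTTP flood)
    ("2022-01-25T19:00:00Z", "203.0.113.1", 40001, "192.0.2.20", 80, "tcp"),
    ("2022-01-25T19:00:01Z", "203.0.113.2", 40002, "192.0.2.20", 80, "tcp"),
    ("2022-01-25T19:00:02Z", "203.0.113.3", 40003, "192.0.2.20", 80, "tcp"),
    # benign: a single outbound NTP sync does not reach the peer threshold
    ("2022-01-29T03:30:00Z", "192.0.2.30", 123, "198.51.100.9", 123, "udp"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def analyze(flows, local_cidr, min_peers=3):
    """Return (kind, local_ip, service, distinct_peers, duration_seconds) per suspicious grouping."""
    net = ip_network(local_cidr)
    groups = defaultdict(lambda: {"peers": set(), "first": None, "last": None})
    for ts, src, _sport, dst, dport, proto in flows:
        src_local, dst_local = ip_address(src) in net, ip_address(dst) in net
        if src_local and proto == "udp" and dport in REFLECTOR_PORTS:
            key, peer = ("reflection", src, REFLECTOR_PORTS[dport]), dst
        elif dst_local and proto == "tcp" and dport in FLOOD_PORTS:
            key, peer = ("flood", dst, FLOOD_PORTS[dport]), src
        else:
            continue  # not one of the two patterns described in the analysis
        g, t = groups[key], _ts(ts)
        g["peers"].add(peer)
        g["first"] = t if g["first"] is None or t < g["first"] else g["first"]
        g["last"] = t if g["last"] is None or t > g["last"] else g["last"]
    findings = []
    for (kind, ip, svc), g in sorted(groups.items()):
        if len(g["peers"]) >= min_peers:  # many distinct peers distinguishes an attack from normal use
            findings.append((kind, ip, svc, len(g["peers"]), int((g["last"] - g["first"]).total_seconds())))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_FLOWS, "192.0.2.0/24"):
        print(finding)
```

On real flow exports the min_peers threshold should be set from a baseline such as the December 2021 snapshot in Figure 7, since a handful of outbound NTP or ARMS sessions is ordinary traffic.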
This blog has highlighted three significant DDoS attacks against the DPRK internet, providing context to reported outages during January 2022. Each attack was distinct, with a varying scope and attack methodology.
As a technical analysis, this blog does not attempt to attribute the attacks to particular actor(s), but is intended to support the understanding of the ‘internet outages’ first referenced at the beginning of this analysis. Notably, the DDoS attack on 29 January 2022 does not appear to be a remnant of the DDoS attack which took place a few days earlier. These attacks may be indicative of a more concerted effort to disrupt the public North Korean internet at times of critical events; however, copycat behaviour cannot be ruled out.
For comparison purposes, Figure 7 provides a snapshot of all observed inbound and outbound network telemetry data for 126.96.36.199/22, covering the month of December 2021.
Figure 7: Network Telemetry Data (December 2021) for 188.8.131.52/22