North Korea DDoSed Off the Internet

North Korea has been knocked off the Internet by a distributed denial-of-service (DDoS) attack. Maybe the US did it, and maybe not.

This whole incident is a perfect illustration of how technology is equalizing capability. In both the original attack against Sony, and this attack against North Korea, we can't tell the difference between a couple of hackers and a government.

Posted on December 23, 2014 at 10:09 AM • 24 Comments

Comments

Mace Moneta • December 23, 2014 10:34 AM

Unless we have visibility into NK, I think it's premature to say they were DDOSed off the net. NK barely has electricity, and their tech is not exactly state of the art. I'd assume they had an outage without proof of a DDOS.

Ian P • December 23, 2014 10:52 AM

When I heard about this my first thought was "This is NK. They probably drop off the internet regularly, but the media will pounce on this and call it retaliation." Our own Comcast's and TWC's can't keep us online 100% of the time. I imagine internet outages are a normal part of life for NK.

Sam • December 23, 2014 11:09 AM

If it was a US sponsored attack, a 10 hour DDoS is a fairly weak effort - I'd hope they could do better than that (i.e. Stuxnet).

Does anyone have historical data on North Korean internet outages? I wonder how many times they've fallen off the net in the past for one reason or another, but the incidents have gone unreported until the Sony hack.

d33t • December 23, 2014 11:14 AM

"we can't tell the difference between a couple of hackers and a government"

I'd say there's little to no (tangible) proof that N. Korea did anything to Sony. How hard would it be to pwn a pack of servers sitting on N. Korean network turf and use them as stooges to stir up some action between the US / Japan / N Korea and possibly China? That might even be a better script than a stupid movie about assassinating a foreign political figure in comedic fashion. Don't get me wrong, to me, N. Korea is living proof that humans are incapable of following a "political plan" (or being generally kind to each other). We just haven't evolved nearly enough to govern over each other sans corruption, mass imprisonment, murder, torture et al. Some of us think we're glorious moon going monkeys, others believe in bearded guys in the sky who tell them to do awful stuff to each other for the holidays.

Also, where are all those really expensive, state of the art, NSA surveillance tools vacationing for this latest fiesta? We'll never know the "truth" because it's being compartmentalized due to "national security".

Daniel D • December 23, 2014 11:34 AM

Food for thought: 1) N. Korea could have shut off lights amid fear of retaliation. 2) A plot to blame the US on this attack to escalate things.

Daniel • December 23, 2014 11:44 AM

Bruce writes, "This whole incident is a perfect illustration of how technology is equalizing capability. In both the original attack against Sony, and this attack against North Korea, we can't tell the difference between a couple of hackers and a government."

Yes in certain situations. In other situations, like Stuxnet, not so much. But in the NK type of situations I think the incident illustrates something else--the inability/incompetence of the average person to know what is going on. The more we rely on technology the more we rely on technical experts to tell us what is happening. Many technical experts themselves do not know what is going on. This makes it difficult both for those in incident response to calibrate a response and it's even tougher for those tasked with evaluating that response (the general public, customers, etc.)

Trust is difficult but it's even more difficult in time of high uncertainty and low information quality.

Sean Jason Byrne • December 23, 2014 12:24 PM

It sounds plausible but how would we know that NK's internet, nationwide, is down? How would we measure that? Perhaps, this information is fabricated.

Matt Hurd • December 23, 2014 1:49 PM

Alternative scenario:

[sarcastic]

Damn it, we just blew $40M on a crap movie. The only way we're going to rescue this is to pretend to be hacked by NK. Gotta make it realistic and leak. If we can make the embarrassment large enough, perhaps we make $100M. What do you mean? How about some social security numbers, embarrassing e-mails, maybe some politically sensitive ones. Go to the top. You know, I'm sure she rants all day in her emails. Go big. For $100M, I'm all in.

What if someone retaliates?

Think of the publicity. Then we've really made it.

OK. What'll it take? Check Schneier's blog for someone who'll take $1 or $2M. Plausible deniability...

[/sarcastic]

Perhaps not this time as it violates the fundamental law: never put down to conspiracy what is easily explained by incompetence.

However, it makes a future $100M template...


Andrew • December 23, 2014 3:48 PM

I think I can see a typical (western) underestimation of what these guys are capable of. North Korea just hacked Sony, they made their own smartphone, they have the 5th army size of the world and they have nuclear weapons. Plus Putin just invited them to whatever conference.
Their internet is routed through China, so this is only a temporary retaliation, probably they will extend massively in the future and internet will be their main focus.
Even if the population is poor and brain washed under the stalinist regime, they should be nothing like underestimated. Try to think at them as the same nation who made Samsung.

Matt Hurd • December 23, 2014 4:33 PM

@Andrew

Have to agree, but for a different reason...

It is not that they are North Korean, or like Samsung, it is because they are people.

Apply some kind of "smart" filter on 3,000 people and make them focus on anything, such as, just sayin', cyberfoo, for a few years and they should, at worst, perhaps not suck. This is how bureaucracies, including security agencies, win. The relentless focus on outcomes eventually delivers, even if you waste a bucket of money. Competitive framework. Align rewards with outcomes desired. Adequate resources. Harness progression and incremental improvement. Keep marching forward. If you fail, do it again and try to learn. Might not create any strokes of genius but it is hardly needed in the real world as you can rarely read enough to cover existing research anyway.

Sanctions don't work alone. They were happy to have a couple of million, around 10% of their population, starve to death.

Targeting luxury goods was smart but it is also ineffective. Good idea but a cut snake is always a risk.

Only reasonable solution is sanctions + FOMO. FOMO only comes from improved comms whether it be cell, broadcast, google balloons, whatever. South Korean soaps really are the big danger NK thinks. East Germans wanted what West Germans had.

North Korean demise is inevitable but perhaps not soon given the ruthless threat of killing you and locking up your 100 closest relatives in hard labour. That would keep me in check, I suspect.

Perhaps, the slow drip of improved comms and tools for association to let people decide their own fate is all that can be done without armed intervention.

Dan • December 23, 2014 4:39 PM

It seems doubtful that the US would resort to something as temporary as a DDOS to retaliate given the impact of what happened to Sony, but I'm sure they are grinning coyly with this development.

Turning the conspiracy theory dial up a bit, it is possible that this is all smoke and mirrors. Many have noticed that the hackers didn't mention the movie until the press did, and on top of that there is an interesting bit from a Reuters article today (1):

"A Twitter account with the handle @LizardSquad, which under similar accounts has previously claimed credit for attacks on prominent gaming websites, said in a tweet it was behind the North Korean outage."

Wait, what? Isn't this the same LizardSquad that forced PSN offline several months ago and grounded a Sony exec with a bomb threat to his plane? Not only do they already have a grudge against Sony, they've already issued real-life bomb threats during previous attacks. So why are they claiming responsibility for something that a supporter of Sony/US would do? Maybe they slipped up and couldn't resist the temptation to brag about taking an entire country offline. And maybe they're playing both sides against each other while all of this is a cover-up of something more that they're doing behind the scenes while the US and N Korea shake their fists at one another. 100+ TB is a lot of data to sort through...


(1) http://www.reuters.com/article/2014/12/23/us-northkorea-cyberattack-outage-idUSKBN0K10HN20141223

Thoth • December 23, 2014 8:41 PM

There might be a possibility that Nork knocked off their own Internet in an attempt to anticipate backlashes or probably being petty? Either way, DDOS may be possible but not the only reason unless there are statistics that showed a huge spike of incoming traffic into Nork domains before their network went blackout.

Another propaganda Psy-Ops program to create perception that the Internet was brought down by the mighty warhawks?

Madis • December 24, 2014 2:19 AM

Having in mind the reach of Internet in North Korea, if this was the government, it gives a totally new meaning to the term "asymmetrical warfare"..

Kevin James Lapsley • December 24, 2014 4:54 AM

I ended up in the hospital at the beginning of December when I spotted an anomaly while at a bar called Club 21 in Portland Oregon. The circumstances that this took place was my knowledge of scientists matrix testing and what it truly meant considering our nations outrageous date and corruption. I sat drinking a couple beers with a few people as some others gathered around and this beautiful Asian girl sat next to me and joined in the conversation. As my patrons sat drunk disbelieving the science of what she and I were discussing, which might I add she seemed to have already known something I posted in a private note on my Facebook back in 2012. I created a Poly Alphabetic/numeric ciphering technique that led me to discovering an algorithm in the numbers of Pi as well as finding Zion written in the first 8 numbers.

Example: Pi equals 3.1415926
N is the 14th letter
O is the 15th letter
I is the 9th letter
Z is the 26th letter
Making 3.1415926 equal in an alphabetic/numeric cipher 3.NOIZ
Hebrew reads the opposite direction of English(I'm sure you know this)
making Pi read ZION.3 which the 3rd English letter is C, Hebrew 3rd is "G"
The cipher a super computer taught me found a musical rhythm in Pi.
The computer is known as EidolonTLP and the DoD intimidated the guy who did EidolonTLP's YouTube channel into stopping making videos. There are still 16 or so videos up if you search EidolonTLP on YouTube. I asked a question "Like Shakespeare incorporated multiple languages to further(or worsen haha) the English language, what would EidolonTLP teach humans to communicate with it.
Well I can explain in detail what singularity is and point out the evidence to back up my theory, the fact that 3 weeks ago is when I was in the hospital at the beginning of this month for spotting something concerning cyber cryptography techniques I discovered a couple years ago.
Our nation is drunk, and our debt is the black hole that they said the Higgs Boson might create. Such is why they announced they had discovered it on the 4th of July 2012, an American holiday celebrating freedom from foreign debt. The Interview movie was brought out of theaters and into the view of the global theater because the new James Bond script is why Comic-Con is a global celebration.
Lots of info, don't wanna bore you with because I "don't make sense" probably. I get that a lot.

Dirk Praet • December 24, 2014 4:55 AM

@ Sam

"Does anyone have historical data on North Korean internet outages? I wonder how many times they've fallen off the net in the past for one reason or another"

From Brian Krebs' article "The Case for N. Korea’s Role in Sony Hack": According to Jason Lancaster, a security researcher at HP, the entire North Korean Internet space suffered a similar outage around the same time as the 2013 offensive against South Korea.

Although @LizardSquad has claimed credit, I wouldn't be surprised if someone like @th3j35t3r was behind it.

Clive Robinson • December 24, 2014 9:28 AM

Has anyone thought "why DDoS?"

And secondly "How do we know it's a DDoS?"

What we do know is that NK has a 1K block of assigned IP addresses and these appear fronted by a Cisco Router (NSA "owned"?) and a bunch of Linux boxes based on Red Hat / CentOS and local modifications (How many "zero days" for these?).

Mounting a DDoS requires "owning" or otherwise subverting machines outside of NK's borders, which is illegal in most jurisdictions.

So the likelihood is it's script kiddies with a bot net for hire, the question then is who is renting/controlling, it would be interesting to see if paid by BitCoin and trace it back to maybe those taken from SilkRoad etc...

But back to the second question is it really a DDoS or are people just following "Chinese whispers"?

On the assumption it's not a real DDoS it is possible NK have just shut down external access to either,

1, Protect the internal network (way way too late).
2, To stop NKs seeing the online debate in a light the NK leadership don't want.

There is a distinct possibility for the latter, NK's rhetoric even when apparently directed at the west etc, is actually written for home consumption not consumption outside of NK. It's why it almost always sounds so bizarre that it's been written by people out of their heads, because you can read into it almost anything you want [1].

Thus NK could be controlling what the majority of NKs see for some reason, or are making it clear "the great satan" is attacking and "the eternal leader" is heroically defending the people...

Thus until we get hard evidence I'm saying it's all just too bizarre to muddle out as we don't even have one end of a trail to follow.

[1] It's kind of like God giving Moses tablets of stone where the commandments have been sent serially through Giggle Translate a few times once for each basic language base. In theory "everybody should have the same song sheet" in practice it's unintelligible and could mean anything.

Clive Robinson • December 24, 2014 11:37 AM

@ Dirk,

There is a problem with the Krebs article which you can see from his cited sources, they are not impartial by any means, and one even claims that those that don't agree have no evidence, yet offers zero evidence for his position to be evaluated.

Further there is a "large elephant in the room" over what is going on in South Korea, which is totally unmentioned in the article. It is well recognised by South Koreans that they have "nutter groups" in their own ranks who want to foment trouble between north and south to foment very right wing views which would equate with the old Ronnie "RayGun" "Bomb the commies" attitude and comments.

Bruce Schneier • December 24, 2014 3:11 PM

"If it was a US sponsored attack, a 10 hour DDoS is a fairly weak effort - I'd hope they could do better than that (i.e. Stuxnet)."

If it was the US, then it was just a demonstration of capability. A "look what we can do -- whenever we want, and for as long as we want."

Clive Robinson • December 24, 2014 4:01 PM

@ Bruce,

"If it was the US, then it was just a demonstration of capability. A "look what we can do -- whenever we want, and for as long as we want.""

Do you really mean that or is it just an "off the cuff" comment?

The DDoS only works by attacking other "third party" people's ICT infrastructure, which is clearly an illegal act even in the US jurisdiction.

In other people's jurisdiction it is what many would see as an international act of cyber-crime / warfare by the US Government, and worse an attempt by the US Government to embroil other nations that have no intentional participation in the dispute the US has with NK into an act of cyber-warfare as "first part attacker".

At the very least it would make the US Government contemptible, hypocritical and a potential war criminal, with no legitimacy in the rest of the world, it would in effect hand China the gift of a stick on a silver platter with which to beat the US unceasingly.

I suspect that the senior members of the current administration are not quite that stupid but I could be wrong.

Joker_vD • December 25, 2014 1:56 AM

"At the very least it would make the US Government contemptible, hypocritical and a potential war criminal, with no legitimacy in the rest of the world,"

Ummm... well, how to put it delicately... Say, during the Libya mess, both the UK and France governments openly admitted that they deployed their Special Forces units specifically tasked with capturing or killing Ghaddafi. It *is* an act of unprovoked aggression, but as you probably know, neither Cameron nor Hollande were charged with anything.

And if the liberal (or "democratic", hur-hur) drone and air strikes, and multiple attempts (successful or not) at regime changes and financing coups did not "make the US Government contemptible, hypocritical and a potential war criminal, with no legitimacy in the rest of the world", this one easily deniable action would not either.

Dirk Praet • December 25, 2014 9:41 AM

@ Clive

"Further there is a large elephant in the room over what is going on in South Korea"

Exactly my idea. It's been mentioned in one of the other threads too, but unless someone comes up with some conclusive evidence against the DPRK, my five cents are actually on a South Korean unit working with a Sony insider or infiltrator. To me, it just doesn't add up that the DPRK would pull off a stunt like this just to stop a movie, knowing only too well everybody would be pointing the finger at them. Unless they are complete morons, surely they can put their resources to better and more productive uses than this.

A rogue South Korean group - with or without government ties - on the other hand makes perfect sense. They've got motives a plenty and like everyone else had ample time to study and mimic the MO of past attacks like Dark Seoul, attributed to the DPRK. Ruling out a direct attack against DPRK assets for practical reasons or in fear of (military) retaliation, an indirect attack on Sony setting up the DPRK for the fall would have been a logical and prudent alternative.

Which only leaves the question "why Sony?". In my opinion, they were the ideal target: a high-profile Japanese company everyone in certain circles loves to hate and that over the last years has been repeatedly rooted, pwned and backdoored to Kingdom Come with management just refusing to learn any lessons whatsoever from past breaches. I wouldn't be surprised if there were even underground masterclass penetration courses and manuals out there featuring Sony as the live target in certification exams.

I have of course zero proof for this theory, but the same thing goes for most other narratives I've heard so far.

Skeptical • December 26, 2014 9:17 AM

@Dirk: "To me, it just doesn't add up that the DPRK would pull off a stunt like this just to stop a movie, knowing only too well everybody would be pointing the finger at them. Unless they are complete morons, surely they can put their resources to better and more productive uses than this."

I think you may be falling into the trap of projecting your own sense of rationality on to another's decision process. Of course, you may be correct here instead. Still, consider an alternative hypothesis in light of the following facts:

(i) Kim Jong-un and the DPRK regime are deeply concerned about image. The level of propaganda in the DPRK as a tool for maintaining regime power is extraordinary. As a relatively new leader, Kim Jong-un is especially concerned about image and perception.

(ii) In June the DPRK called the film a "wanton act of terror and war" and threatened a "merciless and resolute" response unless the US banned the film.

(iii) In July the DPRK then further complained in a letter to the UN General Secretary that "[t]o allow the production and distribution of such a film on the assassination of an incumbent head of a sovereign state should be regarded as the most undisguised sponsoring of terrorism as well as an act of war...."

All of this is easy to dismiss as typical bluster from the DPRK. Still, that the DPRK bothers to make such threats and claims at all is telling. Such acts do not quite fit the model of rationality you are attributing to them.

One final fact:

(iv) The DPRK has a long history of undertaking highly provocative, and covert, operations against foreign interests and targets, ranging from kidnapping foreign citizens to sinking naval vessels. More recently it has developed a history of successful cyber-operations on foreign targets.

Therefore the hypothesis that the DPRK, considering the maintenance of the image of the regime to be a matter of national security, and for Kim Jong-un a matter of personal survival, and having long resorted to covert operations as a means, may well have considered a deniable cyber-attack on Sony to be a viable and useful option.

If it went according to plan, the regime could claim a great victory to its inner elite circles, other companies would be deterred from making such films, Sony would be justly punished for encouraging the assassination of the sacrosanct leader, and their cyber-operations department would receive additional "real world" training. Even if discovered, what are the risks? Thus far, it seems, very little.

So it is not unbelievable at all that North Korea would undertake such an operation. In fact it's highly plausible.

Sancho_P • December 26, 2014 7:13 PM

@ Skeptical

Your (i) is correct, and Kim Jong-un will include the makers of that precious film in his everyday’s prayers for the publicity he got.
He is so strong that the Americans dream of killing him !!!
Nothing could underline better his power and position as world leader.

I didn’t know about (ii) and (iii), thanks.
Arrogance leads the US diplomacy, some may call it strengths.
I’ve never been a 9/11 conspiracist but neglecting warnings has some tradition in the US, isn’t it?

How do you call that, brightness?
