North Korea’s internet connections to China and India come under scrutiny

Recorded Future's findings of "a near absence of malicious cyber activity" from within North Korea itself support the longstanding assumption that Pyongyang conducts cyber-operations from outside its own borders.

New analysis of recent North Korean internet traffic reveals that the reclusive regime is most likely carrying out its cyber-operations via the networks of other countries across Asia, Oceania and Africa.

The report released Tuesday by threat intelligence firm Recorded Future finds fast-growing internet usage in North Korea that in many ways mirrors what people do online elsewhere: North Koreans who have internet access use it for social media, to stream video, to play video games and to shop. But “a near absence of malicious cyber activity” from within North Korea itself supports the longstanding assumption that Pyongyang conducts cyber-operations from outside its own borders, researchers concluded.

Another key piece of evidence that Recorded Future found in the data, which was collected by the nonprofit Internet security research group Team Cymru: above-average activity from North Korea’s internet to notable points in a handful of foreign countries, including China and India. The data was gathered from April 1 to July 6 on internet address blocks believed to be used by North Koreans.

The regime’s activities online are well-known, but the digital pathways for that activity have been less well-known. North Korea conducts extensive state-backed criminal and espionage operations both outside and inside cyberspace as a way to support a government that struggles under international sanctions. The Pyongyang-backed collective known as Lazarus Group stole $81 million in 2016, for instance, as part of a greater campaign. Stephan Haggard, visiting fellow at the Peterson Institute of International Economics, told CyberScoop that he estimated 10 to 15 percent of North Korea’s foreign exchange earnings — several hundred million dollars per year — come through dynamic and global illicit activity.


As might be expected, Recorded Future found solid links to China, a nation that has always been North Korea’s primary benefactor. About 10 percent of all North Korean internet activity observed involved its friendly neighbor. North Korean operators are known to work in China, including co-owning a hotel in Shenyang from which cyber-operators have worked.

“Grooming prodigies, deploying them, setting up internet, buying programs, and providing conditions for them to operate in China or another third country is considerably cheaper than buying new weapons or fighter jets which cost hundreds of millions of dollars,” according to a North Korean defector interviewed in 2011.

Recorded Future researchers saw exceptional traffic between North Korea and India as well, concluding “it is clear that North Korea has a broad physical and virtual presence in India” because “the data we analyzed supports the reports of increasingly close diplomatic and trade relationship between India and North Korea.” Almost 20 percent of all North Korean internet activity observed from April to July involved India.

The researchers say they saw suspicious but ultimately unclear cyber-activity involving the Indian Space Research Organization’s National Remote Sensing Centre and the Indian National Metallurgical Laboratory.

Above-average North Korean internet activity to and from New Zealand, Malaysia, Nepal, Kenya, Mozambique, and Indonesia also raised alarms especially because the traffic went to “many local resources, news outlets, and governments, which was uncharacteristic of North Korean activity in other nations,” according to the report.


Some of the activity raises questions about North Korean work with “at least seven universities around [India]” and possible additional work “with several research institutes and government departments.” In large part this is no secret: India’s government describes their relationship with North Korea with words like “friendship, cooperation, and understanding,” a stark difference from the fast-rising tension that characterizes the current Washington-Pyongyang link.

Bitcoin mining in North Korea skyrocketed on May 17, according to the data set, just shortly after the global WannaCry ransomware attacks that has been pinned by U.S. intelligence agencies on North Korea. The mining activity went from virtually none to exponential increases with hundreds of coins, each worth thousands of dollars, being mined per day.

“It is not clear who is running the North Korean bitcoin mining operations,” the researchers wrote. “However, given the relatively small number of computers in North Korea coupled with the limited IP space, it is not likely this computationally intensive activity is occurring outside of state control.”

Latest Podcasts