Did Vigilantes Knock North Korea Offline?

U.S. cyberspies swear they didn’t take down the Hermit Kingdom’s Internet after the Sony hack. And those spies weren’t the only ones rooting around Pyongyang’s servers.

03.24.15 9:25 AM ET

A variety of hackers—some working for the United States government, others operating independently—attacked and probed key portions of the North Korean Internet after the targeting of Sony Pictures Entertainment last year. Some of these hackers, including U.S. government employees, were acting in retaliation for the Sony attack; others, The Daily Beast has learned, were apparently driven by sheer curiosity about how the Hermit Kingdom’s fragile computer networks are connected to the outside world. And some of those independent actors claim that they are the ones who took North Korea offline.

Sources with knowledge of the U.S. government cyber operations launched against North Korea tell The Daily Beast that they were designed to send a message that North Korean officials weren’t beyond the reach of the American government. That there would be consequences for cyber aggression that damaged American companies.

These sources wouldn’t describe the operations in detail. But the sources insisted that the U.S. government did not cause North Korea’s Internet to crash, pointing to a dramatic collapse of the country’s few, fragile links to the outside world on December 22, 2014, three days after President Obama publicly fingered North Korea as responsible for the Sony intrusion. The Internet blackout led to speculation that the administration had ordered a cyber attack as part of what Obama said would be a “proportional” response to North Korea hacking Sony.

These sources, however, note that the U.S. government activities appeared to be more limited and narrowly focused than actions taken by independent hackers and vigilantes, some of whom claim to have caused massive Internet outages in North Korea in response to the Sony intrusion.

The U.S. may have contributed to some of an initial spate of attacks preceding the blackout, including ones that researchers say were aimed at North Korean government-operated sites and network infrastructure. The country also experienced a 24-hour period of network instability just prior to the blackout that was consistent with an outside cyber attack, according to an analysis by Dyn Research, which monitors global Internet connectivity.

And yes, the U.S. government was launching cyber operations against North Korea during the period before the blackout, according to the sources, who spoke on the condition of anonymity to discuss sensitive intelligence operations. But the takedown itself was not a U.S. government op.

Precisely how North Korea’s Internet went down still hasn’t been fully explained, and publicly, Obama administration officials have neither confirmed nor denied that the government played a role. However, former U.S. intelligence officers who weren’t involved in the North Korean operation said the American government would hesitate to take down the country’s entire network because it would cut intelligence agencies off from the cyber spying they were doing inside North Korea.

A senior U.S. intelligence official recently told The Daily Beast that spying on the country’s networks was mainly to gather information about North Korea’s nuclear weapons program and to get insights into the regime’s thinking. The National Security Agency considers North Korea a priority target and has a unit dedicated to covering it, former officials said. When the country’s Internet connections went down, there was no guarantee that the NSA would still be able to spy on all the same targets when it came back up, they said, another factor that would have argued against deliberately knocking out the country’s Internet access.

There are a number of potential causes for the crash. One intriguing theory making the rounds among U.S. intelligence analysts is that North Korea inadvertently knocked itself offline during a frantic attempt to defend itself during the initial wave of attacks.

But outside actors could have been at work. One group associated with the hacker collective Anonymous claimed credit for the outage on the day it occurred. And another group, calling itself Lizard Squad, which claims to have taken down Sony’s PlayStation network, also celebrated the downing of North Korea’s Internet. Experts have said it would be a relatively easy feat to take the entire country offline given that there are only four routes connecting North Korea to the global network. Researchers tracked floods of traffic directed at North Korea at the time of the shutdown, pointing to a so-called denial of service attack.

Online forums also show that hackers were probing the country’s networks to find out what devices were running on them and sharing information about where the weakness were. Also available on a popular hacker forum in the weeks after the attack: a tool that would allow an experienced practitioner to take over the customized operating system known as RedStar that is widely used in North Korea. One technical expert noted that by the time such exploits are submitted, they have usually been verified to work, and likely have been used.

U.S. officials have been reluctant to confirm any activity by private hackers. But it would have been easy to spot their chatter. In a lengthy Reddit thread, commenters who were examining a series of remote probes and scans that mapped out some of North Korea’s network debated whether it would be illegal for American citizens to launch retaliatory strikes against the country. The group arrived at no consensus, but some commenters speculated that, under the circumstances, the U.S. government might look the other way if someone wanted to disable a North Korean Internet router.

Last week, Rep. Michael McCaul, the Republican chairman of the House Homeland Security Committee, said publicly that “there were some cyber responses to North Korea” following the Sony intrusion, but he didn’t specify whether they U.S. government was behind them or some other group. Asked by Bloomberg whether “the North Korea Internet outage was one of the responses,” McCaul reportedly said yes. McCaul’s spokesperson didn’t respond to several requests from The Daily Beast to clarify McCaul’s statement.

CIA Director John Brennan was asked about the blackout on Fox News Sunday, and he too wouldn’t confirm any U.S. involvement. But he alluded to the relative ease of knocking North Korea offline. 

“There is an [Internet] infrastructure there that is rickety, there are challenges that they face on a technical front. So there are a lot of reasons why the North Korean people and the Internet system out there has problems,” Brennan said. Asked if the United States gave “a little shake to the rickety North Korean system,” Brennan replied that he would not “address anything that we may have done in that instance, and I’m not acknowledging anything at all there.”

Get The Beast In Your Inbox!
By clicking "Subscribe," you agree to have read the Terms of Use and Privacy Policy
Thank You!
You are now subscribed to the Daily Digest and Cheat Sheet. We will not share your email with anyone for any reason

A spokesperson for the NSA referred questions about the blackout to the National Security Council, which declined to comment beyond what officials have already said.

Regardless of who caused the blackout, it almost certainly alerted the North Korean regime to fundamental weaknesses in its cyber infrastructure. A security briefing compiled by Hewlett-Packard noted that a scan of North Korea’s networks in 2014 revealed “dated technology that is potentially susceptible to multiple vulnerabilities…” It wasn’t clear whether the regime had noticed the weaknesses, or had kept certain devices detectable to throw off spies or lure foreign government into hacking infected machines, known as honeypots, the report said.

But given that North Korea’s Internet crashed again in late January of this year, the connections continue to look as rickety as U.S. officials say. And it seems Kim Jong Un can’t keep them up.