Internet, cryptocurrencies & blockchains in North Korea

Introduction

North Korea is considered as a secretive state. Paradoxically, the country is developing last trend technologies.

The scope of this work is related to the development of cryptocurrencies in the context of the DPRK. The report starts with a presentation of the IT sector in North Korea. The second chapter is focused on the development of Internet in North Korea. The two last chapters are dealing with North Korean’s IT attacks and the key organizations driving these issues.

The objectives of this study are to address key issues and critical paths for dangers associated to the bitcoins industry form the perspective of the DPRK. This report can be considered as crucial, as The IT sector in North Korea is a sub-cell of the North Korean economy which was analyzed only by a few western analysts.

1. The IT sector in North Korea

In spite of its secretive nature, the North Korean state proved its interests in ICT already in the 80’s[1]. The first public institution responsible for the development of the access to IT products was the KCC (조선컴퓨터위원회 – Chosŏnk’ŏmp’yut’ŏwiwŏnhoe ). One of its director was Kim Jong Nam (1971-2017), the eldest son of Kim Jong Il. He was appointed over there in the early 90’s. The latest known director is Han U-chol. The most famous North Korea IT product is probably the  Operating System  Red Star (붉은별; – Pulgŭnbyŏl), based on Linux and with a first development stage initiated in 1998 at the previously mentioned North Korean Computer Committee  is a North Korean Linux distribution, with development first starting in 1998 at the KCC. Version 3.0 was released in the summer of 2013, but as of 2014, version 1.0 continues to be more widely used.

To attract foreigners and IT specialists, North Korean authorities organized on a regular basis technological exhibition. The first one took place in 1999. During this event, the main North Korean universities (such as the Kim Il-sung University and the Kim Chaek University of Technology[2]) and public institutions (Pyongyang Information Technology Bureau) are promoting their knowledge and its latest softwares including linguistic translation tools, anti-virus programs and the organization of computer-based painting exhibitions. There are several other institutions which train North Korean hackers such as the University Mirim, the Computer Technology University of Hamheung[3], the Computer Technology University of Pyongyang[4], the Kim Il Sung Military Academy, and the Moranbong University[5].

2. Internet in North Korea

As of 2019, North Korea is known as being the only one in the world that does not grant an open access to its citizens[6]. However, there is an internal Internet in North Korea known as Kwangmyong (광명) providing e-shops, dating websites, news, and a content taken from Internet after the censorship[7]. The Kwangmyong network began to be developed in 1995, and was opened nationwide in 1998. The Kwangmyong network is only available within North Korea.

As stipulated before, there is no private Internet service provider in North Korea. However, some government elites are accessing the Internet via a Chine provider based in China. Thousands of companies and state organizations have intranet addresses. During the three years from 2004 to 2007, North Korea has connected optical cables for intranets to major cities and towns. The data transmission speed in Pyongyang is 70 ~ 80Mbps and the local speed is 10Mbps, which is the level of South Korea in 2000. In 2006 all intranet access at home were blocked and all PC rooms in Pyongyang were closed till 2015[8]. Foreigners have an access to Internet through special devices and the North Korean company Koryolink, however at a prohibitive rate (EUR 0,15 per Mb). This allow foreign reporters based in Pyongyang to wrote tweets in Pyongyang.

In 2010, Korean state organizations registered Twitter, YouTube and Facebook accounts. The majority of them were blocked by the previously mentioned western firms.

Table 2. Number of IP addresses in North Korea

Source: Trading Economics Korea. Data are provided for the period 2008-2015

The number of IP address assigned to North Korea consists of an important source of information as these IP addresses are more noteworthy. For instance, according to the AT&T Consulting company[9], some North Korean IP address are notorious as they were used to control compromised web-servers in a set of 2014/2015 attacks linked to North Korea known as BlackMine[10]. However, it does not mean that we deal with the same people involved in the 2014/2015 attacks.

The access to e-mails is also prohibited to a large extent. It’s impossible from abroad to send an email to North Korea if the receiver didn’t confirm your e-mail address to North Korean authorities. Furthermore, any answers are usually sent within a few days, which is an improvement as a few years ago, foreigner used to wait several weeks before getting any answer. North Korean diplomats have also only a group e-mail. In other words, diplomats attached to an embassy have only one e-mail for all diplomats.

3.    North Korean’s IT attacks

The continuing round of sanctions imposed on North Korea by the UN aims to target some of the country’s main external revenue streams. With prohibitions restricting the flow of money, the country is turning to bitcoin and other cryptocurrencies to finance their programs, instead of coming under new pressure. Moreover, it has been reported that Kim Jong-un’s regime targets cryptocurrency trading in South Korea, with at least three confirmed successful attacks. When attacking bitcoins platforms in South Korea, the Lazarus Group The first cryptocurrency-focused lure appears designed to obtain the emails and passwords of users of South Korean cryptocurrency exchange platforms (for instance from the platform Coinlink).

The most famous attack took place in 2014 and was related to Sony Picture’s hijacking and due to the movie “The Interview”[11]. One year later, the account of the Central Bank of Bangladesh at the Federal Reserve Bank in New York was robbered with USD 80 million. Hackers tried to transfer financial assets to some accounts localized in Sri Lanka and the Philippines. Unfortunately for them, on the 5^th transaction, a mistake was done. Hackers wrote fandation instead of foundation, when they wanted to transfer some funds to an organization called Shalika Foundation. In 2017 due to the spread of the WannaCry virus, european institutions (and especially the Polish Financial Supervision Authority[12]) was hacked. On the same year, in October the Taiwan Far Eastern International Bank was also robbered[13]. During the following years, attacks were more focused on financial institutions in African countries, South Korea, or Vietnam. In march 2019, an Israeli institution was also attacked[14].

On the other side, North Korean authorities decided to participate to the cryptocurrencies market, considering it as a source of foreign currency. The first transactions of bitcoins in North Korea were realized in 2014[15]. In order to improve its image, North Korean authorities organized one Blockchain and Cryptocurrencies conference. The first one was supposed to be held in 2018. This event  called the “Korean International Blockchain Conference,” would take place in Pyongyang from September 27 to October 4. However, it was cancelled. Therefore a new edition was set up for 2019. This 7-days event held from April 18^th till the 25^th of 2019 was organized by the Korean Friendship Association and the consulting firm TokenKey led by the 30 years old Christopher Emms[16]. Emms originally reached out to KFA to help bring the conference to North Korea, following his experience speaking at similar events in other countries in recent years. The seminar attended by more than 100 people from North Korea and abroad took place at the Pyongyang University of Science and Technology[17]. Foreign experts were invited and provided lectures on protocols related to crypto-currencies such as “mining” or blockchain. The panels related to block-chains were screened on the 22&23 April. Other sessions were done under the form of field trip at the Kim Il-sung University, Panmunjom, and at the Daedong River Beer Factory. Participants to the conference visited the War Memorial, the Pyongyang Foreign Language University, the Juche Idea Tower, the city of Kaesong and Panmunjom[18].

According to a report prepared by the UN Security Council, North Korea has managed to extort more than $ 670 million in cryptocurrencies since the beginning of its activities in 2015. 571 million dollars were allegedly stolen directly from Asian cryptocurrency trading platforms during various hacks, such as the Japanese platform Coincheck in January 2018 where 532 million dollars were stolen of the platform Zaïf for $ 60 million. The South Korean e-commerce platform Interpark was also hacked. 10 million personal data were stolen in 2016[19].

4.    The Lazarus organization

North Korean authorities set up a militia dedicated to cyber-attacks to ensure cash flow while circumventing international sanctions. For several years, cyber security experts have identified this group of hackers as Lazarus[20]. The leader of the Lazarus group[21] is supposed to be Park Jin-hyok[22]. Born on the 15 August 1994, he completed his education at the Kim Chaek University of Technology, one of the top IT University of North Korea[23] where he acquired skills in Visual C++. He’s supposed to be an employee of Chosun Expo[24], a North Korean company based in northeastern China, in Dalian, a port city overlooking the gulf of Korea. He was working there between 2010 and 2014. During his malwares operations, he was also known as Kim Hyon-woo.

Sources indicate that he participated to the biggest North Korean hacks such as the WannaCry virus, which has infected hundreds of thousands of computers around the world such as the  hacking of the Central Bank of Bangladesh with a $ 81 million diversion[25]. He’s considered as the leader of the group of hackers Lazarus, responsible for the infiltration of the servers of the Sony Group. He also speaks English and Chinese. The Lazarus Kaspersky Lab estimates that Lazarus[26] has been active since at least 2009 utilizing the MYDOOM worm or and malicious .hwp extension files[27]. “Hwp files” are word processor file written in Hangul, the Korean writing system, used in both Koreas.

It must be also taken in consideration that even if the group of hackers are based in North Korea or at the Kim Il Sung University[28], it does not mean that they are North Korean, as North Korean education structures welcome also foreigner student, especially from China, Russia, and Vietnam.

Table 3. Structure of the Lazarus Group

Source: own research

North Korea specifically targets Southeast Asia, especially since the lifting of sanctions against the country, following the meeting in Hanoi last February between Kim Jong Un and US President Donald Trump, did not work out. Cryptocurrencies stolen by North Korea, such as Bitcoin, Ethereum or XRP, would be used to:

• Fundraising: To meet its cash requirements, North Korea can obtain cryptocurrencies for the purpose of converting them into short-term currency.
• Storing funds: North Korea could accumulate cryptocurrency reserves for the purpose of spending them or converting them into currency at a given time.
• Bypass sanctions: North Korea could use cryptocurrencies to pay for goods, services and resources explicitly prohibited by international sanctions.

In December 2018, IssueMakersLab, a cybersecurity blockchain startup, explained that North Korean hackers had changed their strategy and were attacking crypto-investors directly rather than attacking crypto-exchanges.

The key-market for North Korean hackers remain South Korea as this country hosts some of the world’s largest and richest bitcoin exchange platforms. North Korean hackers try to obtain an access to less-know cryptocurrencies such as Monero, the 14th largest cryptocurrency by value as of 2018. Some studies demonstrated that North Korean hackers infected IT devices to mine Monero owners and send their cryptocurrencies back to North Korea[29]. It’s also possible to use bitcoins in North Korea but to an extent limited to 4 restaurants in Pyongyang[30]. In any case, It is very difficult for North Korea to expand its activities related to virtual currency due to lack of electricity, lack of high-performance computer, and lack of internet infrastructure.

There is a dedicated team of South Korean specialists dedicated to domestic attacks of Lazarus[31].

Unfortunately, according to Jay Rosenberg, a senior security researcher based in North America, who belongs to Kaspersky Lab’s Global Research Analyst Team (GReAT) “North Korea’s cyber capabilities are improving. They will continue to attack in the future using evolved attack techniques.”[32]

Findings

The findings can be summarized as follows.

• To meet its cash requirements, North Korea can obtain cryptocurrencies for the purpose of converting them into real currencies. North Korean authorities use cryptocurrencies to have a viable source of income. Later North Korean authorities may use these cryptocurrencies for trading activities. As of 2019, North Korea has managed to extort more than $ 670 million in cryptocurrencies since the beginning of its activities in 2015.
• Previously, most of this type of attack appeared destined to cause social disruption or covert data, and the targets were usually computer networks of government agencies or media companies in countries considered hostile. In recent years, North Korean pirates seem to be more interested in stealing money. “. Therefore, The strategy of North Korean specialists changed over the year, looking for the weak link. North Korean hackers are attacking crypto-investors instead of attacking crypto-exchanges or platforms.
• We recommend to less advanced countries, which are more vulnerable to North Korean attacks, to regulate cryptocurrency platforms, and imposing anti-money laundering and anti-terrorist financing standards.
• Although, according to the document, cryptocurrencies are likely to play only a peripheral role in general fundraising and tax evasion activities in North Korea, the authors indicate, however, that better coordination between the different countries in the region would make them less vulnerable to attacks by Kim Jong Un. It’s especially important in the context of South-East Asia, where the cryptocurrency sector is booming. Fortunately, Singapore is the most advanced country in regulating and regulating cryptocurrency platforms and shall play a role of mentor for less advanced countries such as Malaysia, the Philippines and Thailand, which are vulnerable to North Korean attacks.
• Westerners who participate to the development of the bitcoin/blockchain industry in North Korean are young ventures people. We can’t blame them of the development of hacking industry in North Korea.
• We have no information whether the Lazarus group consists only of North Korean workers.

Definitions

Blockchain: The blockchain is a technology of storage and transmission of information, and functioning without a central control body. By extension, a blockchain is a database that contains the history of all the exchanges made between its users since its creation. This database is secure and distributed: it is shared by its different users, without intermediaries, which allows everyone to check the validity of the chain.

Cryptocurrency: Cryptocurrency or cryptographic currency is a 100% electronic and magnetic currency. Its value is the same as the currencies we use on a daily basis but it is virtual. The cryptocurrency was created based on the computer technology called blockchain.

Publikacja powstała dzięki wsparciu finansowemu Centrum Studiów Polska-Azja. 

This material can be found in Quarterly Boym – No. 1/2019

Nicolas Levi Analyst on North and South Korea. He is an assistant professor at the Institute of Mediterranean and Oriental Cultures of the Polish Academy of Sciences. Author of 7 books, more than 20 academic articles, and over 50 analytical reports on the Korean Peninsula, Poland, and related issues. He conducts lectures at top universities in Poland and abroad.