clock menu more-arrow no yes mobile

Filed under:

North Korea's Internet Connections Disrupted, May Be Under Attack

A "usually stable" network has been "under duress" since Sunday.

Internet connections into the isolated nation of North Korea are showing what researchers call “signs of distress,” which could indicate they are under some kind of cyber attack.

Analysts at DYN Research, a New Hampshire-based firm that tracks the health of the Internet’s underlying infrastructure, says the firm has monitored some disruptions to the flow of Internet traffic into the country since early Sunday.

Doug Madory, the firm’s lead analyst, told Re/code that connections that are typically solid have experienced ongoing and persistent disruptions, the source of which remains unknown.

“They’re pretty stable networks normally,” Madory said. “In the last 24 hours or so, the networks in North Korea are under some kind of duress, but I can’t tell you exactly what’s causing it.” Possible reasons include an attack by another nation or third-party hackers, he said, but also things like power outages and network maintenance. “There’s no way to confirm that these outages are the result of an attack, but given the timing, it’s something we have to consider,” he said.

The disruption comes on the heels of the accusations by the FBI implicating North Korea for a devastating hacking attack against Sony Pictures Entertainment. The attack first came to light on Nov. 24, and may have been motivated by a Sony-made motion picture comedy, “The Interview,” which concerns a CIA-backed assassination attempt on the life of North Korean leader Kim Jong-un.

On Friday President Obama said that the U.S. would respond to the attack against Sony “at a time and place of our choosing,” but declined to elaborate.

Madory said that under normal circumstances, the North Korean networks, like those of any other country, steadily announce their availability to the wider Internet. Since Sunday those announcements have been disrupted, consistent with the Internet routers responsible for coordinating the country’s traffic going offline. “It sometimes goes down for a little while and then comes back,” Madory said. “This has been recurring and constant and is definitely outside the norm.”

The disruption recalls an incident in 2013 in which North Korean networks were thought to be under attack in retaliation for the “Dark Seoul” attacks against South Korea. In the Dark Seoul incident, networks of three South Korean TV broadcasters and three of its banks were crippled; South Korea blamed North Korea for that attack. But when North Korea’s networks were under attack, that country officially blamed the U.S.

The thing about North Korea’s Internet is that it barely exists at all. The country has only one Internet provider supplying it with outside links, known as Star JV. It’s a joint venture between North Korea’s Post and Telecommunications Corporation and a Thailand-based firm called Loxley Pacific, DYN Research says. Star gets its connectivity from China Unicom and Intelsat.

Whether it’s an attack or not, given North Korea’s isolation, it’s hard to know how disruptive an Internet outage might be to its society. Last year the magazine Foreign Policy sought to count how many people might have access to it, and estimates ranged from a few dozen, to about 1,000 people on the outside. Most are believed to be members of Kim’s inner circle or foreigners. For others, there’s a strictly controlled domestic intranet that looks nothing like the Internet we’re accustomed to.

Update: Arbor Networks, a security research firm, is also monitoring the network disruption in North Korea. Dan Holden, the firm’s director of security research said he’s been monitoring what he said appears to be attacks against North Korea’s domain name routing servers or DNS servers.

The method is similar to attacks used against Sony’s PlayStation Network and Microsoft’s Xbox network. The attackers, he said, appear to be using the Internet’s time servers to launch anonymous denial of service attacks against North Korea’s DNS machines. DNS servers act like a global telephone directory correlating Internet domain names to numerical IP addresses, making them an essential part of the Internet. Disrupting their operation makes sites that rely on those DNS servers invisible on the Internet.

“The technique is highly effective, it’s anonymous and it’s not hard to do,” Holden said. “Traffic from the time servers is being reflected to North Korea’s DNS servers.

The White House had no immediate comment on the network disruptions.

This article originally appeared on