Security Researcher Takes Down North Korea's Internet

In cyber security, when North Korea is in the headlines, it is generally as the attacker: stealing vast sums of money or cryptocurrency and developing new malware strains and toolsets that keep security researchers busy. Put differently, North Korean hackers are highly skilled at making a nuisance of themselves and tend to dish out the punishment.

Now they have been on the receiving end of an attack. The hermit kingdom has been suffering from Internet outages seemingly caused by state-sponsored attackers. It is easy to say they have just received a taste of their own medicine, but as with many things, the truth can be far stranger than fiction.

The Internet outages, caused by Distributed Denial of Service (DDoS) attacks, seemed to be a response to recent missile tests conducted by North Korea. Those tracking North Korea discovered the Internet outages and chalked them up to South Korean state-sponsored groups responding to their northern neighbor's saber-rattling.

This is a logical assumption given the current geopolitical climate, summarised neatly by Choe Sang-Hun, writing for the New York Times. Sang-Hun notes,

“North Korea fired two short-range ballistic missiles off its east coast on Thursday in its sixth missile test this month, the South Korean military said. North Korea began the year with a spate of missile tests, raising tensions at a sensitive time: China is gearing up to host the Winter Olympics in Beijing next month, and South Korea is preparing for its presidential election on March 9. The latest launch came two days after North Korea fired what South Korean defense officials said were two cruise missiles.”

Further, South Korean cyber retaliation is not without precedent. In March 2020, Wired reported that an elite spy group made use of five vulnerabilities to attack North Korean cyberinfrastructure. At the time it was strongly believed that South Korean state-sponsored groups were responsible for the attack. The article stated,

“South Koreans spying on a northern adversary that frequently threatens to launch missiles across the border is not unexpected. But the country's ability to use five zero days in a single spy campaign within a year represents a surprising level of sophistication and resources. "Finding this many zero-day exploits from the same actor in a relatively short time frame is rare," writes Google TAG researcher Toni Gidwani in the company's blog post. "The majority of targets we observed were from North Korea or individuals who worked on North Korea-related issues." In a follow-up email, Google clarified that a subset of the victims were not merely from North Korea, but in the country—suggesting that these targets weren't North Korean defectors, whom the North Korean regime frequently targets.”

P4x Responsible

Assuming South Korea may have had a hand in the DDoS attacks certainly seemed a reasonable answer to the question of responsibility. However, according to a recent article published by Wired, the responsible party was a single individual based in North America.

The individual in question has claimed responsibility for taking out websites associated with North Korea’s Air Koryo airline and Naenara, a page that serves as the official portal for dictator Kim Jong-un's government.

Further, at least one of the central routers that allow access to the country's networks appeared at one point to be paralyzed, crippling the Hermit Kingdom's digital connections to the outside world. Wired describes the responsible individual as,

“In fact, it was the work of one American man in a T-shirt, pajama pants, and slippers, sitting in his living room night after night, watching Alien movies and eating spicy corn snacks—and periodically walking over to his home office to check on the progress of the programs he was running to disrupt the internet of an entire country.”

The individual, who goes by the moniker P4x so as not to be identified for fear of reprisals or legal action, attacked in retaliation. According to P4x, several security researchers were being targeted by North Korean state-sponsored threat actors. North American security researchers were being targeted to steal their hacking tools and possibly details about software vulnerabilities that can be readily exploited.

He says he managed to prevent those hackers from swiping anything of value from him, but nonetheless felt deeply unnerved by state-sponsored hackers targeting him personally. To make matters worse, P4x was stunned by the lack of any visible response from the US government.

Given some time, a response by US authorities was still not forthcoming and P4x decided to take matters into his own hands. Soon the security researcher discovered several vulnerabilities within North Korean online infrastructure. These vulnerabilities would be exploited to conduct DDoS attacks on the hermit kingdom's limited outward-facing online presence.

Old vulnerabilities, with available patches, were found: one in the web server software Nginx that mishandles certain HTTP headers, and others in “ancient” versions of the web server software Apache. The Nginx vulnerability, in particular, could be exploited to run scripts that would overwhelm the server's capabilities to deal with traffic requests.

As an added bonus, P4x discovered interesting facts about the nation’s homebrew operating system, Red Star OS, which he describes as an old and possibly vulnerable version of Linux.

Questions have been raised as to how effective the hacks will be in preventing further attacks on North American security researchers as many of North Korea’s top hacking groups operate outside of North Korea, in China, for example. P4x contends that the aim of the attacks was to target the North Korean government and not its people.

This is, in a sense, a success, as few of the hermit kingdom’s citizenry have access to an Internet connection that connects to the outside world.

That said, P4x has started a hacktivist collective called FUNK, standing for FU North Korea, that should be able to bring more firepower to bear and possibly target the main offenders carrying out North Korea’s extensive cyber operations.

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.
