North Korea’s internet elite has abandoned Facebook, Google and Instagram for Chinese alternatives in just six months
Last July, I wrote a piece based on some fascinating analysis from Recorded Future about how the 0.1% elite North Koreans with access to an unfiltered internet use the net. While the vast majority of the country’s 25 million population are limited to fewer pages than were created for Grand Theft Auto V, those with access to the unfiltered web used it in much the same way we do: social media, streaming video and online gaming – with a special fondness for World of Tanks.
But the follow-up report from Recorded Future, published today, reveals a sea change in behaviour. In the six months after the initial report was released, the researchers found North Koreans all but abandoning western websites, and moving wholesale to Chinese alternatives. In short, Facebook, Amazon, Instagram and Google were out, while Alibaba, Tencent and Baidu were in. Facebook went from having more than double the daily usage of its Chinese counterparts to barely registering on the graph.
“The change in social media activity is likely a combination of factors,” the paper’s author, former NSA analyst Priscilla Moriuchi, tells me. “First, North Korea has had a policy banning use of Facebook and other social media services intermittently since 2016. It is possible they have just begun to enforce that ban more broadly.
“Second, this is part of a broader overall movement enhancing internet security and secrecy by North Korean leaders. Chinese services are much less likely to be used or monitored by western governments and enable North Korean leaders to still engage in modern social media culture without concerns over western monitoring.”
And yes, this sudden crackdown could have been triggered by the wide publication of the last report – possibly spooking the North Korean government. “Media scrutiny and research on North Koreans’ access to information and digital media has intensified since last year and given leadership’s ease and comfort on the global internet, it is likely they have seen some of that reporting,” says Moriuchi. “Additionally, the means necessary to increase security and ‘cover your tracks’ online are increasingly easy and cheap to use. Standard VPN [Virtual Private Network] services can cost as little as a few US dollars a month and implementation of these services is easy even for a novice user.”
That analysis certainly seems to match the data. Over the course of just six months, use of Tor, VPN, VPS (Virtual Private Servers) and TLS (Transport Layer Security) shot up by 1,200%.
These attempts at obfuscation, North Korean officials will be disappointed to read, have not proved entirely successful. Indeed, alongside the comprehensive analysis of how citizens are using the unfiltered internet, there’s also information on how they’re using it to raise money for the nation. Previously, North Korean nationals were basing themselves in other countries (India, China, Malaysia, New Zealand, Nepal, Kenya, Mozambique and Indonesia) for cyber attacks, and now Recorded Future has two additional countries to add to the list: Thailand and Bangladesh.
The countries that host these North Korean expats raising money for their homeland may be completely unaware of their presence or activities, Moriuchi insists. “Some governments, like New Zealand, have suspended visas for North Korean citizens, and others may take no action at all,” she adds. “It is really very individualised and depends upon the nation.”
Cybercrime is just one way in which North Korean citizens earn money abroad. As the report explains, defectors have previously revealed how making counterfeit video games and bots to steal in-game items earns a healthy crust to send back home to the Kim regime. One such defector explained that each operative was expected to earn nearly $100,000 per year, with 80% being sent back home.
I ask Moriuchi why they would take this approach when off-the-shelf ransomware would likely be easier and more profitable. Once again the answer is secrecy: “Ransomware attacks can be monitored and traced, and require the attackers to interface with the victims if they are to be successful,” she explains, adding that there’s an expectation that ransoms paid will result in the decryption of files. “This is a much riskier method to raise funds than counterfeiting software or creating bots.”
The games played by the North Korean elite, the report posits, may provide insights into which games North Korean hackers abroad are likely targeting. World of Tanks seems to have fallen completely off the list, but other popular titles include 0AD: Empires Ascendant, Ace of Spades, Quake, The Marathon trilogy games, Armed Assault 1-3, World of Warcraft, Cube 2, Diablo 2, League of Legends, Second Life and various games on Steam.
One final element of interest in the report: while North Korea has always seen Bitcoin as a valuable way of raising money, in January the country turned its attention to Monero as well. Why? “It is most likely that the North Koreans have chosen to use Monero because it is one of the few widely-utilised and truly anonymous digital currencies,” Moriuchi explains. “All transactions are encrypted within the blockchain so that only the sender or receiver of a transaction can discover the other. This is unlike Bitcoin, where transactions tracked in the blockchain contain IP addresses and wallet numbers viewable by anyone.”