North Korea loses its Internet, possibly in retaliation for a hack it may not have done

Update 10pm: North Korea’s Internet was restored after about 9.5 hours, according to Dyn Research.

North Korea’s Internet seems to be completely offline, according to multiple reports — most likely the result of a denial of service attack.

[aditude-amp id="flyingcarpet" targeting='{"env":"staging","page_type":"article","post_id":1630681,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"media,security,","session":"C"}']

The countrywide Internet outage comes the week after the U.S. FBI blamed the isolated nation for hacks directed at Sony Pictures that exposed a series of embarrassing emails. In the wake of the hack, Sony pulled the theatrical release of its upcoming movie The Interview, which the allegedly North Korean hackers had singled out as being particularly offensive. (Spoiler alert: The Interview pokes fun at, and ends with the assassination of, North Korean dictator Kim Jong-un.)

“According to public reports, North Korea’s total bandwidth is 2.5 gigabits per second, with a single Internet Service Provider, STAR-KP, and a single IP range consisting of 1024 addresses,” said Ofer Gayer, a security researcher at Incapsula, in an email. Denial-of-service attacks can often direct 10, 20, or even 100 gigabits per second of data at a target, Gayer noted. “Even if North Korea had ten times their publicly reported bandwidth, bringing down their connection to the Internet would not be difficult from a resource or technical standpoint,” he added.

Dyn Research, a company that helps its clients manage their Internet performance, also noted that North Korea’s Internet is showing signs of a distributed denial-of-service (DDoS) attack, according to the New York Times.

The Times also quoted CloudFlare, which said that the North Korean network was “toast.”

But if it’s clear that North Korea is suffering from a crippling DDoS attack, it’s becoming somewhat less clear that the country was actually the source of the Sony hacks. Even though those hacks seem to be motivated by a sense of outrage at The Interview, and the FBI last week released a statement listing its reasons for fingering North Korea, many experts are now starting to pick apart the FBI’s claim.

“Many leading cybersecurity experts have now challenged [the FBI’s] statement, questioning everything from the code in the malware that was used to the IP evidence and capabilities of North Korean infrastructure,” reports Buzzfeed.

One of the experts cited by Buzzfeed is Jeffrey Carr, who singles out Loxley Pacific, a small Thailand-based company that provides telecommunications services to North Korea. (Note: This may contradict Incapsula’s claim that STAR-KP is the sole ISP for the country.) Carr believes that hackers may have used Loxley as an unwitting conduit into North Korea in order to make it look like the hack came from there.

Buzzfeed also points out that a single 2.5GB connection is hardly enough to exfiltrate terabytes of data from Sony’s corporate network, not without taking an inordinate amount of time and greatly reducing other Internet capabilities within North Korea.

[aditude-amp id="medium1" targeting='{"env":"staging","page_type":"article","post_id":1630681,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"media,security,","session":"C"}']

The actual source of the hack is far less clear, however. If it’s not a North Korean entity, it’s hard to tell who might be motivated to vacuum up terabytes of data from Sony then release it to the world. A competitor, perhaps? Buzzfeed’s sources mention China, Thailand, Russia, and Israel, all without citing any evidence, however.

For now, there’s little more than speculation. One thing’s for sure: Somebody is mad at North Korea — mad enough to cut off its Internet.

https://twitter.com/DynResearch/status/547216085767192577