Not so isolated: North Korea's elite uses Gmail, Facebook and iTunes
By CRAIG TIMBERG, ELLEN NAKASHIMA | The Washington Post | Published: July 25, 2017
Western researchers recently began sifting through troves of North Korean Internet data, looking for activity related to missile launches or malicious cyber activity within the famously isolated country.
What they found instead surprised them.
North Korea's tiny circle of elite families — among the few people in the country with unfettered access to the Internet — turned out to be strikingly like the rest of the world in their digital habits. They use their smartphones to check Gmail, call up their Facebook accounts and browse for goods at Amazon and Alibaba, a Chinese e-commerce company, according to a report to be released Tuesday and provided in advance to The Washington Post.
"These leaders are doing many of the same things that we do when we wake up in the morning," said Priscilla Moriuchi of Recorded Future, a threat intelligence firm that wrote the report. "They're not isolated."
These observations apply to only a tiny sliver of North Koreans because the vast majority of the nation's 25 million people are poor and have no access to the Internet. Even the few who have mobile devices — a number estimated as high as 4 million people — are confined to a heavily censored, government-run national network called Kwangmyong.
But some North Koreans do have direct access to the Internet through universities, select businesses and perhaps the homes of top government or military officials. Whoever they are, 65 percent of their overall Internet traffic was devoted to gaming and streaming online content. Among the most popular streaming services are China's Youku video-hosting service and iTunes.
North Koreans with Internet access have a particular fondness for Baidu, a Chinese search engine and Internet services firm, as well for a multiplayer online game called World of Tanks, the researchers found.
The researchers also found that few of the elites on the Internet in North Korea used virtual private networks or other tools for cloaking the origin of digital activity, although one iPad used a virtual private network "to check a Gmail account, access Google Cloud, check Facebook and MSN accounts, and view adult content," the report found. Other people with Internet access used virtual private networks to make purchases using bitcoin, follow Twitter and upload documents to Dropbox.
"If it's real, it's very interesting because it shows more access from North Koreans to the Internet and more access to information," said technology journalist Martyn Williams, who runs the North Korea Tech website from his home in Northern California.
Recorded Future, based in Somerville, Massachusetts, reached its conclusions by examining data collected by Team Cymru, a nonprofit Internet security research group, between April 1 and July 6 on three sets of Internet address blocks they think are used by North Koreans.
The trove of data probably did not include Internet use by foreign embassies or international groups based in the country, which typically use their own Internet links, the researchers said. But the data may have included some small amount of traffic from foreign journalists or other visitors to the country.
The findings track loosely with other research showing that North Koreans are more plugged in to global information flows than commonly assumed, said Victor D. Cha, a former White House North Korea expert and now a senior adviser to the Center for Strategic and International Studies, a Washington think tank.
He said interviews conducted with people living in the country have revealed alternative sources of information for North Koreans beyond government propaganda, and that people working in professional settings often speak privately of their frustrations with the regime of Kim Jong Un.
"There's a surprising level of awareness of the inadequacies of the government," Cha said.
The report by Recorded Future also shows that North Koreans are reaching the Internet through access available in India, Malaysia, New Zealand, Nepal, Kenya, Mozambique and Indonesia — all countries where North Korea also has at least some small base of operations through government programs, universities or other institutions.
Recorded Future researchers said they saw a "near absence of malicious cyber activity" from the North Korean mainland in the April to July time frame, which indicated to them that the regime is conducting most of its malicious activity from abroad. U.S. intelligence analysts say that North Korea conducts most of its cyber operations from outside the country — primarily in China, but from other countries, such as Malaysia, as well.
That is not to say that North Koreans don't use online resources to communicate about missile launches or unleash cyberattacks, such as the devastating WannaCry ransomware attack in May. The National Security Agency has assessed that the attack was conducted by Pyongyang, although the U.S. government has not publicly blamed the country. But those activities happen on networks beyond the reach of the data set studied by the researchers.
The intelligence analysts say that North Korea's Reconnaissance General Bureau, its military spy agency, has an overseas network of RGB-trained hackers and North Korean workers moonlighting as hackers. China has the single largest network of such hackers, said one analyst, who spoke on the condition of anonymity to discuss sensitive information. Many of these individuals operate in a gray area, as legal software developers abroad who moonlight as hackers for the regime, the U.S. intelligence analysts said.
"North Korean cyber activity abroad presents huge opportunities for the United States to put financial pressure on the regime via third countries to expel cyber actors and to reduce malicious cyber activity," said one U.S. intelligence analyst, speaking on the condition of anonymity to discuss matters not authorized for public comment.