So Who Shut Down North Korea's Internet?

By Ashley Feinberg

Just this past Friday, North Korea's already shaky internet access started to crumble. Over the weekend, things just got worse, and by yesterday morning, the country was in a state of total blackout. Considering that the US just officially blamed North Korea for the Sony hack, and that the US asked China for help in bringing North Korea down, and that North Korea has shoddy internet access in the first place—who's to blame?

Before we can start to point fingers, it helps to know what we're dealing with, which is a lot easier said than done. As Tom Chapman, Director of Cyber Operations Group at EdgeWave, explained to us over email:

For this to be an unplanned internet outage may be too much of a coincidence. That being said, there isn't enough information to definitely say that the outage is a result of a nation-state or hacktivist organisation, although that's certainly a possibility.

Of course, at least with what we know right now, it's impossible to say with absolute certainty who or what is behind North Korea's current outages. But that being said, we can narrow it down to a few likely suspects.

The United States

This is, of course, the conclusion most people will initially jump to. After all, President Obama did promise a "proportional response" just this past Thursday. As for what that response would be, White House officials only went so far as to say that Obama's security team "is considering a range of options" as its means of retaliation. In other words, they're not telling us jack shit.

What's more, the White House made sure to emphasise that the general public might never actually be aware of the "extent" of the government's response. Which is somewhat legitimate given the secretive nature of these types of operations, but also a good way of evading criticism if they do decide that the best option is doing nothing at all. As State Department spokeswoman Marie Harf told reporters just yesterday:

We aren't going to discuss, you know, publicly operational details about the possible response options. As we implement our responses, some will be seen, some may not be seen.

Of course, this type of secrecy does fall in line with similar, past U.S. operations. For instance, the cyberattack on Iran's nuclear enrichment facility dubbed "Olympic Games" has never formally been acknowledged and, according to the New York Times, "the central role played by Mr. Obama did not become clear until the summer of 2012, more than two years after the events." What's more, there are some strategic benefits to keeping quiet. Chapman elaborated:

There are advantages to not taking credit. The US can achieve the same strategic objectives of punishing the North Korean government and demonstrating that there are consequences for tangling with the US in the cyber domain, while at the same time not opening itself up to negative reactions from the global community.

With the previous cyberattacks on Iran, though, we didn't know anything had actually taken place until well after the fact, which would make it odd that the US executed such a blatant manoeuvre this time around. As Dan Holden, Director of Arbor Networks' Security Engineering and Response Team, points out:

I'm quite sure that this is not the work of the U.S. government. Much like a real world strike from the US, you probably wouldn't know about it until it was too late. This is not the modus operandi of any government work.

Still, these are very different circumstances than Iran, which means the US would have to play a very different game.

A Third Party

The other obvious executor of a malicious attack on North Korea is, of course, China. Currently, North Korea's only outlet to the global internet lies in a handful (at most) of fibre optic cables running across the border and into China, where it connects to China's upstream provider, and from there, the rest of the modern world.

And since China is the hermit country's sole gatekeeper when it comes to internet access, the US government has admitted to asking for China's help in actually cutting off North Korean internet access entirely—which it could easily do. The North's internet connection is entirely dependent on the Chinese ISP China Unicom. All it would have to do is switch off the hose that leads to the North, and Kim Jong-Un and co. would be left totally in the dark.

While it's hard to say for certain, at least with what we currently know, Chapman does point to China as being far more likely than some unaffiliated, non-government sponsored group:

In this case, China would be in a good position to create the effects that North Korea experienced because North Korean internet services run through China. To reiterate, we won't know without some public admission by China or the US. It's possible that a non-state sponsored group could be behind the North Korean outage, but my sense is that this chess match is being played on the geo-political level.

What's more, China is purportedly fed up with North Korea's antics. A retired Chinese general recently commented on the fact that "China has cleaned up the DPRK's mess too many times. But it doesn't have to do that in the future." And as the BBC wrote, "this is not the kind of statement published without some sort of approval." Motive? Maybe.

Shoddy Infrastructure

Of course, it's important not to discount that this whole thing could just be one huge coincidence. Because as far as North Korea is concerned, shaky internet is nothing new (at least to the elite few who are lucky enough to have internet access in the first place).

To give you a sense of just how tenuous North Korea's internet connection can be, consider that the country reportedly only has 1,024 IP addresses total. The United States, in comparison, has billions. And while we have various internet service providers that can send and receive data, North Korea has just the one—state-run ISP Star Joint Ventures.

And as Paul Brodsky, a senior analyst at TeleGeography, a telecom research and consulting firm, explained to us over the phone, North Korea is pretty much primed for outages:

From a network reliability, only having one upstream provider is a terrible idea. If anything happens to that one, single link, you're screwed. Of course, this is North Korea we're talking about—the last thing they want is their people to have access to what's going on in the rest of the world. So I suspect their priorities are different than ISPs that actually have customers and want to keep that link as reliable as possible. Either way, this idea of single homing is really just a disaster waiting to happen.

Still, while North Korean internet outages are nothing new, at least according to Arbor Networks, this particular outage does appear to have been caused by a distributed denial of service (DDoS) attack, in which hackers will flood a system with traffic it can't handle, causing the network to ultimately collapse. It's just that in North Korea's case, considering the entirety of the country's internet is already bottlenecked in that one upstream channel to China, the faintest breeze of a DDoS attack would be enough to cause it to topple.


So in the end, all signs point to some combination of all the options. Some sort of government intervention, one probably helped by the North's already easy-to-topple internet. Is it the US working in conjunction with China? That seems to be one of the most viable guesses at this point, especially considering that, this past Sunday, China's Foreign Minister Wang Yi confirmed to John Kerry during a call regarding the recent attacks on Sony that "China opposes all forms of cyberattacks and cyberterrorism." Something it would have picked a bad time to admit unless it didn't mind aligning itself with North Korea's recent outages.

Until something more concrete comes along, though, that's technically all these can be—theories. But if this is a joint Chinese-US venture, that's good news. Because according to Chapman, "There is a theory working its way through the media that the Sony Hack may have been a test run for [North Korea's] cyber group Unit 121." And if that's the case, Sony is just the beginning. Which means as far as countermeasures go, a little DDoS blackout would be just the tip of the iceberg.