
Internet connections into the isolated nation of North Korea are showing what researchers call “signs of distress,” which could indicate they are under some kind of cyber attack.
Analysts at DYN Research, a New Hampshire-based firm that tracks the health of the Internet’s underlying infrastructure, say the firm has monitored some disruptions to the flow of Internet traffic into the country since early Sunday.
Doug Madory, the firm’s lead analyst, told Re/code that connections that are typically solid have experienced ongoing and persistent disruptions, the source of which remains unknown.
“They’re pretty stable networks normally,” Madory said. “In the last 24 hours or so, the networks in North Korea are under some kind of duress, but I can’t tell you exactly what’s causing it.” Possible reasons include an attack by another nation or third-party hackers, he said, but also things like power outages and network maintenance. “There’s no way to confirm that these outages are the result of an attack, but given the timing, it’s something we have to consider,” he said.
The disruption comes on the heels of accusations by the FBI implicating North Korea in a devastating hacking attack against Sony Pictures Entertainment. The attack first came to light on Nov. 24, and may have been motivated by a Sony-made motion picture comedy, “The Interview,” which concerns a CIA-backed assassination attempt on the life of North Korean leader Kim Jong-un.
On Friday President Obama said that the U.S. would respond to the attack against Sony “at a time and place of our choosing,” but declined to elaborate.
Madory said that under normal circumstances, the North Korean networks, like those of any other country, steadily announce their availability to the wider Internet. Since Sunday those announcements have been disrupted, consistent with the Internet routers responsible for coordinating the country’s traffic going offline. “It sometimes goes down for a little while and then comes back,” Madory said. “This has been recurring and constant and is definitely outside the norm.”
The disruption recalls an incident in 2013 in which North Korean networks were thought to be under attack in retaliation for the “Dark Seoul” attacks against South Korea. In the Dark Seoul incident, networks of three South Korean TV broadcasters and three of its banks were crippled; South Korea blamed North Korea for that attack. But when North Korea’s networks were under attack, that country officially blamed the U.S.
The thing about North Korea’s Internet is that it barely exists at all. The country has only one Internet provider supplying it with outside links, known as Star JV. It’s a joint venture between North Korea’s Post and Telecommunications Corporation and a Thailand-based firm called Loxley Pacific, DYN Research says. Star gets its connectivity from China Unicom and Intelsat.
Whether it’s an attack or not, given North Korea’s isolation, it’s hard to know how disruptive an Internet outage might be to its society. Last year the magazine Foreign Policy sought to count how many people might have access to it, and estimates ranged from a few dozen to about 1,000 people on the outside. Most are believed to be members of Kim’s inner circle or foreigners. For others, there’s a strictly controlled domestic intranet that looks nothing like the Internet we’re accustomed to.
Update: Arbor Networks, a security research firm, is also monitoring the network disruption in North Korea. Dan Holden, the firm’s director of security research, said he’s been monitoring what he said appear to be attacks against North Korea’s domain name routing servers, or DNS servers.
The method is similar to attacks used against Sony’s PlayStation Network and Microsoft’s Xbox network. The attackers, he said, appear to be using the Internet’s time servers to launch anonymous denial of service attacks against North Korea’s DNS machines. DNS servers act like a global telephone directory correlating Internet domain names to numerical IP addresses, making them an essential part of the Internet. Disrupting their operation makes sites that rely on those DNS servers invisible on the Internet.
“The technique is highly effective, it’s anonymous and it’s not hard to do,” Holden said. “Traffic from the time servers is being reflected to North Korea’s DNS servers.”
The White House had no immediate comment on the network disruptions.

