Cyber attacks against South Korean organizations have been much in the headlines in recent weeks. With each attempt to crash a web server, phish for private information or infiltrate a computer in South Korea, the country’s government points its finger of blame towards North Korea, but concrete evidence is often thin on the ground.
Investigators will typically try to trace a cyber attack by discovering the IP (Internet protocol) address from which it originated. Every computer on the Internet has such an address and discovering the source address will typically help identify the organization or service provider network from which the attack was launched.
But tracking cyber attacks is a difficult job at the best of times — attackers don’t often use their own machines but those of other people that they control through malware. In some cases they will route traffic through numerous points so it’s difficult to trace all the way back to source, and in other cases will use fake IP addresses to divert attention elsewhere.
Perhaps the North Korean hackers aren’t skilled enough to cover their tracks, so the source IP addresses can be easily caught, maybe they want the source to be clear, or perhaps North Korea is being implicated by hackers in other countries and the South Korean government is a little too eager to blame its neighbor. Without more technical information, it’s impossible to know.
There are two blocks of IP addresses that can be readily identified as North Korean.
The first is a block of 1,024 addresses that was put into use in 2010 by Star Joint Venture, the Internet service provider venture between the state-run Korea Posts and Telecommunications Co. and Thailand’s Loxley Pacific.
This is used to house all the official North Korean websites, such as KCNA, Naenara, the Voice of Korea, and Rodong Sinmun. Computers in North Korea capable of accessing the global Internet, such as those owned by resident foreigners, also use addresses in this range.
The block runs from 18.104.22.168 to 22.214.171.124.
A second, lesser known block of addresses also exists.
It contains 256 addresses and runs from 126.96.36.199 to 188.8.131.52.
Here’s what you get when you query the addresses in the “whois” directory:
inetnum: 184.108.40.206 - 220.127.116.11 netname: KPTC country: CN descr: Customer of CNC admin-c: TC254-AP tech-c: TC254-AP status: ASSIGNED NON-PORTABLE changed: email@example.com 20040803 mnt-by: MAINT-CN-ZM28 source: APNIC
At first glance they appear to be Chinese addresses because they are owned by China Netcom, one of China’s largest Internet service providers. But a closer look reveals they are assigned to a customer called KPTC. That’s Korea Posts and Telecommunications Co., the government-run telco.
The addresses were previously used for several North Korean websites and related Internet services including the Chesin e-mail system. Most of the services have moved to the Star JV addresses, but at least one website still uses the Chinese addresses: Chosun Expo.
They are still in use for other purposes. Scanning sometimes reveals blank or test websites that appear and disappear within a day, and there are at least three routers connected through the addresses behind which there are likely additional PCs.