North Korea’s Chinese IP addresses
Cyber attacks against South Korean organizations have been much in the headlines in recent weeks. With each attempt to crash a web server, phish for private information or infiltrate a computer in South Korea, the country’s government points its finger of blame towards North Korea, but concrete evidence is often thin on the ground.
Investigators will typically try to trace a cyber attack by discovering the IP (Internet protocol) address from which it originated. Every computer on the Internet has such an address and discovering the source address will typically help identify the organization or service provider network from which the attack was launched.
But tracking cyber attacks is a difficult job at the best of times — attackers don’t often use their own machines but those of other people that they control through malware. In some cases they will route traffic through numerous points so it’s difficult to trace all the way back to source, and in other cases will use fake IP addresses to divert attention elsewhere.
Perhaps the North Korean hackers aren’t skilled enough to cover their tracks, so the source IP addresses can be easily caught, maybe they want the source to be clear, or perhaps North Korea is being implicated by hackers in other countries and the South Korean government is a little too eager to blame its neighbor. Without more technical information, it’s impossible to know.
There are two blocks of IP addresses that can be readily identified as North Korean.
The first is a block of 1,024 addresses that was put into use in 2010 by Star Joint Venture, the Internet service provider venture between the state-run Korea Posts and Telecommunications Co. and Thailand’s Loxley Pacific.
This is used to house all the official North Korean websites, such as KCNA, Naenara, the Voice of Korea, and Rodong Sinmun. Computers in North Korea capable of accessing the global Internet, such as those owned by resident foreigners, also use addresses in this range.
The block runs from 188.8.131.52 to 184.108.40.206.
A second, lesser known block of addresses also exists.
It contains 256 addresses and runs from 220.127.116.11 to 18.104.22.168.
Here’s what you get when you query the addresses in the “whois” directory:
inetnum: 22.214.171.124 - 126.96.36.199
netname: KPTC
country: CN
descr: Customer of CNC
admin-c: TC254-AP
tech-c: TC254-AP
status: ASSIGNED NON-PORTABLE
changed: firstname.lastname@example.org 20040803
mnt-by: MAINT-CN-ZM28
source: APNIC
At first glance they appear to be Chinese addresses because they are owned by China Netcom, one of China’s largest Internet service providers. But a closer look reveals they are assigned to a customer called KPTC. That’s Korea Posts and Telecommunications Co., the government-run telco.
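As an added example (not code from the original post), here is a small Python parser for the whois record quoted above. It accepts the record both as normal one-attribute-per-line output and in the flattened one-line form shown on this page, and then pulls out the facts the post reads from it: the registry country, the upstream named in "descr", the customer "netname", and whether the status marks the block as sub-assigned from the upstream's allocation.

```python
"""Parse an APNIC-style whois inetnum record and summarise who holds the block.
Added example for this post, not tooling from the original article."""
import re
from collections import OrderedDict

# The record as quoted in the post (flattened onto one line by the page).
SAMPLE_WHOIS = (
    "inetnum: 22.214.171.124 - 126.96.36.199 netname: KPTC country: CN "
    "descr: Customer of CNC admin-c: TC254-AP tech-c: TC254-AP "
    "status: ASSIGNED NON-PORTABLE changed: firstname.lastname@example.org 20040803 "
    "mnt-by: MAINT-CN-ZM28 source: APNIC"
)

# An RPSL attribute name: lowercase letters/hyphens followed by a colon and
# whitespace, sitting at the start of the text or after whitespace, so that an
# e-mail address or a time such as 10:48 is never mistaken for an attribute.
_ATTR = re.compile(r"(?:(?<=\s)|^)([a-z][a-z-]*):\s*")


def parse_whois(text):
    """Return an ordered dict of attribute -> list of values (RPSL allows repeats)."""
    parts = _ATTR.split(text.strip())
    # parts = [text before the first attribute, key1, value1, key2, value2, ...]
    record = OrderedDict()
    for key, value in zip(parts[1::2], parts[2::2]):
        record.setdefault(key, []).append(value.strip())
    return record


def attribution(record):
    """Summarise the block the way the post reads it: the registry and country
    point at the upstream provider, while netname/descr name the customer."""
    status = record.get("status", [""])[0].upper()
    descr = " ".join(record.get("descr", []))
    upstream = re.search(r"customer of\s+(\S+)", descr, re.I)
    return {
        "range": record["inetnum"][0],
        "registry": record.get("source", ["?"])[0],
        "country": record.get("country", ["?"])[0],
        "netname": record.get("netname", ["?"])[0],
        "upstream": upstream.group(1) if upstream else None,
        # NON-PORTABLE: the space belongs to the upstream's allocation and was
        # sub-assigned, so the customer cannot move it to another provider.
        "sub_assigned": status.startswith("ASSIGNED") and "NON-PORTABLE" in status,
    }


if __name__ == "__main__":
    for key, value in attribution(parse_whois(SAMPLE_WHOIS)).items():
        print(f"{key:>12}: {value}")
```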
The addresses were previously used for several North Korean websites and related Internet services including the Chesin e-mail system. Most of the services have moved to the Star JV addresses, but at least one website still uses the Chinese addresses: Chosun Expo.
They are still in use for other purposes. Scanning sometimes reveals blank or test websites that appear and disappear within a day, and there are at least three routers connected through the addresses behind which there are likely additional PCs.
This entry was posted by Martyn Williams on June 26, 2011 at 10:48, and is filed under Hacking, Internet, Security.