A fresh batch of user names and personal details of people subscribing to North Korean-related websites has been published by hackers. They are the result of weekend attacks on the websites minjok.com and paekdu-hanna.com, two U.S.-based websites.
Links to the information were posted on Twitter by accounts associated with the loosely coordinated hacker group “Anonymous.” The group previously claimed credit for the attacks.
Minjok.com is the site of Minjok Tongshin, which carries Korean and English-language news about North Korea. The English articles are mostly culled from other media. Paekdu-hanna is an associated site that appears to be run by the same group.
Of the two databases, the one for Paekdu Hanna is the larger at around 80 users. There are just 17 account details for Minjok.com.
Just about all of the accounts are from web-based mail service providers like Hotmail, Gmail, Hanmail, Daum and Naver. They include names, birthdates and, in some cases, additional information such as the Internet address used for the last login.
None of the accounts list an address in North Korea’s assigned IP space.
At around 100 users in total, the details are a fraction of those previously released by hackers for Uriminzokkiri.com, the China-based propaganda site with close ties to Pyongyang. When that was attacked, hackers managed to obtain details on roughly 15,000 users.
The DPRK is loudly protesting the preliminary results of a South Korean investigation that found it was behind widespread computer disruption that hit several TV stations and banks on March 20. [Updated, see below.]
The computer attacks wiped clean the hard disk drives of around 48,000 personal computers and servers inside broadcasters KBS, MBC and YTN, and the Shinhan, Nonghyup and Jeju Banks.
In an almost 2,000 word response carried on the state-run KCNA newswire, the main results of the investigation were picked through and discounted. The article, which came a day after Seoul disclosed its findings, was attributed to a spokesman for the General Staff of the Korean People’s Army.
The South Korean investigation concluded Pyongyang’s involvement based on some key points:
The first was the disclosure, apparently in error, of an Internet address being used by a hacker in the weeks before the attacks. The address fell within a batch used exclusively by North Korea and was only visible for a few minutes before being hidden, the report said.
On this — as in much of the reply — the KPA spokesman demonstrates a working knowledge of how computer hackers operate.
“It is a common method used by hackers to hide themselves to abuse other’s IP address or fake it up on open internet for hacking. The group claims that a few records of IP addresses by which accesses were made to south Korean computer networks prove that the case was the ‘north’s work.’ This cannot be construed otherwise than evidence of ignorance of how cyber warfare is waged,” KCNA reported.
The next piece of evidence came in the form of software code used to mount the attacks. Of 76 pieces of code recorded, roughly a third were identical to code used in previous hacking attempts against South Korea, the government report said.
“This assertion is utterly baseless,” KCNA quoted the spokesman as saying.
The rebuttal then goes on to assert that South Korea doesn’t really understand how hackers operate. If it did, it wouldn’t have come to its conclusions.
“All this goes to clearly prove that what the group claims is nothing but a sinister plot hatched by those hell-bent on the confrontation with fellow countrymen, bereft of even an elementary concept of the cyber warfare,” the spokesman told KCNA.
The response shouldn’t come as a surprise to anyone that watches the peninsula. It was inevitable whether the DPRK was behind the hacking or not.
What’s more interesting perhaps is that it marks the first time the state-run media has commented on the event in a major way. On March 20 and in the days after, the North Korean government didn’t mention the attacks. Perhaps that’s because this time, unlike after previous computer attacks, the South Korean government didn’t immediately assign blame to the DPRK. But plenty of others in Seoul were pointing their fingers towards Pyongyang.
For whatever reason, North Korea decided to speak up only after the government made its allegations.
Here’s what Voice of Korea, the DPRK’s international radio station, had to say about the report:
The Broadcasting Board of Governors disclosed the plan in its annual budget request, which was published on Wednesday.
The plan, if realized, could mean a substantially stronger and more reliable signal for the two stations, but is likely to attract jamming by North Korean authorities.
The BBG is seeking to construct a new medium wave transmitter in South Korea. This transmitter, optimally situated in a location near the border with North Korea, would be capable of sending a strong signal that would significantly enhance the BBG’s Korean Services’ capability to reach audiences. — BBG Fiscal Year 2014 Budget Request.
Both Voice of America and Radio Free Asia have broadcast their Korean language services on shortwave for years. Shortwave transmissions can easily cover all of the DPRK, but they are affected by atmospheric conditions so different frequencies need to be used at different times of day and year. They also require a shortwave radio.
In contrast, mediumwave coverage is much less prone to atmospheric interference and changes in a much more predictable way: at night signals bounce off the ionosphere and travel greater distances than during daylight. Mediumwave radios are also much more common.
For these reasons, mediumwave is desirable for broadcasting into North Korea, but getting on air in East Asia can be difficult because of the heavily regulated media scene.
In the last few years, Voice of America and Radio Free Asia have managed to put some of their programs on mediumwave by leasing time on two transmitters: the 1188kHz station of religious station Far East Broadcasting Co. (FEBC) in Seoul and the 648kHz transmitter of Voice of Russia near Vladivostok.
The envisaged new transmitter would probably cover a large portion of North Korea, from the border northwards.
North Korea would likely jam the frequency by deliberately broadcasting noise on the same frequency, but that’s often not completely successful — especially for the dedicated listener.
No further details of the plan were revealed in the budget filing.
BBG did report that radio remains the best way to reach North Koreans with news. The lack of Internet access in the DPRK means there isn’t a viable alternative for fast dissemination of information.
Both Voice of America and Radio Free Asia currently broadcast for five hours per day in Korean, with each retaining its own identity. Their programs are scheduled so that they don’t air at the same time.
VOA kicks off broadcasting at 9pm local time with three hours of programs until midnight. RFA then broadcasts through the night until 4am when VOA comes back on air until 6am. RFA puts out a final hour of programming between 6am and 7am.
At first those might seem like odd hours to be on the air, but foreign radio listening needs to be done in private at home, so nighttime or early morning broadcasts are preferred. Broadcasting overnight has the added benefit that radio wave propagation is generally better during the hours of darkness.
In its budget request, BBG asked for $2.15 million to run Radio Free Asia’s Korean service in the fiscal year, a drop of 2 percent from its current budget. RFA will see budget cuts to all its services in 2014, according to the budget, but those for the Korean service are among the smallest and nowhere near the 28 percent cut to Cambodian services.
The Voice of America budget does not break out the Korean service, but the East Asia and Pacific division in which it’s included will see its proposed 2014 budget unchanged at $33.3 million.
Here’s how the BBG explained the different identities and directions of each station:
In order to help audiences understand U.S. government policies and views, VOA Korean goes directly to key American policymakers on North Korea issues. Through its sources in the Administration, Congress, and the think tank community, VOA Korean consistently provides the latest and most authoritative news and analysis on U.S. policy towards North Korea, in the Korean language. To enhance its capabilities to reach North Koreans, VOA Korean is expanding its partnership with South Korean entities through program placements.
RFA Korean’s strength in surrogate reporting lies in its utilization of North Korean defectors. Working closely with an extensive network of contacts inside the target area and Chinese towns bordering North Korea, RFA Korean uses defectors to add value to broadcast content. The Service’s feature stories highlight the human rights situation both inside and outside North Korea, including in China, where many North Korean refugees stay in hiding. — BBG Fiscal Year 2014 Budget Request.
South Korea’s government has concluded the March 20 cyberattacks that hit three of the country’s TV broadcasters and three of its banks were launched by attackers linked to the North Korean government.
The attacks began at 2pm local time on March 20 and caused the complete deletion of data on hard disk drives in roughly 48,000 personal computers inside broadcasters KBS, MBC and YTN, and the Shinhan, Nonghyup and Jeju Banks.
North Korean hackers were suspected almost immediately although, unusually, the government in Seoul wasn’t quick to point its finger. Officials launched an investigation, and it was the preliminary conclusions of that work that were announced on Wednesday.
The main evidence appears to be the use of several Internet addresses either in North Korea or used in attacks blamed on the country in the past and the re-use of software code from previous attacks.
Yonhap News quoted Lee Seung-won, an official at the Ministry of Science, ICT & Future Planning, as saying, “An analysis of cyber terror access logs, malicious code and North Korean intelligence showed that the attack methods were similar to those used by the North’s Reconnaissance General Bureau, which has led hacking attacks against South Korea.”
The investigation uncovered more than 1,500 intrusions into the local networks of the affected companies from six computers since June 2012, indicating the attack was planned for some time.
Of 76 pieces of malware used in various parts of the attack, a number were seen in attacks tied to North Korea in the past. Yonhap put that number at 18 while AP reported 30.
The attacks came after North Korea suffered almost two days of Internet connectivity problems. While the country came out and blamed the U.S. and its allies for the glitches, it’s still unclear if the problems were the result of a hack or technical problems.
In recent days the country’s handful of websites have come under attack from hackers acting under the umbrella of “Anonymous.” They launched denial of service attacks against several of the most important state-run websites and broke into Uriminzokkiri, a leading North Korean propaganda portal that is based in China. This latter attack included the defacement of several sister websites, intrusion into the site’s Twitter and Flickr channels and the leaking of 15,000 user details.
The “clinical medicine information service system” contains details on 12,000 pharmaceuticals and 154,000 kinds of medicines from more than 50 countries, according to a report carried by Voice of Korea.
“It has also more than 15,000 words for search concerning indications, side-effects and contra-indications so that everyone can freely search information on medicines on their basis,” VOK said in its report.
A 90-second report on the system also made the Tuesday evening TV news (below), but I haven’t seen a KCNA article about it yet.
From the looks of the system in the TV report, it’s based around a software program running on Windows that either runs from a local (likely) or network database. It’s not a fully online service that runs through a browser.
In addition to the publicly-funded outlets, there are several private stations. The editorial balance at the stations differs, although none are pro-regime stations. Some are jammed by North Korea, making reception difficult — but not impossible — inside the country.
Given the right conditions, the broadcasts should be audible across a wide swath of Asia.
All times are UTC and all broadcasts are in Korean unless noted.
== International Broadcasters ==
1200 to 1300 (2100 to 2200 local) on 1,188kHz, 7,225kHz, 9,490kHz and 15,775kHz
1300 to 1500 (2200 to 0000 local) on 1,188kHz, 7,225kHz, 11,935kHz and 15,775kHz
1900 to 2100 (0400 to 0600 local) on 648kHz, 5,900kHz, 6,060kHz and 7,365kHz
1500 to 1700 (0000 to 0200 local) on 648kHz, 5,820kHz, 7,210kHz and 7,455kHz
1700 to 1800 (0200 to 0300 local) on 648kHz, 5,820kHz and 9,975kHz
1800 to 1900 (0300 to 0400 local) on 648kHz and 5,820kHz
2100 to 2200 (0600 to 0700 local) on 648kHz, 7,460kHz, 9,610kHz and 11,945kHz
0400 to 0000 (1300 to 0900 local) on 972kHz and 6,015kHz
1000 to 0400 (1900 to 1300 local) on 1,170kHz
== South Korea to North Korea ==
Free North Korea Radio (자유북한방송)
1430 to 1630 (2330 to 0130 local) on 11,570kHz
Open Radio for North Korea (열린북한방송)
1230 to 1430 (2130 to 2330 local) on 11,550kHz and 15,700kHz
1900 to 1955 (0400 to 0455 local) on 774kHz and 92.3MHz via MBC Chuncheon
2100 to 2200 (0600 to 0700 local) on 7,480kHz
Radio Free Choson (자유조선방송)
1200 to 1400 (2100 to 2300 local) on 11,540kHz and 15,720kHz
2000 to 2100 (0500 to 0600 local) on 7,505kHz
North Korea Reform Radio (북한개혁방송)
1500 to 1600 (0000 to 0100 local) on 7,590kHz
== Japan to North Korea ==
1330 to 1400 (2230 to 2300 local) on 6020kHz via Japan (in Japanese on Mon, Tue, Thu, Fri; Chinese on Wed; English on Sat; Korean on Sun)
1400 to 1430 (2300 to 2330 local) on 6020kHz via Japan (in Korean on Mon, Wed; Japanese on Tue, Thu, Fri, Sun; English on Sat)
2000 to 2030 (0500 to 0530 local) on 6075kHz via Japan (in Japanese on Mon, Tue, Thu, Fri; Chinese on Wed; English on Sat; Korean on Sun)
2030 to 2100 (0530 to 0600 local) on 6075kHz via Japan (in Korean on Mon, Wed; Japanese on Tue, Thu, Fri, Sun; English on Sat)
Furusato no kaze (ふるさとの風)
1330 to 1357 (2230 to 2257 local) on 9950kHz via Taiwan (in Japanese)
1430 to 1500 (2330 to 0000 local) on 9960kHz via Palau (in Japanese)
1600 to 1630 (0100 to 0130 local) on 9780kHz via Taiwan (in Japanese)
Nippon no kaze (日本の風)
1300 to 1330 (2200 to 2230 local) on 9950kHz via Taiwan
1500 to 1530 (0000 to 0030 local) on 9975kHz via Palau
1530 to 1600 (0030 to 0100 local) on 9965kHz via Palau
== Religious ==
1300 to 1330 (2200 to 2230 local) on 17,650kHz (Monday to Saturday)
1300 to 1400 (2200 to 2300 local) on 11,860kHz (Monday to Saturday)
1300 to 1430 (2200 to 2330 local) on 17,650kHz and 11,860kHz (Sunday)
1620 to 1635 (0120 to 0135 local) on 1,188kHz (Friday and Saturday)
1900 to 1930 (0400 to 0430 local) on 1,566kHz (Sunday)
1900 to 2000 (0400 to 0500 local) on 1,566kHz (Tuesday, Thursday)
1900 to 2000 (0400 to 0500 local) on 7,375kHz (Monday to Saturday)
1900 to 2030 (0400 to 0530 local) on 7,375kHz (Sunday)
1600 to 1730 (0100 to 0230 local) on 7,515kHz
Hot on the heels of a series of attacks that have seen its Internet connectivity severely disrupted, the DPRK appears to be adding an additional route through which it links to the global Internet.
The new link began appearing in Internet addressing tables on Monday and connects from Star, the country’s sole Internet service provider, to China Unicom Hong Kong’s network.
Most of the Internet traffic to and from the country already runs over a link from mainland China that is serviced by China Unicom. Almost exactly a year ago, a second connection was added via Intelsat satellite.
The new connection appears to provide a third way for traffic to reach the country, although much is unclear. It’s not immediately clear if it represents a third physical connection or is only happening on the network level, and at present there’s no way to know if it serves as an additional backup or will become an important connection.
Update time: 2013-04-08 03:21 (UTC)
Detected by #peers: 2
Detected prefix: 126.96.36.199/24
Announced by: AS131279 (STAR-KP -- Ryugyong-dong)
Upstream AS: AS10099 (HKUNICOM1-AP China Unicom (Hong Kong) Operations Limited)
Renesys, which specializes in analysis of Internet networking, confirmed it was also seeing a new path via China Unicom Hong Kong to North Korea.
“Trace routes … from providers who have chosen this new route now send their traffic to Unicom in Hong Kong whereas previously they connected elsewhere,” said Doug Madory. A trace route is a plot of each step taken by a data packet between its source and destination.
At first, only about 3 percent of Internet providers that Renesys tracks were using the new link, he said. But as Tuesday progressed in Pyongyang, there were several changes in the route that caused it to go on and off.
The connection links just one of the DPRK’s four blocks of Internet addresses.
The block in question isn’t the one that hosts North Korea’s handful of web servers — the ones that came under denial of service attack in the last few days. But it does host some computers, including an Internet gateway that serves as one of the ways traffic from inside North Korea gets to the rest of the Internet, according to NorthKoreaTech monitoring.
It’s still too early to say anything definitive about this, but its appearance after the denial of service attacks is interesting. We’ll likely be able to conclude more in the coming days.
It marked the first time in the current round of attacks that anyone had managed to break in and deface a North Korean website. Over the last couple of weeks, several sites have been taken offline by denial of service attacks, but such attacks simply impede the website’s ability to serve pages and don’t affect the content.
This time around the attack saw the site removed and its Twitter and Flickr channels accessed. The Flickr channel is back under a new account, it appears Uriminzokkiri still doesn’t have access to its Twitter channel, and the site itself is back online, albeit with some previous content missing.
The site’s YouTube channel apparently wasn’t affected.
Four of Uriminzokkiri’s companion sites were also hit. One, AINDF.com, still displays a poster of Kim Jong Un depicted as a pig, while Ryugyongclip.com, Ryomyong.com and Ournation-school.com are offline.
From an analysis viewpoint, perhaps most interesting were the roughly 15,000 user account details that were also published. They are providing a fascinating profile of the type of people who registered with the site.
The details were released in two batches with the second of around 6,000 names coming on Saturday.
So, what’s next?
Some North Korean sites still appear to be under sporadic denial of service attack.
People posting Twitter messages under the name of Anonymous have been claiming further attacks will take place on April 19, under the name “OpFreeKorea,” and June 25, under the name “OpKoreanWar,” although the former date is being mentioned much less than the latter.
A lot will probably depend on the situation on the Korean peninsula. If tensions continue to rise, expect the attacks to continue. If things fall back to normal, North Korea won’t have such a high profile in news headlines and some attackers are likely to move on to other targets.