North Korea may be using New Zealand as a virtual launching pad for cyber attacks around the world, a new report has suggested.
Foreign Affairs Minister Gerry Brownlee has confirmed the Government is looking into the findings, but says the heightened internet activity is not proof of a New Zealand link to attacks - a view backed by an expert.
The revelation of New Zealand’s potential role in North Korea’s state-sponsored cyber attacks is in a report from threat intelligence firm Recorded Future, based on data from the insular country.
The report says there was a “near absence of malicious cyber activity from the North Korean mainland” between April and July 2017, indicating that most state-sponsored cyber attacks were likely being conducted from abroad.
Instead, it identifies New Zealand as one of eight countries - along with India, Malaysia, Nepal, Kenya, Mozambique, Indonesia, and China - where North Korea has “large and active” presences.
“Our source revealed not only above-average levels of activity to and from these nations, but to many local resources, news outlets, and governments, which was uncharacteristic of North Korean activity in other nations.”
The report states it is “highly likely that North Korea is conducting cyber operations from third-party countries" - implying New Zealand could be among those.
It says the finding is a “significant operational weakness” which could allow Western countries to place pressure on Kim’s regime by limiting the freedom of North Korea’s cyber teams.
Govt unworried - Brownlee
Brownlee said he had asked officials to look into the report’s findings, but believed the activity was more likely to be ordinary North Koreans using “tunnelling apps” such as virtual proxy networks (VPNs) to access the internet.
“If that’s the case it’s a positive sign, because it means that the regime is starting to lose its grip, and it means that there is a significant number of people in North Korea who do not appreciate the compromised life that they have to live under that regime.”
Government agencies kept “a watchful eye” on potential cyber attacks against New Zealand entities, but it was difficult to identify which countries presented specific threats.
“It’s kind of pointless having a list of countries that you want to watch, because as this shows it can be coming from anywhere.”
Asked what work the Government was doing to assess the credibility of the report, Brownlee responded: “We have a very efficient set of capabilities in New Zealand for dealing with this, and I’m not saying anything beyond that...as soon as we've got that information, we’ll then know exactly what the nature of this activity is and we’ll make appropriate decisions on what to do at that time.”
Van Jackson, a senior lecturer in international relations at Victoria University and defence and strategy fellow at the Centre for Strategic Studies, cast similar doubt on the report’s findings, saying while New Zealand may be a country from which North Koreans accessed the internet, it had been “unjustly lumped in” with countries like China involved in hacking.
“The overwhelming majority of tracebacks when you look at the origin of specific attacks, especially DDoS [Distributed Denial of Service] attacks, it comes from China.
“The idea that they’d be launching them from here would be extremely problematic because it would mean there are groups of North Korean hackers in here, and that’s very unlikely, but...there are entire units in China.”
While it was possible that North Korean hackers were leveraging New Zealand servers for their attacks - thanks in part to much of the country’s telecommunications being supplied by China - Jackson said it was not accurate to characterise that as being an attack from New Zealand.
“It’s not quite so easy [to prevent] when you have darknet actors sort of co-opting server space that just happens to be in New Zealand, and they don’t exploit servers that are here on a continuing basis - they jump around from servers around the world that happen to be accessible.”
However, Jackson said the primary concern for New Zealand would be that of the report publicly associating it with North Korean cyber attacks, even though that was not borne out by the facts.
“The entire world is operating foreign policy off of public perceptions right now, and there’s a hardcore pressure campaign from Washington on North Korea, so it’s entirely plausible that this report is going to draw some unwanted attention to New Zealand and pressure from Washington to do something, but it will ultimately fall flat because there’s not much to be done.”
'Not disconnected from the world'
The report also looks at the activities of the slim number of North Korea’s senior leaders and ruling elite with direct access to the worldwide internet.
Recorded Future says the data shows that North Korean leaders “are not disconnected from the world and the consequences of their actions”, with many similarities between their internet use and that of most Westerners.
“Our analysis demonstrates that the limited number of North Korean leaders and ruling elite with access to the internet are much more active and engaged in the world, popular culture, international news, and with contemporary services and technologies than many outside North Korea had previously thought.”
North Koreans spend much of their time online checking social media, searching the web and browsing e-commerce sites like Amazon and Alibaba, while Facebook is the most widely used social network.
Jackson said that was not a surprise, with many North Korean elites either having legitimate access or using VPNs to access the outside world.
“The Korea watcher community was acutely aware that North Korea is far from isolated, economically and digitally...there’s lots of interaction that happens with North Korea, it just pales in comparison to the frequency and depth in interaction that other countries engage in around the world.”