North Korean Web goes dark days after

Obama pledges response to Sony hack

A
South Korean army soldier watches a TV news program showing North Korean leader
Kim Jong Un at the Seoul Railway Station in Seoul, South Korea, Monday, Dec. 22. (Ahn
Young-Joon/AP)

By Cecilia Kang,, Drew Harwell and Brian Fung December

22 at 10:55 PM
North Koreas fledgling Internet access went dark Monday, days after President
Obama promised a proportional response to the nations alleged hack of Sony
Pictures Entertainment. The question of who pulled the plug immediately became the
stuff of a global cyber-mystery.
Was it a shadowy crew of guerrilla hackers, under the flag of Anonymous? A retaliatory
strike from the United States? A betrayal from China, North Koreas top ally and its
Web gatekeeper? Or just a technical glitch or defensive maneuver from the Hermit
Kingdom itself?

On Monday, a State Department official issued a somewhat coy non-denial when asked
about U.S. involvement in North Koreas blackout. The official wouldnt comment on
how the government plans to avenge North Koreas alleged attack on Sony but added,
As we implement our responses, some will be seen, some will not be seen.
The mystery behind North Koreas 9 1/2 -hour outage highlights a paradox of modern
cyberwarfare: As attacks become more prominent, the combatants and their motives
are becoming harder to identify.
This is the standard for espionage: Things are murky. Its not like the movies, where
in the last scene someone ties it all together with one long soliloquy, said James
Lewis, a senior fellow at the Strategic Technologies Program at the Center for Strategic
and International Studies.
North Korea continues to deny that it was responsible for the hack that hobbled Sony,
exposed intimate e-mails from top executives and posted online copies of unreleased
films all efforts in an apparent revenge scheme for The Interview, a comedy about
two goofballs told to assassinate North Korean leader Kim Jong Un. After Obama
accused the country last week and promised retaliation, North Korean officials at first
offered to hold a joint investigation with the United States to find the source of the
attack.
Then Pyongyang warned through its state-owned news agency that it would fight any
retaliation with our toughest counteraction ... against the White House, the Pentagon
and the whole U.S. mainland, the cesspool of terrorism, by far surpassing the
symmetric counteraction declared by Obama.
On Thursday, researchers began to notice an uptick in attacks against North Koreas
Internet infrastructure. Designed to overload servers and Web sites with a flood of fake
traffic, such denial-of-service attacks can render entire networks inoperable.
The next day, a Twitter account affiliated with Anonymous the collective behind

numerous high-profile hacks announced that a counterattack against North Korean

hackers had begun.
Operation RIP North Korea, engaged. #OpRIPNK, tweeted the account known as
@theanonmessage. (That account was suspended by Twitter on Monday over separate
threats it had made to release a sex tape belonging to rapper Iggy Azalea.)
On Monday, a separate group, also claiming links to Anonymous, sought credit for the
outages.
The timing of the two tweets was consistent with statistics tracked by the security
research firm Arbor Networks. On Thursday, the company recorded two denial-ofservice attacks. The next day it saw four. The wave peaked Saturday and Sunday with
5.97 gigabits of data inundating North Koreas pipes every second.
Late Monday, Dyn Research said North Koreas Internet access was restored after a
nine-hour, 31-minute outage.
While it is unclear whether Anonymous played a role in North Koreas downtime, at
least six of the observed denial-of-service attacks originated from the United States,
Arbor Networks said.
But other security experts said hostile code can be adapted from other attacks and
filtered covertly through foreign servers. Even basic cyberattacks can use decoys or
distractions, including hosts of zombie computers or falsified location data, to shake
pursuers off the trail.
The actual work of evidence-gathering and prosecution is so much more difficult in
the digital world than in the biological world, said Alec Ross, a senior fellow at
Columbia Universitys School of International and Public Affairs. Unlike a bullet,
something shot as a cyberweapon can be reused and repurposed. Obfuscation is much
easier, and its much easier to distribute an attack.

Some security analysts noted that North Koreas rudimentary Web pipeline flows
directly through the routers of a company called China Unicom, leading some experts
to speculate that Chinese hackers were responsible for the blackout. China may have
seen the Sony hack as an embarrassing, unauthorized mishap from its small but loud
ally, or thought the friction it sparked with the economies of the United States and
Japan could be too destabilizing to ignore.
It is quite possible that the Chinese are reminding the North Koreans of who really
controls those networks, Ross said.
On Monday, the U.S. envoy to the United Nations called for global partners to hold
North Korea accountable for the hack on Sony as well as longtime human rights
abuses. It is exactly the kind of behavior we have come to expect from a regime that
threatened to take merciless countermeasures against the U.S. over a Hollywood
comedy and has no qualms about holding tens of thousands of people in harrowing
gulags, Ambassador Samantha Power said.
Doug Madory, director of Internet analysis at Dyn Research, doubted that North Korea
took down its own Internet, saying the event was not consistent with a more common
outage, like a cut wire or technical error, because the connections struggled for hours
to come back online.
This doesnt look theyre taking themselves down. Youve got hours and hours of
instability, and that comes from somewhere, Madory said. It looks like their network
is for hours just struggling to stay online, trying to come back, and eventually its just
over, just down.
But Madory said that attributing blame for something like a distributed denial-ofservice (DDOS) attack is notoriously difficult, and that something as unsophisticated
as a DDOS attack would be easy to replicate.
Some hackers agreed the job wasnt necessarily a mission-impossible situation. A

group of hackers calling itself Lizard Squad, which has claimed knocking Sonys
PlayStation Network and several other gaming services offline over the past few
months, tweeted a Web address it called the North Korea off button. It also tweeted a
message suggesting the blackout would be easy: Xbox Live & other targets have way
more capacity. North Korea is a piece of cake.
Karen DeYoung and Ellen Nakashima contributed to this report.

Drew Harwell is a national business reporter at The

Washington Post.

Brian Fung covers technology for The Washington Post,

focusing on telecom, broadband and digital politics. Before joining the Post,
he was the technology correspondent for National Journal and an associate
editor at the Atlantic.
Posted by Thavam