Ten hours after North Korea’s fragile and limited Internet connectivity disappeared on Monday, the isolated country was back online last night.

While that much is certain, it’s still unknown who was behind the outage and why.

Naturally, after promising on Friday a “proportional response,” immediate speculation focused on the White House in retaliation for the damaging Sony hack. Internet watchers such as Arbor Networks went so far as to call it an attack, pointing out indicators of NTP or SSDP reflection amplification in a report published yesterday. Others such as CloudFlare CEO Matthew Prince laid out a few possibilities, all-but dismissing a state-sponsored DDoS attack.

“Still not clear on the cause, but it probably can help rule out some possibilities,” Prince said in an email to Threatpost after North Korea came back online. “In particular, I think it is pretty good evidence that the outage wasn’t caused by a state-sponsored attack, otherwise it’d likely still be down for the count.”

“In particular, I think it is pretty good evidence that the outage wasn’t caused by a state-sponsored attack, otherwise it’d likely still be down for the count.” -Matthew Prince

North Korea’s connectivity had been shaky since last Thursday, Arbor Networks’ Dan Holden points out, with DDoS traffic peaking Saturday and Sunday targeting the country’s primary and secondary authoritative DNS servers, Naenara, the official Web portal of North Korea, and Kim II Sung University, the country’s first university website. Holden said the peak of the attack came on Saturday, topping out at 5.97 Gbps.

Holden too said it was unlikely this was a state-sponsored attack.

“I’m quite sure that this is not the work of the U.S. government,” Holden said. “Much like a real world strike from the U.S., you probably wouldn’t know about it until it was too late. This is not the modus operandi of any government work.”

Toppling over North Korea’s Internet, however, wouldn’t require a massively resourced effort. According to nknetobserver.github.io, few people have public Internet access in North Korea aside from government officials, state-run journalists and select others. Others have access to a private North Korean network that is strictly controlled by the government. The country has allocated only 1,024 IP addresses. Two other blocks of IP addresses are assigned to the country, one through China Unicom and the other by SatGate, a Russian Satellite company, the website said. Arbor, for example, said the outage was likely caused by the country’s infrastructure not being able to resolve IPs.

CloudFlare said the outage began Monday around 11 a.m. ET; the country’s IP space had been dropped from routing tables and was no longer being announced over BGP, Prince said.

Oppressive regimes sometimes cut Internet services in times of crisis, and Prince speculated that this could be one explanation for the North Korean outage. It’s also possible, he said, that China Unicom terminated the country’s access to the public Internet.

“Since North Korea relies on a single provider upstream of the country, if China Unicom terminated access it would effectively eliminate North Korea’s Internet access,” Prince said. “It is impossible upstream to tell the difference between this and the first possibility.”

Prince did not rule out the possibility of a hardware failure or cut cable, but he did try to temper the discourse around a state-sponsored DDoS attack.

“It’s worth remembering that just a few weeks ago a teenager in the UK pled guilty for, single handedly, generating a 300Gbps attack against Spamhaus. That, again, is likely at least an order of magnitude larger than the total capacity of North Korea’s link to the public Internet,” Prince said. “In other words, if it turns out it was an attack, I’d be far more surprised if it was a government launching the attack than I would if it was a kid in a Guy Fawkes mask.”

On Friday, the FBI officially blamed North Korea for the Sony hack, hours after an unnamed White House source said the U.S. would have a proportional response to the attack.

Sony has been under siege since Nov. 24 when employee workstations were rendered useless by a wiper malware attack. Threats then surfaced from a hacker group calling themselves the Guardians of Peace promising more attacks and a 9/11-style terrorist attack against theaters showing the comedy movie The Interview, a satire depicting the assassination of North Korean leader Kim Jong-Un. Since then, Sony has been subjected to numerous data leaks including unreleased movies and scripts made available online, to embarrassing email exchanges between executives, to the personal health care and contact information of employees released to Pastebin.

Over the weekend, US-CERT issued an advisory with indicators of compromise describing a dropper used in the attacks against Sony targeting Windows Server Message Block shares. The worm uses a brute-force authentication attack to access networks shares via SMB, and when successful, drops a backdoor and wiper malware capable of overwriting hard drives and a computer’s Master Boot Record.

Categories: Critical Infrastructure, Hacks