Looks like a bunch of domains have switched in the last few days and are now resolving to 175.45.177.10 and 175.45.177.11.
North Korea Technology Advertisements – 2012
It’s Been a While and New Content Coming
I admit it’s been a while since all the excitement at the start of the year. I’m still not convinced that the person interviewed in the Wired article was responsible for the attacks, or, at the very least, if they were, they definitely exaggerated their activity.
But, looking forward, there are two things I’ve been working on. One is taking a closer look at North Korean firewalls. The other is a list of 200 star-co.net.kp email addresses, which has been an interesting list to search with. I’ll be posting some of the findings from that list.
For example, I found this post on vk.com that describes the Nenara Taedongan TV factory, which I haven’t seen anywhere else online. Judging by the contact info and some of the other details, it appears to be something that can be reasonably trusted: https://vk.com/wall-61269228_2342?lang=en
North Korea DDoS Wrap Up
This has all been very fun to monitor, but it looks like it’s coming to an end with the Wired article from yesterday. One last interesting thing that I wanted to point out is that I own a domain that is very similar to a popular North Korean domain, minus the .kp TLD. It didn’t hit me until a few days later, but there are some interesting coincidences in the traffic that I’ve seen on that server when compared with the outages on the DPRK websites.
If I can re-use the graph that I created the other day: right around the final outage, my website that is similar to the DPRK website received over 41,000 requests in the span of a minute and a half. Specifically, right around the end of the 2.5 hour gap is when I saw things spin up.
Again, attribution is incredibly difficult and not something that I want to get into at all. But it was a pretty strange coincidence that my very similar domain saw a major spike in traffic at the exact same time that the DDoS against North Korea was occurring. I don’t want to share all of the details publicly but if you are interested, and have a decent use for the data, feel free to send me an email.
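As an added example (not code from the post), here is a small detector that counts requests per 90-second window over access-log lines and flags windows far above the median, the kind of check that would surface a burst like the 41,000 requests in a minute and a half described above. The log lines are constructed inline (TEST-NET addresses, Common Log Format), and the window size, multiplier and floor are assumed tuning values.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Common Log Format timestamp, e.g. [10/Jan/2022:00:30:00 +0000]
CLF_TS = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def parse_clf_time(line):
    """Return the request time of one CLF access-log line as a tz-aware datetime, or None."""
    m = CLF_TS.search(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")


def bucket_counts(lines, window_seconds=90):
    """Count requests per fixed window of `window_seconds`, keyed by the window's start epoch."""
    counts = Counter()
    for line in lines:
        ts = parse_clf_time(line)
        if ts is None:
            continue  # malformed or non-request line: skip rather than crash
        epoch = int(ts.timestamp())
        counts[epoch - epoch % window_seconds] += 1
    return counts


def detect_spikes(lines, window_seconds=90, factor=20, floor=50):
    """Flag windows whose request count exceeds both an absolute floor and
    `factor` times the median window: a rough but robust burst detector.
    Returns a list of (ISO-8601 window start, request count)."""
    counts = bucket_counts(lines, window_seconds)
    if not counts:
        return []
    ordered = sorted(counts.values())
    median = ordered[len(ordered) // 2]
    threshold = max(floor, factor * median)
    return [
        (datetime.fromtimestamp(start, tz=timezone.utc).isoformat(), n)
        for start, n in sorted(counts.items())
        if n > threshold
    ]


def make_sample_log():
    """Constructed sample: one request every 10 s for an hour, plus a 3,000-request
    burst packed into the 90 s starting at 00:30. Addresses come from TEST-NET ranges."""
    t0 = datetime(2022, 1, 10, 0, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S +0000"
    lines = []
    for k in range(360):
        ts = (t0 + timedelta(seconds=10 * k)).strftime(fmt)
        lines.append(f'198.51.100.{k % 200} - - [{ts}] "GET / HTTP/1.1" 200 512')
    for i in range(3000):
        ts = (t0 + timedelta(seconds=1800 + i % 90)).strftime(fmt)
        lines.append(f'203.0.113.{i % 250} - - [{ts}] "GET / HTTP/1.1" 200 512')
    lines.append("this line has no timestamp and is ignored")
    return lines


if __name__ == "__main__":
    for start, n in detect_spikes(make_sample_log()):
        print(f"{start}: {n} requests in 90 s")
```

The median-based threshold keeps a steady baseline from tripping the detector while still catching a burst; with the constructed log the single flagged window is the 00:30 one with 3,009 requests (9 baseline plus the 3,000 burst). Run it over a real access log by feeding the file's lines to `detect_spikes` instead of `make_sample_log()`.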
North Korean Investment Opportunities
About a year ago I received an email from 주전골님 <sealhae@hanmail.net> about investing in North Korea. Below is the full content of the email as well as the JPGs that were attached.
There’s nothing really interesting in the EXIF data, other than that the scanned documents contain the phrase 형간염검사지, which apparently translates to hepatitis test papers. The only other piece of data that I’ve seen is on the picture with the timestamp in the bottom right corner. The picture was taken with a Digimax i6 PMP, Samsung #11 PMP.
Internet Outages Solved
Looks like Wired got to the bottom of the recent outages in North Korea: https://www.wired.com/story/north-korea-hacker-internet-outage/
Now that it doesn’t make much of a difference, this was a graph that I created a few days ago to start getting a better idea of when launches and outages were occurring.
As a side note to all of this, I’ve spent far too much time in the last few days really digging into North Korea’s internet and the way that they are peering with other networks, which will probably require a new post later.
GitHub Commits From Pyongyang University of Science and Technology (PUST)
PUST maintains a GitHub account for committing changes to open source projects on GitHub: https://github.com/arirang-pust
A sample commit can be found here: https://github.com/mlpack/mlpack/pull/842
Chat logs from the MLPACK developers discussing the change from PUST: https://www.mlpack.org/irc/mlpack.20161220.html
Blog post from the professor at PUST discussing the changes: https://izbicki.me/blog/teaching-open-source-in-north-korea.html
Associated LinkedIn account for PUST can be found here: https://www.linkedin.com/in/arirang-pust-748483144/
Thanks to the person that submitted this over email!
Internet Unstable Again
Since the outage last week I’ve been tracking some DPRK websites and IPs more closely. For the most part they’ve been up pretty consistently, but about 16 hours ago there appeared to be some pretty substantial instability. Will keep watching.
Interesting 404 Page
Nothing too exciting but I thought this was interesting. A 404 page on rodong.rep.kp that looks like the Google logo. You can see it here: http://www.rodong.rep.kp/ko/index.php?strPageID=SF02_02_01
North Korea Using IPs In Russia?
I noticed the other day that 188.43.136.115 and 188.43.136.116 had the same certificate information in November 2021 as 175.45.176.21 and 175.45.176.22 had until recently. Now this doesn’t prove anything, but it’s also interesting to note that both had ports 443 and 8888 exposed. Something to keep an eye on. The certificate is below. Could not find any other IPs using that certificate when searching the hash.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9961 (0x26e9)
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: CN=ISRA
        Validity
            Not Before: Sep 10 10:19:41 2021 GMT
            Not After : Sep 10 10:19:41 2022 GMT
        Subject: CN=is_server
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:4d:da:80:80:5e:1c:99:c0:cb:cf:c0:a3:a2:6f:
                    2b:1c:ca:f0:4a:03:6a:82:35:64:26:08:0f:c0:ac:
                    6f:31:e5:38:b9:04:cd:ca:1c:4e:39:d7:1e:32:81:
                    a5:62:65:be:2d:db:9f:80:61:e8:0b:46:95:d8:c6:
                    e5:48:29:e8:48:e8:af:85:24:bd:58:93:92:40:aa:
                    10:d1:a8:c2:e7:06:f3:ab:7b:29:cd:6f:57:b3:84:
                    60:1d:90:96:3b:7f:c8
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME
            Netscape Comment:
                OpenSSL Generated Client Certificate
            X509v3 Subject Key Identifier:
                C2:A2:12:38:21:74:43:BF:F0:DE:5A:F8:EA:0E:B1:68:98:0E:3E:C3
            X509v3 Authority Key Identifier:
                keyid:CB:36:50:B9:C4:39:6E:9B:F4:43:46:56:D5:2B:C2:99:6D:E6:F5:FA
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection
    Signature Algorithm: ecdsa-with-SHA384
         30:65:02:30:4c:19:3b:cc:a9:3d:4b:01:5d:ab:df:09:93:3f:
         fc:e0:8f:f1:9c:61:11:c8:a4:d7:d8:fa:5f:6f:4e:08:a9:1f:
         42:81:97:6e:5d:d5:cb:53:30:d2:25:cb:56:db:9f:22:02:31:
         00:c7:b1:5e:ac:f8:67:82:c9:7b:88:e4:cf:03:23:b2:1f:65:
         39:e7:22:25:d6:e1:76:68:e2:1e:f5:de:13:ce:fa:94:24:77:
         51:8d:eb:08:77:eb:8d:55:9c:da:f7:38:63
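Added example (not code from the post): a parser for the openssl x509 -text dump above that pulls out the fields useful for deciding whether two hosts really present the same certificate (serial, Subject Key Identifier, Authority Key Identifier and the raw key bytes), and that notes when a certificate is marked for client authentication only, which is unusual for something served on 443 or 8888. The certificate text is embedded from the post; the "key fingerprint" here is a SHA-256 over the raw EC point, an assumption of convenience for matching, not the SPKI hash that certificate search engines index.

```python
import hashlib
import re
from datetime import datetime, timezone

# The openssl x509 -text dump quoted in the post, embedded (trimmed to the
# fields the parser uses) so the example runs offline.
PAGE_CERT_TEXT = """\
Certificate:
    Data:
        Serial Number: 9961 (0x26e9)
        Issuer: CN=ISRA
        Validity
            Not Before: Sep 10 10:19:41 2021 GMT
            Not After : Sep 10 10:19:41 2022 GMT
        Subject: CN=is_server
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:4d:da:80:80:5e:1c:99:c0:cb:cf:c0:a3:a2:6f:
                    2b:1c:ca:f0:4a:03:6a:82:35:64:26:08:0f:c0:ac:
                    6f:31:e5:38:b9:04:cd:ca:1c:4e:39:d7:1e:32:81:
                    a5:62:65:be:2d:db:9f:80:61:e8:0b:46:95:d8:c6:
                    e5:48:29:e8:48:e8:af:85:24:bd:58:93:92:40:aa:
                    10:d1:a8:c2:e7:06:f3:ab:7b:29:cd:6f:57:b3:84:
                    60:1d:90:96:3b:7f:c8
                ASN1 OID: secp384r1
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                C2:A2:12:38:21:74:43:BF:F0:DE:5A:F8:EA:0E:B1:68:98:0E:3E:C3
            X509v3 Authority Key Identifier:
                keyid:CB:36:50:B9:C4:39:6E:9B:F4:43:46:56:D5:2B:C2:99:6D:E6:F5:FA
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection
"""

# One line of colon-separated hex bytes as openssl prints key/signature material
HEX_RUN = re.compile(r"^([0-9a-f]{2}:)*[0-9a-f]{2}:?$")


def parse_openssl_text(text):
    """Extract the pivot-relevant fields from an openssl x509 -text dump."""
    f = {"pub_hex": ""}
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        s = raw.strip()
        if s.startswith("Serial Number:"):
            f["serial"] = int(s.split(":", 1)[1].split()[0])
        elif s.startswith("Issuer:"):
            f["issuer"] = s.split(":", 1)[1].strip()
        elif s.startswith("Subject:"):
            f["subject"] = s.split(":", 1)[1].strip()
        elif s.startswith("Not Before") or s.startswith("Not After"):
            key = "not_before" if "Before" in s else "not_after"
            value = " ".join(s.split(":", 1)[1].split())  # openssl pads single-digit days
            f[key] = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
        elif s == "pub:":
            for nxt in lines[i + 1:]:  # gather the hex lines that follow
                if not HEX_RUN.match(nxt.strip()):
                    break
                f["pub_hex"] += nxt.strip()
        elif s == "X509v3 Subject Key Identifier:":
            f["ski"] = lines[i + 1].strip()
        elif s == "X509v3 Authority Key Identifier:":
            f["aki"] = lines[i + 1].strip().replace("keyid:", "", 1)
        elif s == "X509v3 Extended Key Usage:":
            f["eku"] = [u.strip() for u in lines[i + 1].split(",")]
    f["pub_key"] = bytes.fromhex(f["pub_hex"].replace(":", ""))
    return f


def key_fingerprint(f):
    """SHA-256 of the raw EC point (assumed convenience handle, not an SPKI hash)."""
    return hashlib.sha256(f["pub_key"]).hexdigest()


def same_identity(a, b):
    """Two observations are the same certificate when serial, SKI, AKI and key bytes all agree."""
    return all(a[k] == b[k] for k in ("serial", "ski", "aki", "pub_key"))


def client_auth_only(f):
    """True when EKU allows client auth but not server auth; a listening service
    presenting such a certificate is an oddity worth recording."""
    eku = f.get("eku", [])
    return "TLS Web Client Authentication" in eku and "TLS Web Server Authentication" not in eku


def validity_days(f):
    return (f["not_after"] - f["not_before"]).days


if __name__ == "__main__":
    cert = parse_openssl_text(PAGE_CERT_TEXT)
    print(cert["subject"], cert["issuer"], cert["serial"], key_fingerprint(cert)[:16],
          "client-auth-only" if client_auth_only(cert) else "server-capable")
```

Matching on serial plus SKI/AKI plus key bytes is stricter than matching on the subject alone, since "CN=is_server" with issuer "CN=ISRA" could be reissued with a fresh key; a match on all four means the same private key and the same issuance were seen on both hosts, which is what makes the overlap between the 188.43.136.x and 175.45.176.x addresses worth tracking.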