North Korea’s fledgling Internet access went dark Monday, days after President Obama promised a “proportional response” to the nation’s alleged hack of Sony Pictures Entertainment. The question of who pulled the plug immediately became the stuff of a global cyber-mystery.
Was it a shadowy crew of guerrilla hackers, under the flag of Anonymous? A retaliatory strike from the United States? A betrayal from China, North Korea’s top ally and its Web gatekeeper? Or just a technical glitch or defensive maneuver from the Hermit Kingdom itself?
On Monday, a State Department official issued a somewhat coy non-denial when asked about U.S. involvement in North Korea’s blackout. The official wouldn’t comment on how the government plans to avenge North Korea’s alleged attack on Sony but added, “As we implement our responses, some will be seen, some will not be seen.”
“This is the standard for espionage: Things are murky. It’s not like the movies, where in the last scene someone ties it all together with one long soliloquy,” said James Lewis, a senior fellow at the Strategic Technologies Program at the Center for Strategic and International Studies.
North Korea continues to deny that it was responsible for the hack that hobbled Sony, exposed intimate e-mails from top executives and posted online copies of unreleased films — all efforts in an apparent revenge scheme for “The Interview,” a comedy about two goofballs told to assassinate North Korean leader Kim Jong Un. After Obama accused the country last week and promised retaliation, North Korean officials at first offered to hold a joint investigation with the United States to find the source of the attack.
Then Pyongyang warned through its state-owned news agency that it would fight any retaliation with “our toughest counteraction . . . against the White House, the Pentagon and the whole U.S. mainland, the cesspool of terrorism, by far surpassing the ‘symmetric counteraction’ declared by Obama.”
On Thursday, researchers began to notice an uptick in attacks against North Korea’s Internet infrastructure. Designed to overload servers and Web sites with a flood of fake traffic, such “denial-of-service” attacks can render entire networks inoperable.
The next day, a Twitter account affiliated with Anonymous — the collective behind numerous high-profile hacks — announced that a counterattack against North Korean hackers had begun.
“Operation RIP North Korea, engaged. #OpRIPNK,” tweeted the account known as @theanonmessage. (That account was suspended by Twitter on Monday over separate threats it had made to release a sex tape belonging to rapper Iggy Azalea.)
On Monday, a separate group, also claiming links to Anonymous, sought credit for the outages.
The timing of the two tweets was consistent with statistics tracked by the security research firm Arbor Networks. On Thursday, the company recorded two denial-of-service attacks. The next day it saw four. The wave peaked Saturday and Sunday with 5.97 gigabits of data inundating North Korea’s pipes every second.
Late Monday, Dyn Research said North Korea’s Internet access was restored after a nine-hour, 31-minute outage.
While it is unclear whether Anonymous played a role in North Korea’s downtime, at least six of the observed denial-of-service attacks originated from the United States, Arbor Networks said.
But other security experts said hostile code can be adapted from other attacks and filtered covertly through foreign servers. Even basic cyberattacks can use decoys or distractions, including hosts of “zombie” computers or falsified location data, to shake pursuers off the trail.
“The actual work of evidence-gathering and prosecution is so much more difficult in the digital world than in the biological world,” said Alec Ross, a senior fellow at Columbia University’s School of International and Public Affairs. “Unlike a bullet, something ‘shot’ as a cyberweapon can be reused and repurposed. Obfuscation is much easier, and it’s much easier to distribute an attack.”
Some security analysts noted that North Korea’s rudimentary Web pipeline flows directly through the routers of a company called China Unicom, leading some experts to speculate that Chinese hackers were responsible for the blackout. China may have seen the Sony hack as an embarrassing, unauthorized mishap from its small but loud ally, or thought the friction it sparked with the economies of the United States and Japan could be too destabilizing to ignore.
“It is quite possible that the Chinese are reminding the North Koreans of who really controls those networks,” Ross said.
On Monday, the U.S. envoy to the United Nations called for global partners to hold North Korea accountable for the hack on Sony as well as longtime human rights abuses. “It is exactly the kind of behavior we have come to expect from a regime that threatened to take ‘merciless countermeasures’ against the U.S. over a Hollywood comedy and has no qualms about holding tens of thousands of people in harrowing gulags,” Ambassador Samantha Power said.
Doug Madory, director of Internet analysis at Dyn Research, doubted that North Korea took down its own Internet, saying the event was not consistent with a more common outage, like a cut wire or technical error, because the connections struggled for hours to come back online.
“This doesn’t look like they’re taking themselves down. You’ve got hours and hours of instability, and that comes from somewhere,” Madory said. “It looks like their network is for hours just struggling to stay online, trying to come back, and eventually it’s just over, just down.”
But Madory said that attributing blame for something like a distributed denial-of-service (DDOS) attack is “notoriously difficult,” and that something as unsophisticated as a DDOS attack would be easy to replicate.
Some hackers agreed the job wasn’t necessarily a mission-impossible situation. A group of hackers calling itself Lizard Squad, which has claimed responsibility for knocking Sony’s PlayStation Network and several other gaming services offline over the past few months, tweeted a Web address it called the “North Korea off button.” It also tweeted a message suggesting the blackout would be easy: “Xbox Live & other targets have way more capacity. North Korea is a piece of cake.”
Karen DeYoung and Ellen Nakashima contributed to this report.