Category Archives: North Korea

Five Eyes, Nine Eyes & 14-Eyes Countries and VPNs: Important to know when using (or planning to use) a VPN

The content herein is part of an article published on a VPN site; at the end of this short introduction there will be a link to take you to a lot more viewpoints and info. Enjoy.

This article will discuss available VPNs in relation to the 5 Eyes, the 9 Eyes and the 14 Eyes government surveillance alliances.

Encryption is the only way to protect private communications. While there are encrypted messaging systems that can be used for direct correspondence, virtual private networks (VPNs, also based on encryption) are the best tools for hiding internet activity, such as which websites are visited. Again, there are valid reasons to do so: to protect the privacy of religion, sexual orientation and sensitive medical conditions, all of which can be inferred from visited websites.


During the second world war, US and UK intelligence agencies worked closely on code-breaking. After the war, the UK center at Bletchley Park evolved into the Government Communications Headquarters (GCHQ). The American service evolved into the National Security Agency (NSA). In 1946, the working relationship between the two countries was formalized in the UKUSA agreement. It worked on signals intelligence (SIGINT); that is, the interception and analysis of adversarial telecommunications.

In order to provide global coverage for communications interception, Australia, New Zealand and Canada joined the UK and the USA – and became known as the Five Eyes.

However, such is the NSA’s global dominance of intelligence gathering, other countries have sought to cooperate in return for specific ‘threat’ information from the NSA. This has led to other SIGINT groupings: the 9 Eyes and the 14 Eyes.

The operation of these intelligence agencies was long kept secret. As global communications have increased, and as perceived threats have grown (first in the Cold War between east and west and more recently in the ‘war on terror’), the 5 Eyes in particular began to secretly use technology to gather everything for later analysis. GCHQ, for example, had a secret project called Mastering the Internet. None of this was publicly known.

In 2013, NSA whistleblower Edward Snowden leaked thousands of top secret NSA and GCHQ documents showing, for the first time, the extent to which national governments spy on everybody. It is always done in the name of ‘national security’, and both the relevant agencies and their governments insist on their right to do so.


Henry Sapiecha

The WannaCry Ransomware connected to Suspected North Korean Hackers

As the WannaCry ransomware epidemic wreaked havoc across the globe over the past three days, cybersecurity researchers and victims alike have asked themselves what cybercriminal group would paralyze so many critical systems for such relatively small profit? Some researchers are now starting to point to the first, still-tenuous hint of a familiar suspect: North Korea.

On Monday, Google researcher Neel Mehta issued a cryptic tweet containing only a set of characters. They referred to two portions of code in a pair of malware samples, along with the hashtag #WannaCryptAttribution. Researchers immediately followed Mehta’s signposts to an important clue: An early version of WannaCry—one that first surfaced in February—shared some code with a backdoor program known as Contopee. The latter has been used by a group known as Lazarus, a hacker cabal increasingly believed to operate under the North Korean government’s control.

“There’s no doubt this function is shared across these two programs,” says Matt Suiche, a Dubai-based security researcher and the founder of the security firm Comae Technologies. “WannaCry and this [program] attributed to Lazarus are sharing code that’s unique. This group might be behind WannaCry also.”

According to Suiche, that chunk of commands represents an encoding algorithm. But the code’s function isn’t nearly as interesting as its Lazarus provenance. The group rose to notoriety following a series of high-profile attacks, including the devastating hack of Sony Pictures in late 2014, that were identified by US intelligence agencies as a North Korean government operation. More recently, researchers believe that Lazarus compromised the SWIFT banking system, netting tens of millions of dollars from Bangladeshi and Vietnamese banks. Security firm Symantec first identified Contopee as one of the tools used in those intrusions.

Researchers at the security firm Kaspersky last month presented new evidence tying those attacks together, pointing to North Korea as the culprit. On Monday, Kaspersky followed up on Mehta’s tweet with a blog post analyzing the similarities in the two code samples. But while they noted the shared code in the Lazarus malware and the early version of WannaCry, they stopped short of definitively stating that the ransomware stemmed from state-sponsored North Korean actors.

“For now, more research is required into older versions of Wannacry,” the company wrote. “We believe this might hold the key to solve some of the mysteries around this attack.”

In its blog post, Kaspersky acknowledged that the repetition of the code could be a “false flag” meant to mislead investigators and pin the attack on North Korea. After all, the WannaCry authors cribbed techniques from the NSA as well. The ransomware leverages an NSA exploit known as EternalBlue that a hacker group known as Shadow Brokers made public last month.

Kaspersky called that false flag scenario “possible” but “improbable.” After all, the hackers didn’t copy the NSA code verbatim but, rather, lifted it from the public hacking tool Metasploit. The Lazarus code, by contrast, looks far more like a reuse of unique code by a single group out of convenience. “This case is different,” Kaspersky researcher Costin Raiu wrote to WIRED. “It shows that an early version of WannaCry was built with custom/proprietary source code used in a family of Lazarus backdoors and nowhere else.”

Any link to North Korea is far from confirmed. But WannaCry would fit the Hermit Kingdom’s evolving playbook of hacker operations. Over the past decade, the country’s digital attacks have shifted from mere DDoS attacks on South Korean targets to far more sophisticated breaches, including the Sony hack. More recently, Kaspersky and other firms have argued that the impoverished country has expanded its techniques to outright cybercriminal theft, like the SWIFT attacks.

If the author of WannaCry isn’t Lazarus, it would show a remarkable degree of deception for a cybercriminal group that has in other respects shown itself to be rather inept at making money; WannaCry included an inexplicable “kill switch” in its code that limited its spread, and even implemented ransomware functions that fail to properly identify who’s paid a ransom.

“Attribution can be faked,” concedes Comae’s Suiche. “But that would be pretty smart. To write ransomware, target everyone in the world, and then make a fake attribution to North Korea—that would be a lot of trouble.”

For now, plenty of unanswered questions remain. Even if researchers somehow prove that the North Korean government cooked up WannaCry, its motive for indiscriminately handicapping so many institutions around the world would remain a mystery. And it’s tough to square the malware’s shoddy configuration and botched profiteering with the more sophisticated intrusions Lazarus has pulled off in the past.

But Suiche sees the Contopee link as a strong clue about WannaCry’s origins. The Dubai-based researcher has closely followed the WannaCry malware epidemic since Friday, and over the weekend he identified a new “kill switch” in an adapted version of the code, a web domain the WannaCry ransomware checks to determine whether it will encrypt a victim’s machine. Just before Mehta’s finding, he identified a new URL—this time, one that begins with the characters “ayylmao.”

That LMAO string, in Suiche’s view, is no coincidence. “This one looks like an actual provocation to the law-enforcement and security community,” Suiche says. “I believe that’s North Korea actually trolling everyone now.”


Henry Sapiecha

Amateur spies put North Korea on the map after sourcing info about the country

Living large … one of North Korean dictator Kim Jong Il’s palatial mansions with expansive gardens.

A group of amateur spies has used Google Earth to provide a rare glimpse inside North Korea, one of the world’s most secretive countries.

By default the Google Earth map of North Korea is completely bare, with no roads or landmarks labelled.

Over two years, US doctoral student Curtis Melvin and other volunteers pored over news reports, images, accounts, books and maps painstakingly identifying and locating thousands of buildings, monuments, missile-storage facilities, mass graves, secret labour camps, palaces, restaurants, tourist sites, main roads and even the entrance to the country’s subterranean nuclear test base.

The result, North Korea Uncovered, is one of the most detailed maps of North Korea available to the public today. The small file, which can be installed on top of Google Earth, has been downloaded more than 47,000 times since an updated version was released last month.

“We have portrayed things about which they are most proud and ashamed,” Melvin said in an email interview.

Among the most notable findings is the site of mass graves created in the 1990s following a famine that the UN estimates killed about 2 million people.

“Graves cover entire mountains,” Melvin said.

Also visible is the stark contrast between the living conditions of North Korea’s elite and the general population.

The palaces housing dictator Kim Jong Il and his inner circle, clearly shown on the maps, contain Olympic-size swimming pools with giant waterslides and golf courses.

Conversely, much of North Korea’s population is reliant on foreign food aid, ironic given the authoritarian regime is built around the ideology of self-reliance.

Analysing the satellite maps allowed Melvin to plot the country’s transport and electricity network, revealing that many towns have no power supply at all.

Melvin and his team also believe they have discovered the Vinalon complex that has been connected with chemical warfare experiments.

The project highlights the collaborative power of the internet, which allows disparate groups of amateur sleuths to work together to uncover state secrets and shine new light on previously hidden countries.

North Korea is of particular interest to diplomats, analysts and the public of late because the communist regime has ramped up its nuclear tests, launched a series of short-range missiles and threatened possible attacks on South Korea.

Melvin said he notified two North Korean embassies of his project but received no response.

“This project is a terrific record of their ‘revolution’ so I would love to have more of their input for historical purposes,” he said.

Melvin, who began the project as a way of mapping places in North Korea that he had visited, said he pored over books, maps, pictures and news reports to identify locations on the Google satellite map. But he received significant help from collaborators, some of whom have studied North Korea professionally.

For instance, The Wall Street Journal reported that Joshua Stanton, a Washington attorney who has served in the US military in South Korea, identified one of the country’s most notorious prisons, Camp 16, by combing the map for structures identified in sketches created by defectors.

A US senator then used Stanton’s information to criticise North Korea’s human rights record, saying “Google has made a witness of all of us … we can no longer deny these things exist”.

North Korea’s own publicity of the movements of Kim Jong Il has also been invaluable to Melvin. Media reports from the country allowed him to identify locations the dictator has visited, such as a hydroelectric dam and power station he toured in April.

Henry Sapiecha