Suspected North Korean hacker group accessed Daily NK biweekly in 2018

Satellite imagery of Pyongyang’s Ryugyong-dong, Pottangang District. Image: Google Earth

A Google Analytics report for Korean language traffic has revealed that dozens of site visits were made to Daily NK’s homepage by users with North Korean IP addresses in 2018.

At least ten of these visitors connected through a Pyongyang-based IP address in the city’s Ryugyong-dong, Pottangang District using a domain. Kp is North Korea’s country code top-level domain, or ccTLD.

The Pyongyang-based users share the same IP address with the hacker group Kumsong 121 and selected Korean as their language preference. They primarily accessed Korean language versions of articles focusing on the North’s cyber threats, including the Mangyongdae Revolutionary Academy’s “hackers” program to recruit the country’s next generation of foreign agents and hacking attempts directed against Unification Media Group and identification of the hacker group’s IP address.

The Pyongyang-based users had Korean language set as their language preference. Image: Daily NK

It is also possible that other users are accessing Daily NK using Virtual Private Networks (VPNs) within North Korea to appear as if the connections are coming from other countries listed in the Google Analytics report. VPNs can also be used to make it appear as if web users are based in North Korea, when in fact they aren’t.

Regardless, a number of visitors appearing to be from North Korea read various opinion pieces about the summits and denuclearization as well as articles focusing on Kim Jong Un, the Wonsan-Kalma marine tourist zone, and North Korea’s young homeless population known as kkotjebi.

Screenshot of some of the articles accessed by the Ryugyong-dong IP address. Image: Daily NK

Daily NK was accessed directly, via Facebook, and via Google searches for Daily NK’s website address, suggesting familiarity with these tools and the publication itself.

All site visitors used desktop computers with the Google Chrome internet browser to access Daily NK’s site with versions 7, 8.1, and 10 Windows operating systems.

Sokwang website promotional video showing the Chrome browser being used to access North Korea’s Pyongyang Department Store No. 1 online store. Image: Sokwang