Two Years Ago, Someone Hacked Into North Korea's Internet and Shut It Down for a Week. The Culprit Did It From Their Home

  • Alejandro Caceres was the hacker who shut down North Korea’s Internet connection two years ago.

  • Now, he’s speaking out to demand more proactivity in the cyber fight.

It’s a mistake to think there’s no Internet in North Korea. The most insulated country in the world is a mystery in many ways, but we know there’s an Internet connection. It isn’t something everyone can access—far from it—but it’s available to certain elites and members of the government.

Well, two years ago, the Internet went down because of an attack.

An attack by a single person in their pajamas at home.

North Korea’s Internet. There’s no official information about North Korea’s Internet connection. If there were, one should at least question it. What we do know, thanks to outlets like Vox and the People for Successful Korean Reunification (PDF), is that there’s a sort of national intranet called Kwangmyong, with essential tools like email and access to predetermined and censored sites.

Kwangmyong is available on computers in government offices, universities, and Internet cafes in large cities. However, traveling from one city to another is prohibited in North Korea, making it difficult for people in rural areas to go online.

There’s also the highly monitored and restricted Internet, which is available to elite members of society, government officials, technical specialists, researchers, and government-trained hackers. The last group makes sense, given the country's proclivity for carrying out cyber attacks and stealing cryptocurrency. In 2022, North Korean hackers stole a record amount of crypto totaling $1 billion.

Finally, there’s the unrestricted Internet, and it’s easy to imagine who can use it: the ultra core of the government. The number of people that connect to this Internet is small, and the infrastructure that makes it possible isn’t secure or robust. Well, two years ago, that infrastructure went down. It did so after the government conducted ballistic missile tests. The perpetrator of the attack wasn’t a government, an agency, or a coordinated group of hackers in Guy Fawkes masks.

Alejandro Caceres. It was him. Formerly known as P4x (@_hyp3ri0n on X), Caceres is a 38-year-old cybersecurity researcher based in Florida. The reason for the hack, he explained in interviews with Wired and Spanish outlet El País, was personal: He had been the victim of a hacking attempt by the North Korean government a year earlier. The goal was to get his hacking tools. However, Caceres said the FBI didn't move to act when he was attacked. As such, the cybersecurity researcher decided to act on his own: from home, in flip-flops, and in his pajamas.

What the attack was like. As Caceres recounted in a Reddit Q&A, he discovered that North Korea had a lousy Internet structure. “Their Internet sucks and is terrible. Their ingress-egress routers are not great,” he answered. As we mentioned earlier, the Internet is there, but very few people use it.

Internet connectivity in North Korea depends only on ingress-egress routers.

In the end, Caceres decided to launch a mass bandwidth attack. To do this, he rented some servers near the country and set them to make requests until they blocked both routers. “That took down all the routing in and out of the country,” he said, adding that “it wasn’t just a DoS on their infrastructure; it actually took down all the routing. The errors people were getting were ‘no route to host,’ which was awesome to see!” For those looking for a more technical explanation, here are the details.

The connection returned because he allowed it to. North Korea was without Internet for a week because of Caceres' decision. “I let their Internet return because I wanted it to... I wanted this to be a warning, not a big takedown. I could have left them without the Internet indefinitely,” the researcher wrote on Reddit. In short, for Caceres, this was a warning, a wake-up call.

It didn’t go unnoticed. According to the researcher, U.S. authorities liked his attack. Over the next year, he met with various government security agencies, including the NSA. He explained that you could carry out this type of attack with teams of two to four well-trained hackers, but, “To do anything, you need authorization, which takes six months to get. And by the time you get it, what you want to do is no longer helpful.” In other words, excessive bureaucracy makes the counterattack slow. Eventually, Caceres left the government to start his own cybersecurity company, Hyperion Gray.

Revealing his identity. According to Caceres, “Both the NSA and the Department of Defense have a lot of talented hackers, but when it comes to conducting disruptive cyber operations, for some reason, we as a country are frozen and afraid... and that has to change.” Showing his face and revealing his identity is his way of saying that the U.S. needs to be more aggressive.
