The U.S. government publicly accused Kim Jong-un’s regime of carrying out the Sony Pictures Entertainment hack last year, and some commentators believe that government agencies were responsible for a retaliatory attack which took down North Korea’s internet. However, it turns out that other groups may have dealt the fatal blow, writes Shane Harris for The Daily Beast.

Who Took Down North Korea's Internet?

Revenge attack following Sony hack?

According to sources, not all of the hackers were intent on exacting revenge for the Sony hack. Some were simply curious about the way in which North Korea is connected to the wider world, and it may have been those independent hackers that ultimately broke those connections.

Sources close to the U.S. government cyber operation have stated that although a retaliatory attack was launched to send a message to North Korean officials, it was not designed to take the country offline. The government-sponsored attacks were allegedly more limited and focused on specific targets, and now certain groups of hacking vigilantes have claimed responsibility for the internet outages.

Analysis by Dyn Research shows that North Korea experienced network instability in the 24 hours preceding the attack, consistent with a cyber attack, and the U.S. government may have attacked North Korean government-operated sites and network infrastructure.

North Korea: Possible strategic decision

Officials from the Obama administration have neither confirmed nor denied that they played a role in the attacks, but former U.S. intelligence officers claim that government agencies are unlikely to take down entire networks in other countries because it would affect cyber spying programs. The NSA has a unit dedicated to spying on North Korea, mainly to gain information about its nuclear weapons program and the thinking behind Kim Jong-un’s regime.

Taking down the entire network would place information sources at risk, because there is no guarantee that agents would have access to the same sources when the connection was restored. One theory is that North Korea accidentally knocked out its own networks as it tried to defend itself, but other actors could have been involved.

Involvement of independent groups

A group connected to hacking collective Anonymous claimed responsibility on the day of the outage, while the Lizard Squad group also celebrated the takedown. It would not have been terribly difficult for an independent hacker to take North Korea offline, given that there are only four routes connecting the country to the global network.

Posts on hacking forums show that independent hackers were infiltrating North Korea’s networks and sharing information about weaknesses. A later post contained a tool which would allow experienced hackers to take control of the Red Star operating system, which is widely used in North Korea, and its public posting could signify that it had already been used.

Although U.S. officials have not confirmed any vigilante activity, it would have been easy for them to detect an attack. A debate among hackers on Reddit concluded that given the circumstances the U.S. government might turn a blind eye to a retaliatory attack on the North Korean internet.

The official line

Rep. Michael McCaul, the Republican chairman of the House Homeland Security Committee, said publicly that “there were some cyber responses to North Korea” in the aftermath of the Sony hack, but he refused to specify whether they were official or independent attacks. He has since refused to clarify his alleged statement that the outage was one such response.

CIA Director John Brennan also fielded questions about the blackout on Fox News Sunday, but he would not confirm U.S. involvement. However, he did say that “there is an [Internet] infrastructure there that is rickety, there are challenges that they face on a technical front. So there are a lot of reasons why the North Korean people and the Internet system out there has problems.”

His interviewer asked whether the U.S. gave “a little shake to the rickety North Korean system,” to which he replied that he would not “address anything that we may have done in that instance, and I’m not acknowledging anything at all there.” An NSA spokesperson directed questions on the matter to the National Security Council, which made no further comment.

No definitive conclusion

Although the identity of those responsible for the outage remains a mystery, it is likely that the outage made North Korea aware of grave weaknesses in its internet infrastructure. An interesting angle is that North Korea may have already been aware of them, but left them in place to distract cyber spies or lure foreign agents into hacking infected machines known as honeypots, according to a Hewlett-Packard report from 2014.

Further problems with North Korea’s internet, which crashed once more in late January, may point to structural problems rather than clever strategy, and it seems as though Kim Jong-un has some work to do to secure the internet.