My understanding is that there are three mobile networks in North Korea: the normal one used by the citizens (they have smartphones made specifically for North Korea), one used by the government/military and one for tourists (requires a local SIM card only available in a specific hotel in Pyongyang).
The last one is connected to the internet and this is why you can see (or at least before the pandemic could see) Instagram posts from North Korea.
I have no idea if this information is still or ever was completely true though.
There's a somewhat dated but very interesting AMA on Reddit by an American teaching computer science in Pyongyang:
https://www.reddit.com/r/IAmA/comments/1ucl11/iama_american_...
Reading about the internet knowledge possessed by North Korean students, I'm always surprised how they supposedly also manage to be some of the most cunning and evil actors when it comes to hacking.
> also manage to be some of the most cunning and evil actors when it comes to hacking.
America has penetrated most of the world and has nearly absolute control over digital systems. Keep that in mind when discussing cunning and evil actors.
How cunning and evil it is that America funded the internet and then allowed it to spread around the world.
If you're worried about "absolute control over digital systems", notice how many standards get published describing how those digital systems work -- you're welcome to reimplement them if you'd like more control.
“Allowed” is doing a hell of a lot of work for monopoly capitalism backed by US state diplomacy.
You may want to read this book about the military history of the internet originating in counter-insurgency strategy in Vietnam.
https://www.amazon.com/Surveillance-Valley-Military-History-...
Another way to look at American internet penetration is as “radio free asia dot com”.
Thanks for sharing my site. Happy to answer any questions
Don't have questions, but your blog is very cool.
A bit over a decade ago I used to spend a lot of time hacking North Korean web infrastructure. I mostly found that they tended to have firewalling around almost all boxes exposed to the global internet and usually had pretty impressive reaction times if you tried to access the country intranet through a compromised web server.
I've always wondered how successful NSA and the likes have been at infiltrating DPRK networks, as it would inherently be fairly easy to detect any sketchy traffic from the outside. I wonder if the recent NYT story essentially confirms that difficulty.
Regarding the NSA and DPRK, there's this document from 2007 at least: https://www.eff.org/files/2015/02/03/20150117-spiegel-fifth_...
I guess I have a question after all: I'm not exactly clear on how NK treats end-user devices. Do you know if the endpoints used by NK based remote workers have internet and intranet access at the same time? If they do, such an endpoint could offer an easy and stealthy channel to access the intranet.
The end user devices are also really interesting. As far as I know they require a piece of software called netkey, or oconnect as it's recently been renamed. That's for getting access inside the country, and then for anyone outside they have software called hangro that is similar to a VPN for connecting back to North Korea and getting messages.
Thanks, really appreciate that! I've seen that doc before and it does really make me wonder. Part of the leaks from the NSA tools years back had some references in there for detecting North Korea's anti-virus silivaccine
https://github.com/b30wulf/Malware-collection/blob/4f5906c93...
There was also the Hacking Team leak from years ago and they were selling exploits for North Korea's Red Star OS: https://nkinternet.wordpress.com/wp-content/uploads/2025/12/...
I assume they've been on their networks in the past but I think North Korea has also done a lot over the years to secure their side. It used to be a lot easier when they left everything as an open directory and didn't realize what they were doing.
> There was also the Hacking Team leak from years ago and they were selling exploits for North Korea's Red Star OS: https://nkinternet.wordpress.com/wp-content/uploads/2025/12/...
South Korean NIS was in fact a Hacking Team client, so it would make sense. Especially considering how terrible Red Star OS was at the time, a HT engineer could probably have whipped those up in a couple of days.
https://web.archive.org/web/20180302155452/http://english.yo...
> I assume they've been on their networks in the past but I think North Korea has also done a lot over the years to secure their side. It used to be a lot easier when they left everything as an open directory and didn't realize what they were doing.
I'm sure they've had some success, but I'd expect it to be a really difficult environment to operate in. Even for the NSA. I suppose eventually there'll be a better leak and we'll get to find out just how well it's been going.
Impressive sleuthing!
It's interesting to discover the reality that packet routing ends up following political affiliations. I didn't know North Korea only has 1,024 IPv4 addresses. Do you know why so few IPs? How did they get them?
> It's interesting to discover the reality that packet routing ends up following political affiliations.
Certainly political affiliations have some influence, but also China and Russia have land borders with North Korea and are not at war. It's very common to run fiber optic on/under railroads and vehicle roads, so there you go. It's probably pretty hard to attract an international cable consortium to land in North Korea given everything, but terrestrial cabling is easier to start with anyway.
> I didn't know North Korea only has 1,024 IPv4 addresses. Do you know why so few IPs? How did they get them?
They would have asked APNIC, the Regional Internet address Registry for their region (Asia-Pacific). I can't find an assignment date, but 175/8 was assigned to APNIC in 2009. 2009 lines up with Wikipedia reporting of the startup of the current ISP joint venture.
DPRK can certainly get however many IP addresses they want, DPRK just doesn't have that much infrastructure that they want externally accessible.
As far as I know, end-user traffic from within North Korea usually does not originate from those few IP addresses. Or at least not visibly so, they might be connecting to a proxy from a DPRK IP address.
What a great read. Thanks.
Do those small utility boxes alongside the tracks make sense for fiber optic? I expected things like that to be larger, if only because fiber has a minimum bend radius.
Edit: Good article though, I enjoyed it a lot.