Cyber Incident Victim: Org 99206a16-01ce-4eda-a758-baaaac2722de
Date: Jan 2022
Location: North Korea
Summary
North Korea experienced suspected distributed denial-of-service (DDoS) attacks causing significant internet outages across two separate incidents, with the latest lasting approximately six hours and disrupting all inbound and outbound traffic. While email services later recovered, critical web infrastructure—including servers for the national airline, foreign affairs ministry, and government portal—remained intermittently inaccessible due to sustained network stress. Researchers noted the outages followed a pattern of escalating operational degradation, starting with timeouts before progressing to server and router failures, consistent with targeted network disruption rather than physical infrastructure issues. The country's highly restricted internet access, available to a minimal fraction of its population, amplified the impact of these disruptions.
Description
North Korea experienced two suspected distributed denial-of-service (DDoS) attacks targeting its internet infrastructure in January 2022, with incidents occurring on January 14 and January 26. The second attack began on the morning of January 26 and lasted approximately six hours, coinciding with North Korea's fifth missile test of the month. During the peak of this incident, all internet traffic to and from North Korea was disrupted, according to cybersecurity researcher Junade Ali, who monitored multiple North Korean web and email servers. Initial recovery saw email servers restored, but critical web infrastructure remained partially affected, including systems operated by state airline Air Koryo, the Ministry of Foreign Affairs, and the government's official Naenara portal. The attacks followed a similar pattern of concurrent outages observed during the January 14 incident reported by NK Pro, with Ali noting the simultaneous failure of all monitored web properties as atypical compared to routine individual server downtime.

Technical analysis indicated a progression of operational degradation during both incidents, beginning with network timeouts followed by individual server failures and culminating in key routers disconnecting from the internet. This pattern suggested deliberate network stress rather than alternative explanations such as power outages. Internet access in North Korea remains highly restricted, with estimates suggesting fewer than 25,000 citizens (0.1% of the population) have direct global connectivity, amplifying the operational impact of these outages on state institutions. No entity claimed responsibility for the attacks, and the North Korean government did not publicly acknowledge the disruptions. Researcher observations confirmed the restoration of basic email functionality within hours of the January 26 attack, while web services for specific government entities continued experiencing intermittent availability issues beyond the initial six-hour outage window.
