On October 20th, 2017, I came across a news story posted on the website for The Sydney Morning Herald. The story was about an open letter which was sent from the North Korean Embassy in Jakarta, Indonesia, to the members of the Australian Parliament. The contents of the letter contained no new information and were for the most part a recitation of how evil America has become. However, as a life-long student of Open Source Intelligence (OSINT) gathering, one thing about this letter caught my eye almost immediately.
The footer lists the embassy’s official email address “firstname.lastname@example.org”. When I got over the humor of such an official email address, I began to do some digging. After some poking around I discovered that “email@example.com” is likely linked with the prior email address. Now what is very interesting is that when I plugged the Gmail address into Facebook, it resolved to a Facebook page for “Hyon Kim”.
At this point I realized I had an email address which I suspected was connected to a North Korean Embassy resolving to a Facebook profile. I then began to wonder which other embassy-connected email addresses would resolve to Facebook pages.
Thanks to Wikipedia, finding a list of countries that host North Korean Embassies proved very easy. One of the first checks I did was to look up the North Korean Embassy in the United Kingdom.
A quick internet search revealed that the email address associated with this embassy is “firstname.lastname@example.org”. This email address resolved directly to a Facebook account for “Yongho Thae”. There are a couple of interesting things about this connection. The first is that I was able to find many news sources which identify “Yongho Thae” as having been an employee with the UK Embassy. Furthermore, around 2016 it would appear that “Yongho Thae” defected while posted in London.
The second thing I found interesting was that, examining the “friends” of “Yongho Thae”, I noticed the name “Nick Bonner” (real name Nicholas Bonner). Mr. Bonner is an interesting person. Mr. Bonner runs Koryo Tours, a pro-North Korean travel company with a home base in China. Mr. Bonner was born in the United Kingdom. Thus the natural question I have is why would a North Korean embassy official be tied to a travel company on the other side of the globe? When one considers how some of the people suspected to be involved in the assassination of Kim Jong Nam were quickly gone from the country, this connection raises all kinds of interesting theories.
These two examples are not unique. In fact, I found about half of the North Korean Embassies that have published email addresses to be linked to suspiciously blank Facebook accounts.
Another interesting bit of surprising data I managed to find had to do with the email address associated with the North Korean Embassy in Mongolia (email@example.com). This email fell in the roughly 50% that did not resolve to a Facebook page. However, when I checked this address against the Have I Been Pwned database, guess what? It has. In fact, much to my delight, many email addresses I have been able to find associated with North Korean Government Institutions have been involved in some major breaches.
In quick order I found the breach data:
Account User Name: richol (male)
Name: 리철광 (sorry my Korean is not very good and online translators don’t seem to do names very well)
Date of birth: 10-8-1948
Unsalted password hash: f5b7bede50a81a6ed28a82708dcf57f4
Keep in mind this is for the embassy in Mongolia. Any guesses what the password hash is? “mongolia”; yep, it would seem at one point the embassy in Mongolia had their email password as “mongolia”.
So for now I will leave it at that. Please let me know what you think about this article. You can connect with me on Twitter or use the above link to contact me.