Priyom reverse-engineers North Korean DPRK-ARQ diplomatic modem
Thursday, February 1, 2018
Have a listen:
Maybe you have heard this before. It is a sample recording of the rather common DPRK-ARQ modem, providing diplomatic communications on shortwave between North Korea and its embassy network. But one thing we didn't imagine when we started looking into this modem was just how prolific this North Korean diplomatic network is.
Since the reactivation of V15 in June 2016, North Korea is back in the numbers station world. Probably spurred by the escalating international tensions around the nuclear ambitions of the North Korean regime, monitoring of Radio Pyongyang and V15 has hit a bit of a craze - with reports that sometimes get a bit overly enthusiastic about radio signals sporadically heard under Radio Pyongyang on the same frequency, yet unrelated, such as the Common and Precious Morse beacon from Germany; or of correlation patterns between V15 transmissions and upcoming missile tests by the North Korean regime, from enthusiasts probably oblivious that V15 messages simply follow a known, predictable bi-monthly schedule.
Meanwhile, far from the spotlight, their diplomatic communications on shortwave have always been going on, quietly and little-noticed; the current modem, with its inconspicuous data bursts, has been in use since as far back as 2003. When V15 reappeared, I, for one, was enamored with its folk music and the pompous enunciation of the North Korean announcers; in comparison, when I first considered looking into DPRK-ARQ, it didn't hold much more of a promise than an interesting study of a simple messaging protocol. But oh boy, was I wrong!
The FSK waveform quickly yielded a basic synchronous packet structure. But that turned out to be only the first step of many. Beneath these small 8-byte packets, a sophisticated multi-mode, full-duplex protocol slowly emerged, with several regional variants coexisting on the network and an impressive list of link control command codes. Beneath this protocol, the payload too revealed several message types and a complete binary header structure; we struggled, but managed to identify and understand, one by one, the purpose of each field, and we observed how they tied in with the topology of the embassy network and the way messages were distributed and relayed. In the meantime, being able to decode and identify the stations behind these data bursts, we could compile a schedule of all the known links and contacts involving each embassy.
Although there are still a few details here and there left to clarify, and only one-third of the embassy network has been precisely mapped so far, the Priyom team is proud to share and publish this research: to our knowledge, it is the first time that the DPRK-ARQ protocol and operations have been publicly documented to this extent and in such depth - although we imagine that intelligence agencies were already familiar with this knowledge! Visit our diplomatic stations section to read all the details.
One of the fun parts of studying this network is the sheer amount of traffic it carries. While V15 sends out a measly one message a week, the DPRK-ARQ network sees several telegrams every day, and many thousands in a year! Sometimes a single transmission carries more than 10 messages, and considering that contacts are scheduled twice a day, it's always a wonder how they manage to churn out so much traffic overnight! Another great particularity is that DPRK-ARQ doesn't use a star network, like for example the Egyptian diplomatic network, where every embassy communicates over direct shortwave links with Cairo. Instead, the network is a distribution tree, where messages from Pyongyang get relayed several times, hop by hop, embassy by embassy. It's quite interesting to see the same message, which must be of global concern, appear on several links, getting spread out in different directions to all or most embassies, and then see it dutifully retransmitted to further downstream destinations on other links a bit later.
But maybe the best part of this network is the generous amount of cleartext content it carries. Of course, some of it is just simple ASCII commands found in operator chatter. But monitor long enough, and you'll be surprised to catch operators discussing contact scheduling or operational issues, and even a few cleartext telegrams! It's always a bit obscure, as it's all written in Korean, in the North Korean dialect, and using their particular KPS 9566 character encoding, which nobody else seems to support. But when you work it out, this is a goldmine for figuring out what's going on behind the scenes.
The DPRK-ARQ modem is not the first digital mode that the Priyom team has tackled. In 2014, we reverse-engineered the Polish intelligence mode F11, which was still called POL FSK at the time. In 2017, before moving on to DPRK-ARQ, we contributed major breakthroughs in decoding the Russian F06 modem and implemented them in the Rivet decoder; these advances were also picked up by other, commercial software. As you can read in our mission statement, we believe in researching stations in the open and providing this information to the public, freely, without barriers. Although not all players in the industry share our ideology, we do invite SIGINT software vendors to likewise implement our DPRK-ARQ research, and to contact us to collaborate on or sponsor our work! In parallel to DPRK-ARQ, we've also started bringing to light the successors to F11: a group of FSK- and PSK-based counterpart modes newly designated as F03 and P03. Research on their data scrambling is still going on, so stay tuned!
linkfanel, OK SK