Worm Active in North Korea Shows Faults in IP-Based Attribution

A worm spotted on computers in North Korea shows why the source of a cyberattack should never be determined based only on IP addresses.

United States authorities say they’re confident that North Korea is behind the recent attack on Sony Pictures Entertainment. However, the only evidence presented so far is that some of the IP addresses utilized by the attackers have been “exclusively used by the North Koreans.”

Some believe that the FBI must have other evidence tying North Korea to the Sony hack besides some IP addresses. However, many of the experts contacted last week by SecurityWeek agree that IP addresses alone can’t be considered conclusive evidence.

“Attribution is always a dangerous game. Attackers leave plenty of red herrings to cover their footsteps and make following their trail next to impossible. This is exactly the case with Sony – a few lines of code or IP addresses indicate North Korea, making for a great story, but the actual attack could have come from anywhere,” said Ian Amit, Vice President of ZeroFOX.

Suspicious activity traced back to a certain IP address is often associated with malware, as messaging security software provider Cloudmark showed on Friday.

Currently, there are only 1,024 IPv4 addresses allocated to North Korea (175.45.176.0/22 IP address block). On December 11, Cloudmark noticed that one of these addresses, 175.45.176.143, had been used to send spam.

Spamhaus’ Composite Block List (CBL) shows that this IP address is infected with Wapomi, an old worm that spreads through network shares and removable drives. Wapomi could allow hackers from outside North Korea to conduct malicious activities from within the country because the threat enables attackers to download and execute any type of malware on the victim’s machine, Cloudmark said.

“Cloudmark only detected this IP address sending spam on December 11, 2014, but it could have been under the control of criminal hackers long before that. It’s not clear if this is one of the IP addresses that the FBI regards as ‘Known North Korean infrastructure’,” Cloudmark research analyst Andrew Conway wrote in a blog post. “However, unless the FBI releases more specific details of their case against North Korea, including email headers and mail server logs, some experts will continue to question if they are in fact correct.”

WhiteHat Security researchers have analyzed the Naenara Browser, the Web browser bundled with North Korea’s official operating system, Red Star OS. The browser is designed to allow the North Korean government to closely monitor Internet users’ online activities, experts found.

Don’t miss the upcoming panel “Sony and the DPRK: A Question of Attribution” at Suits and Spooks DC moderated by The Wall Street Journal’s Danny Yadron.