Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Worm Active in North Korea Shows Faults in IP-Based Attribution

A worm spotted on computers in North Korea shows why the source of a cyberattack should never be determined based only on IP addresses.

A worm spotted on computers in North Korea shows why the source of a cyberattack should never be determined based only on IP addresses.

United States authorities say they’re confident that North Korea is behind the recent attack on Sony Pictures Entertainment. However, the only evidence presented so far is that some of the IP addresses utilized by the attackers have been “exclusively used by the North Koreans.”

Some believe that the FBI must have other evidence tying North Korea to the Sony hack besides some IP addresses. However, many of the experts contacted last week by SecurityWeek agree that IP addresses alone can’t be considered conclusive evidence.

“Attribution is always a dangerous game. Attackers leave plenty of red herrings to cover their footsteps and make following their trail next to impossible. This is exactly the case with Sony – a few lines of code or IP addresses indicate North Korea, making for a great story, but the actual attack could have come from anywhere,” said Ian Amit, Vice President of ZeroFOX.

Suspicious activity traced back to a certain IP address is often associated with malware, as messaging security software provider Cloudmark showed on Friday.

Currently, there are only 1,024 IPv4 addresses allocated to North Korea ( IP address block). On December 11, Cloudmark noticed that one of these addresses,, had been used to send spam.

Spamhaus’ Composite Block List (CBL) shows that this IP address is infected with Wapomi, an old worm that spreads through network shares and removable drives. Wapomi could allow hackers from outside North Korea to conduct malicious activities from within the country because the threat enables attackers to download and execute any type of malware on the victim’s machine, Cloudmark said.

“Cloudmark only detected this IP address sending spam on December 11, 2014, but it could have been under the control of criminal hackers long before that. It’s not clear if this is one of the IP addresses that the FBI regards as ‘Known North Korean infrastructure’,” Cloudmark research analyst Andrew Conway wrote in a blog post. “However, unless the FBI releases more specific details of their case against North Korea, including email headers and mail server logs, some experts will continue to question if they are in fact correct.”

WhiteHat Security researchers have analyzed the Naenara Browser, the Web browser bundled with North Korea’s official operating system, Red Star OS. The browser is designed to allow the North Korean government to closely monitor Internet users’ online activities, experts found.

Don’t miss the upcoming panel “Sony and the DPRK: A Question of Attribution” at Suits and Spooks DC moderated by The Wall Street Journal’s Danny Yadron.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


FBI says a North Korea-linked threat group known as Lazarus and APT38 is behind the $100 million Horizon bridge cryptocurrency heist.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A China-linked hackers are exploiting a vulnerability (CVE-2022-42475 ) in Fortinet FortiOS SSL-VPN, Mandiant claims.


FBI Director Christopher Wray is “deeply concerned” about the Chinese government’s artificial intelligence program, asserting that it was “not constrained by the rule of...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...


Researchers tracking a remote code execution vulnerability in Zoho’s ManageEngine products are warning organizations to brace for “spray and pray” attacks across the internet.