North Korea: Hackers or Hacked?

Attempting to attribute the Sony Pictures Entertainment attack to North Korea is complicated by the fact that a worm active in that country may be allowing foreign hackers access to computers within North Korea. While there is no evidence that computers infected with this worm were involved in the attack on Sony, any attribution based on IP address alone must be treated as suspect.

North Korea has an extremely narrow connection to the Internet. There is a single ISP, Star JV, which is a joint venture between the national telecom ministry and Thailand's Loxley Pacific. Star JV peers with two other networks, China Unicom and Intelsat, to reach the Internet, and is allocated only a single IP address block, 175.45.176.0/22. That block contains 1,024 IPv4 addresses, a very small allocation for a country of 24 million people. For comparison, it is the same number of IP addresses as is allocated to Cloudmark.

The FBI has identified North Korea as the source of the recent compromise of Sony Pictures Entertainment (SPE). Other researchers remain dubious of this claim, stating that the level of access gained by the attackers indicates that it was an inside job involving disgruntled ex-employees. One argument against North Korean involvement in the SPE attack is that the country does not have the bandwidth to receive the large volume of data that was exfiltrated from Sony. However, the data may well have been exfiltrated to a location outside North Korea; for example, one part of the SPE attack was traced to the Regis Hotel in Bangkok. As part of its evidence that North Korea was responsible for the SPE attack, the FBI stated that, "...several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack."
On examining the email flows sent to Cloudmark clients from North Korean IP addresses, we can see that one North Korean IP, 175.45.176.143, has been sending spam, which is a common sign of an infected machine. The Composite Block List (CBL) maintained by the anti-spam non-profit Spamhaus confirms this: it currently lists 175.45.176.143 as infected with the Wapomi worm, which spreads via USB drives and file server shares. This malware includes a software downloader that gives the criminal controlling it the ability to download and run any sort of malware on the victim's machine. Cloudmark only detected this IP address sending spam on December 11, 2014, but it could have been under the control of criminal hackers long before that. It is not clear whether this is one of the IP addresses that the FBI regards as "known North Korean infrastructure." However, unless the FBI releases more specific details of their case against North Korea, including email headers and mail server logs, some experts will continue to question whether they are in fact correct.
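The triage this post argues for, as an added example that is not Cloudmark's code: confirm a candidate indicator actually falls inside the 175.45.176.0/22 allocation, build the reversed-octet DNSBL query name a blocklist client would resolve, and downgrade confidence for any address already listed as infected. The zone name and the sample indicators are assumptions; the DNS lookup itself is left to the reader and stood in for by a constructed set.

```python
import ipaddress

# The single DPRK allocation named in the post; a /22 holds 1,024 IPv4 addresses.
DPRK_BLOCK = ipaddress.ip_network("175.45.176.0/22")
# DNSBL zone to query (assumed name); the reversed-octet query format is standard.
CBL_ZONE = "cbl.abuseat.org"


def dnsbl_query_name(ip: str, zone: str = CBL_ZONE) -> str:
    """Return the DNS name a blocklist client resolves for `ip`:
    the IPv4 octets in reverse order, followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 lookups are handled here")
    reversed_octets = ".".join(reversed(addr.exploded.split(".")))
    return f"{reversed_octets}.{zone}"


def triage(indicators, listed=frozenset()):
    """Classify candidate attacker IPs for attribution.

    `listed` stands in for the DNSBL answer: the indicators whose query
    name resolved (constructed here rather than looked up over the network)."""
    results = []
    for ip in indicators:
        addr = ipaddress.ip_address(ip)
        in_dprk = addr in DPRK_BLOCK
        infected = ip in listed
        if not in_dprk:
            verdict = "outside DPRK allocation"
        elif infected:
            # A blocklisted host may be relaying for someone outside the country.
            verdict = "DPRK allocation, blocklisted: may be remotely controlled, low confidence"
        else:
            verdict = "DPRK allocation, not blocklisted"
        results.append({"ip": ip, "in_dprk": in_dprk, "infected": infected, "verdict": verdict})
    return results


# Constructed sample: the blocklisted host from the post, another address in the
# same /22, and a documentation-range address outside it.
SAMPLE_INDICATORS = ["175.45.176.143", "175.45.177.9", "203.0.113.5"]
SAMPLE_LISTED = frozenset({"175.45.176.143"})

if __name__ == "__main__":
    for row in triage(SAMPLE_INDICATORS, SAMPLE_LISTED):
        print(row["ip"], dnsbl_query_name(row["ip"]), row["verdict"], sep="  ")
```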