In the world of information security, it always pays to be a little sceptical – especially in terms of state-sponsored attacks. Government spies are past masters at subterfuge, meaning things are rarely as they first appear. So, when it comes to attributing cyber-attacks, don't let a good narrative get in the way of the facts. Malicious code might feature snippets of the Russian language, for example, and it might even have been sent from IP addresses located in the country, but can you be sure those behind it were Russian agents?
The same is true of North Korea; a country increasingly blamed for a range of major cyber-attacks, from Sony Pictures Entertainment to WannaCry and the Bangladesh Bank heist. Research undertaken recently by Trend Micro revealed that some internet traffic coming from the country is, in fact, controlled by overseas botmasters.
What we found
North Korea is almost unique globally in terms of the strict controls over internet usage imposed by the authoritarian regime of Kim Jong-un. Up until now, many have suggested that it's therefore highly unlikely that a malicious third party could be allowed to compromise systems inside the country. Any attacks launched from North Korean IP space could therefore reasonably be assumed to have the blessing of the government – or so the logic goes.
Yet on closer inspection, this isn't quite the case. The country's internet space consists of four class C IP ranges – representing 1,024 IP addresses in total – connected via an upstream provider in China and one in Russia. North Korea also uses one class C IP range of 256 addresses assigned to China Unicom and there are an undisclosed number of satellite internet connections.
From previous reports we understand that a small number of citizens are allowed to use the Kwangmyong national intranet, including some schools and official administrative facilities. This traffic goes through a nation-wide proxy hardcoded in the default web browser Naenara of the indigenous Red Star OS. There are also a number of public websites hosted in the country including those of the Korean Central News Agency (KCNA) and national airline Air Koryo. For foreigners, things are more relaxed still, with international sites like Facebook and Instagram available from inside the country. Their traffic – and those of long-term foreign residents – is NAT-ed over external IP addresses.
Government agencies use third-party hosters for their email, while foreign embassies, tourist agencies, banks and other foreign entities either use their own servers or public email services such as Gmail and Hotmail. Mail sent from 18.104.22.168 and 22.214.171.124 is usually legitimate, while email from other North Korean IP addresses is at greater risk of being suspicious or malicious.
Don't speak too soon
Here's where it gets interesting. Contrary to popular belief, it is actually possible to compromise computers inside the hermit nation. In fact, machines there are just as susceptible to malware as anywhere else. Data from our Smart Protection Network (SPN) shows that spam campaigns originating from the North Korean IP range are actually part of unsolicited email campaigns sent by larger botnets most likely operated from overseas.
For example, from August to December 2016, IP address 126.96.36.199 took part in a massive spam campaign distributing ransomware and other malware; but was just one of the 80,000 unique spam-sending nodes worldwide.
We've also noted North Korean websites – such as the one belonging to KCNA – are frequent targets of watering hole attacks, although it's unclear whether these were compromised by outsiders or deliberately used to host malware.
Finally, our honeypot network has spotted UDP and TCP SYN DDoS attacks against North Korean IP addresses, often aligning with geopolitical incidents or public events like military parades. DDoS attacks also originate from North Korean IP space, although it's hard to tell if they were orchestrated from inside the country or not.
So, what can we learn? In short, the North Korean internet isn't quite as tightly controlled as many think, meaning that machines inside the country have been compromised from overseas to launch attacks and conduct malicious activity. Attribution is never quite as simple as it seems, and can be further complicated by VPN providers like Hide My Ass claiming to have exit nodes in North Korea which are actually located in Western countries. This might be enough to trick sysadmins reliant on Geo IP services when they come to review log files following an attack.
Hopefully, our governments use more sophisticated techniques before pointing the finger.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.