Could North Korea be framed for global cyberattacks?
"Attribution of these attacks is extremely difficult," warns Trend Micro researchers.
Ever since the Sony Pictures hack in 2014, the reclusive state of North Korea has been linked to a number of cybercrimes – from the $81m (£61.5m) heist at the Bangladesh Central Bank in 2016 to the WannaCry outbreak back in May – but how do we know it was involved?
According to reports, the hermit kingdom's hacking unit has grown to around 6,000 people, and it conducts operations even as the country's own internet connectivity remains minimal.
Chris Inglis, the former deputy director of the National Security Agency (NSA), recently said it may be "one of the most successful cyber-programmes on the planet".
But new research released by Trend Micro shows how true attribution in such cases remains murky.
"Computers connected to the internet in North Korea are susceptible to malware and botnet infections, just like in any other country," the firm said on 17 October.
"There are computers in the country that communicate with [...] servers of actors that most likely operate from overseas. This also means that massive port scans or hack attempts originating from North Korean IP space could be the work of actors located elsewhere."
Trend Micro runs honeypot-style operations to monitor malware and attacks emanating from North Korean IP addresses. Most attacks and port scans, it said, come from the same network that hosts the proxy exit nodes used by international visitors to the country.
"Attribution of these attacks is extremely difficult, as the scans could either be from real North Korean actors or compromised computers that get their orders from command and control (C&C) servers overseas," the company's analysts wrote in the report.
"This leads us to an interesting conclusion.
"A number of public reports used the appearance of a North Korean IP address in a log file as one of the key factors that links certain operations to North Korean hackers.
"We have demonstrated with a number of findings that this may not always be sufficient evidence as the North Korean network does have compromised machines just like any other network connected to the internet."
"The North Korean internet is not as strictly controlled as many assume it to be and some internet traffic coming out of North Korea is, in fact, caused by botmasters overseas."
Of course, North Korean hackers have been known to operate outside the country, mainly in China, one of its few remaining allies. That access is reportedly under threat as a result of US pressure, but Russia has reportedly stepped in to keep the country connected.
North Korea's main hacking team has been christened "Lazarus" by many experts – and research is clear: the threat is very real. The clandestine group has, most recently, reportedly been targeting cash machines in South Korea and bitcoin exchanges in order to steal currency.
Cybersecurity firm Symantec said code previously seen in the group's tools was found in WannaCry, the ransomware strain that infected hundreds of thousands of computers around the world back in May. The assertion backed up an initial finding from Google researcher Neel Mehta.
In 2014, the US government took the rare step of formally accusing Kim Jong-un's government of ordering the Sony Pictures hack, based on evidence from the NSA.
Only last month, Donald Trump confirmed US forces were attacking the North's internet.
But experts remain convinced that true attribution of cyberattacks remains difficult. Could North Korean hackers be framed?
It's possible. But an IP address is only one indicator. Code samples, the malware families used and attack patterns (tactics, techniques and procedures) are other ways to identify a threat actor.
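The Trend Micro finding quoted above, and the point just made about corroborating indicators, can be turned into a simple triage rule: a scanner whose address falls inside the watched IP space but which also beacons to a known overseas command-and-control server is more plausibly a compromised host taking orders from elsewhere than a local operator. The script below is an added illustration, not code from Trend Micro or from this article. All of its inputs are constructed: the monitored prefix is the documentation range 203.0.113.0/24 standing in for "the network under observation", the C2 address is another documentation-range placeholder, and the honeypot and outbound log lines are invented for the example.

```python
"""Added example: why a source IP in a honeypot log is weak attribution evidence."""
import ipaddress
import re
from collections import defaultdict

# Constructed placeholders (RFC 5737 documentation ranges), not real allocations.
MONITORED_PREFIX = ipaddress.ip_network("203.0.113.0/24")
KNOWN_OVERSEAS_C2 = {"198.51.100.9"}

# Constructed honeypot hits: which source scanned which port on the sensor.
HONEYPOT_LOG = """\
2017-10-12T03:14:07Z src=203.0.113.17 dport=22 proto=tcp
2017-10-12T03:14:09Z src=203.0.113.17 dport=445 proto=tcp
2017-10-12T03:20:41Z src=203.0.113.58 dport=3389 proto=tcp
2017-10-12T04:02:13Z src=192.0.2.77 dport=22 proto=tcp
"""

# Constructed outbound flows from the same hosts (as a sensor watching that
# network might see them). A scanner that also beacons to a known C2 server
# on a regular cadence looks like a bot, not an operator-driven scan.
OUTBOUND_LOG = """\
2017-10-12T03:00:00Z src=203.0.113.17 dst=198.51.100.9 dport=443 proto=tcp
2017-10-12T03:05:00Z src=203.0.113.17 dst=198.51.100.9 dport=443 proto=tcp
2017-10-12T03:10:00Z src=203.0.113.17 dst=198.51.100.9 dport=443 proto=tcp
2017-10-12T03:30:00Z src=203.0.113.58 dst=192.0.2.10 dport=80 proto=tcp
"""

# One pattern covers both log shapes; "dst=" is optional for honeypot lines.
LINE_RE = re.compile(r"src=(?P<src>\S+)(?: dst=(?P<dst>\S+))? dport=(?P<dport>\d+)")


def parse(log):
    """Yield dicts with src, dst (None for honeypot lines) and dport."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def triage_scan_sources(honeypot_log, outbound_log,
                        prefix=MONITORED_PREFIX, c2_ips=KNOWN_OVERSEAS_C2):
    """Classify each scanning source instead of attributing it on IP alone."""
    scanned_ports = defaultdict(set)
    for rec in parse(honeypot_log):
        scanned_ports[rec["src"]].add(int(rec["dport"]))

    # Count beacons from each host to the known overseas C2 addresses.
    c2_contacts = defaultdict(int)
    for rec in parse(outbound_log):
        if rec["dst"] in c2_ips:
            c2_contacts[rec["src"]] += 1

    verdicts = {}
    for src, ports in scanned_ports.items():
        if ipaddress.ip_address(src) not in prefix:
            verdict = "outside monitored prefix"
        elif c2_contacts[src]:
            # Orders come from overseas: the IP alone must not be attributed
            # to the network's local operators.
            verdict = "likely compromised: beacons to overseas C2"
        else:
            # In the prefix, but still only one indicator. Corroborate with
            # malware samples, code overlap and attack patterns before naming.
            verdict = "in prefix: needs corroboration"
        verdicts[src] = {
            "ports": sorted(ports),
            "c2_contacts": c2_contacts[src],
            "verdict": verdict,
        }
    return verdicts


if __name__ == "__main__":
    for src, info in triage_scan_sources(HONEYPOT_LOG, OUTBOUND_LOG).items():
        print(f"{src:15} ports={info['ports']} c2={info['c2_contacts']} -> {info['verdict']}")
```

The useful part is the middle branch: 203.0.113.17 scans the honeypot from inside the watched prefix, which is exactly the evidence the reports Trend Micro criticises would have logged, yet its three beacons to the C2 placeholder say the machine is being driven from outside. Only a host with no such signal, like 203.0.113.58, even reaches the "needs corroboration" stage, and that stage still requires samples, code overlap or attack patterns before anyone names an actor.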
Kaspersky Lab, a Moscow-based cyber-intelligence and anti-virus company, spoke out last year after it emerged a campaign dubbed "TigerMilk" used false flags to confuse experts.
"The attribution of targeted attacks is complicated, unreliable and subjective – and threat actors increasingly try to manipulate the indicators researchers rely on, further muddying the waters," said senior Kaspersky researcher Brian Bartholomew at the time.
He added: "We believe that accurate attribution is often almost impossible."
It's clear to everyone that North Korea hacks. What separates it from other nations, such as the US and UK, is that it uses digital techniques for criminal purposes, not just espionage. But it's also clear that knee-jerk links to the regime need careful scrutiny going forward.