Cyberspying from North Korean IP addresses spikes

Byron Acohido, USA TODAY | USATODAY

SEATTLE – North Korea is doing more than just saber rattling.

Tech security firm Solutionary on Thursday disclosed analysis showing a spike in cyberspying attempts during the month of February originating from computers with North Korean IP addresses.

Solutionary refers to any overt external attacks on company networks, as well as attempts to steal data, as "touches."

In February, Solutionary recorded 12,473 touches directed at its clients' networks.

North Korea has historically generated no more than 200 such touches per month. That compares to China and Russia, which typically generate millions of touches a month.

Jon Heimerl, director of strategic security for Solutionary, notes that roughly 11,000 of these touches were directed against a single financial services entity as part of a prolonged attack, but that the remaining spike of around 1,000 was spread across the rest of Solutionary's corporate clients.

"That's still a relevant number," Heimerl says. "North Korea has never been considered a big player (in cyber warfare) but things are beginning to change with the new regime."

Heimerl acknowledges that there is no hard evidence directly tying the North Korean government to this escalation in cyberspying. But he says there appear to be "several parallels between escalated verbal rhetoric and escalated cyberattacks."

Says Heimerl: "The dual-path of aggression is a new way of facing the world, at least from North Korea. Given the more hard-line government in North Korea, we expect escalations like this to continue, and to become even more evident in other conflicts around the globe."

Speaking of which, security start-up Cyber Squared on Thursday reported that the "Comment Crew," also known as "APT1," is back in action. You may recall this spy gang with ties to the Chinese military grabbed headlines a couple of months ago when forensics firm Mandiant released a detailed report on the gang's day-to-day activities.

Some observers predicted Comment Crew would disperse. That did not happen, says Rich Barger, Cyber Squared's chief intelligence officer.

Cyber Squared has been tracking numerous Chinese cyber espionage threat groups within ThreatConnect.com, an online forum where more than 300 good-guy researchers share intel. Their consensus: Comment Crew and other Chinese APT threat groups are still conducting exploitation operations, and have not even bothered to significantly alter their tactics.

"In the case of Comment Crew, this signifies that there is no incentive for them to change," says Barger. "They will continue to operate under a status quo until they find that they are no longer operationally successful."