Re: "Believed to be operating out of North Korea"
Attribution is hard. It's. possible that someone's been framing North Korea for an unspecified length of time, and they either are responsible for everything attributed to that country or are very good at mimicking characteristics of their malware to do the framing. If so, they're really good at fooling everybody. However, we've seen what it's like when people try to blame North Korea--someone who is probably Russia but theoretically could be someone else tried to do that a couple years ago, and they didn't stay hidden for very long.
As for solid proof, there are several types. The basic type of having found assets in the malware relating in some way to North Korea applies to most of them, but could obviously be faked given some effort. This runs from the simple string frequently used there to a network address that has been operated by Pyongyang interests at some point. There is also the tactic of code comparison. If a group uses a similar module (similar in the sense of similar compiled code) that was previously reliably attributed to North Korea, then it's probably North Korea doing it again. They're the only ones with the source, so it's extremely unlikely that someone went to the effort of reverse engineering their codebase just so they'd produce similar binaries. And finally, we can have extra confidence in some of these tactics because there are some pieces of malware to which the North Korean government has admitted. Using these tactics, researchers who have spent years looking at malware from different groups can do a reasonably good job of telling when one of those groups spins up again. Nothing is guaranteed, and attribution is very tricky, but don't presume they don't know what they're talking about.
Biting the hand that feeds IT
