How the FBI traced the Sony hack to North Korea

Bloomberg


Movie-goers wait in line outside the Los Feliz 3 Cinema in Los Angeles, California to purchase tickets for "The Interview," on Dec. 25, 2014.


U.S. investigators were able to trace the hacking of Sony Pictures Entertainment to North Korea’s intelligence agency because of sloppy tradecraft used by the attackers, according to FBI Director James Comey.
The hackers sent e-mails to Sony employees and posted material online using Internet addresses known to be used exclusively by the North Korean government, Comey said in a speech today at a cybersecurity conference in New York.
“I have very high confidence about this attribution, as does the entire intelligence community,” Comey said.
The attack, which became public in November, was overseen by North Korea’s Reconnaissance General Bureau and is the most serious digital assault ever on America, U.S. Director of National Intelligence James Clapper said in a separate speech at the conference. North Korea’s government has denied involvement.
The comments by Clapper and Comey are part of an effort by President Barack Obama’s administration to explain why it has pinned blame on North Korea. A group calling itself the Guardians of Peace has claimed responsibility for the attack, which rendered thousands of computers inoperable and forced Sony to take its entire network offline.
The attack exposed Hollywood secrets, destroyed company data and caused the movie studio to initially cancel the release of a comedy about a fictional assassination of North Korea’s leader, Kim Jong Un.
‘Sloppy’ tradecraft
The group often routed its e-mails and Internet communications through servers that hid its true Internet Protocol addresses, Comey said. Sometimes, however, they “got sloppy,” he said. He offered previously unreleased evidence to bolster attribution to North Korea.
“Several times, either because they forgot or they had a technical problem, they connected directly and we could see them,” Comey said. “We could see that the IP addresses that were being used to post and to send e-mails were coming from IPs that were exclusively used by the North Koreans.”
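The mechanism Comey describes in the two paragraphs above, e-mail that normally arrived through intermediaries but sometimes came straight from an address already tied to the actor, is something a mail administrator can look for in the Received: header chain of the messages that reached them. The Python below is an added example, not code from the article or from any investigating agency. It is built on one assumption worth stating: only the Received: line written by a relay you operate is trustworthy, because every older line was written by someone else and can be forged, so the check is done on the peer that connected to your own relay rather than on the oldest header in the message. The relay hostname, the two sample messages and the attributed prefix (the RFC 5737 documentation range 198.51.100.0/24, standing in for whatever block an analyst has actually attributed) are all constructed for illustration.

```python
"""Check who handed a message to our own mail relay against a table of
network prefixes an analyst has already attributed to an actor.

Added example, not from the article.  All hostnames, addresses, prefixes
and messages below are constructed; 198.51.100.0/24 and 203.0.113.0/24
are RFC 5737 documentation ranges used as stand-ins.
"""
import ipaddress
import re
from email import message_from_string

# Assumed, analyst-maintained attribution table: prefix -> label.
ATTRIBUTED_PREFIXES = {
    ipaddress.ip_network("198.51.100.0/24"): "actor-A (constructed)",
}

# Assumed: the hostnames our own MTAs write into the "by" clause.
OUR_RELAYS = {"mx.studio.example"}

# The bracketed IPv4 literal an MTA records for the peer it accepted from,
# e.g. "from host.example (host.example [203.0.113.5]) by ..."
_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_BY_HOST = re.compile(r"\bby\s+([\w.-]+)")


def all_hops(raw_message):
    """Every peer IP recorded in a Received: header, oldest hop first.

    MTAs prepend Received: headers, so the parsed list runs newest -> oldest
    and is reversed here.  Nothing in this list is verified; a sender can
    write arbitrary Received: lines before handing the mail to the first
    relay it does not control.
    """
    msg = message_from_string(raw_message)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = _BRACKET_IP.search(" ".join(hdr.split()))
        if m:
            hops.append(ipaddress.ip_address(m.group(1)))
    return hops


def trusted_peer(raw_message):
    """The IP that connected to one of OUR_RELAYS, or None.

    Scanning from the oldest header upward, the first header whose "by"
    host is ours is the first point where the mail touched infrastructure
    we control.  The peer address in that header is the only hop we can
    vouch for: it is the address the connecting side actually used,
    whether that was a proxy or, when the sender "connected directly",
    its own machine.
    """
    msg = message_from_string(raw_message)
    for hdr in reversed(msg.get_all("Received", [])):
        flat = " ".join(hdr.split())
        by = _BY_HOST.search(flat)
        if by and by.group(1) in OUR_RELAYS:
            ip = _BRACKET_IP.search(flat)
            return ipaddress.ip_address(ip.group(1)) if ip else None
    return None


def attribute_ip(ip):
    """Label of the attributed prefix containing ip, or None."""
    for net, label in ATTRIBUTED_PREFIXES.items():
        if ip in net:
            return label
    return None


def attribute_message(raw_message):
    """(peer IP as text, attribution label) for the trusted hop."""
    ip = trusted_peer(raw_message)
    if ip is None:
        return (None, None)
    return (str(ip), attribute_ip(ip))


# Constructed sample 1: sender went through an intermediary.  The oldest
# header claims an attributed address, but it was written by the proxy,
# not by us, so it proves nothing either way.
PROXIED_MESSAGE = """\
Received: from proxy.relay.example (proxy.relay.example [203.0.113.5])
 by mx.studio.example with ESMTP; Mon, 24 Nov 2014 08:00:00 -0800
Received: from [198.51.100.7] by proxy.relay.example; Mon, 24 Nov 2014 07:59:00 -0800
From: sender@example.invalid
To: staff@studio.example
Subject: constructed sample

body
"""

# Constructed sample 2: the sender connected to our relay directly.
DIRECT_MESSAGE = """\
Received: from client.example.invalid (unknown [198.51.100.7])
 by mx.studio.example with ESMTP; Mon, 24 Nov 2014 08:05:00 -0800
From: sender@example.invalid
To: staff@studio.example
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for name, raw in (("proxied", PROXIED_MESSAGE), ("direct", DIRECT_MESSAGE)):
        print(name, "hops:", [str(h) for h in all_hops(raw)],
              "trusted peer ->", attribute_message(raw))
```

The proxied sample is the normal case in the article: the trusted hop is the intermediary, which is not in the table, and the attributed address appearing further down the chain is discarded rather than trusted. The direct sample is the "got sloppy" case: the peer that connected to our relay falls inside an attributed prefix. A real deployment would load the prefix table from the analyst's own records and would also record the SMTP client address at the relay itself rather than re-parsing headers.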
It’s also likely the hackers used so-called spearphishing attacks, or targeted e-mails laced with malicious code, to gain initial entry into Sony’s networks, Comey said at the conference, hosted by the Federal Bureau of Investigation and Fordham University.
He said U.S. investigators are still exploring exactly how the hackers got into Sony’s computer network.
Public pushback
The Sony hack caused “potentially hundreds of millions of dollars in damage,” Clapper said. The Obama administration tightened sanctions on North Korean officials and state organizations in response.
For the first time, Clapper explained why the U.S. quickly and publicly attributed the Sony attack to the North Korean government, which contrasts with other hacks that have taken years to determine who was responsible or have gone unattributed.
Clapper said the U.S. had to “push back” in order to deter North Korea from carrying out similar attacks.
“Cyber is a powerful new realm for them where they believe they can exert maximum influence at minimum cost,” Clapper said.
Clapper warned that North Korea would be encouraged to carry out similar hacking attacks for the international attention and recognition.
“This recent episode with Sony has shown that they can get recognition for their cybercapabilities,” Clapper said. “If they get global recognition at a low cost and no consequence, they will do it again and keep doing it again until we push back.”
Different philosophy
The attack “was driven by an entirely different philosophy” in North Korea, Clapper said.
“They really do believe they are under siege from all directions, and painting us as an enemy that’s about to invade their country every day is one of the chief propaganda elements that’s held North Korea together for the past 60 years,” he said. They are deadly serious “about affronts to the supreme leader, whom they consider to be a deity.”
Clapper said he saw the movie that appeared to have been the impetus for the hacking. “I watched ‘The Interview’ over the weekend and it’s obvious to me the North Koreans don’t have a sense of humor.”
Korean insight
Clapper said he gained insight into the thinking of North Korean officials when he traveled to Pyongyang in November to secure the release of two American prisoners -- Kenneth Bae and Matthew Miller.
Clapper said he had a private dinner with the commander of the Reconnaissance General Bureau, General Kim Yong Chol. He is “the guy that ultimately would have to OK the cyber-attack against Sony,” Clapper said.
The interaction with the commander became tense at one point, Clapper recalled.
“He kept leaning toward me, pointing his finger at my chest and saying U.S. and South Korean exercises are a provocation of war,” Clapper said. “Of course, not being a diplomat, my reaction was to lean back across the table and point my finger at his chest and respond that shelling South Korean islands wasn’t the most diplomatic course of action they could take either.”
“He really is, I think, illustrative of the people we’re dealing with in the cyberrealm in North Korea,” Clapper said.
