When the FBI publicly announced that the North Korean regime was responsible for an embarrassing compromise of corporate networks at Sony Pictures Entertainment, security experts remained skeptical. FBI Director James Comey doubled down on the assertion yesterday at the Fordham University International Conference on Cyber Security, saying that the hackers in question “got sloppy” with their use of proxy servers.
“There is not much in this life that I have high confidence about,” he said. “I have very high confidence about this attribution as does the entire intelligence community.”
According to excerpts and videos of his speech posted by various media outlets, Comey said he’d like to quell the critics by telling the whole story of why the FBI claims it came to know North Korea was behind the attack. At the same time, he also acknowledged the importance of keeping secret the FBI’s valued investigatory and forensic techniques regarding “how they see what they see.”
“Now I know because I’ve read in the newspaper—seen in the news—that some serious folks have suggested that we have it wrong,” Comey said. “I would suggest—not suggesting, I’m saying—that they don’t have the facts that I have—don’t see what I see—but there are a couple things I have urged the intelligence community to declassify that I will tell you right now.”
Absent from Comey’s justification were the reasons the FBI has already given for it’s belief that North Korea was behind the attack. Namely, the similarities in infrastructure and in the destructive, wiper malware used in this and other attacks attributed to North Korea.
FBI Director James Comey expands on North Korea Sony hack attribution at #ICCS yesterdayTweet
Comey explained that one of the recently de-classified reasons the intelligence community is blaming North Korea for the hack stems from work done by the FBI’s Behavioral Analysis Unit at Quantico. The unit studied “the writings and the diction” of the group calling itself the Guardians of Peace and compared it to there attacks originating in North Korea and determined it was the same actors.
Of course, Comey could be appealing to a false authority with that reason, but his second reason, if true, has more weight:
“The Guardians of Peace would send e-mails threatening Sony employees and would post online various statements explaining their work,” Comey explained. “And in nearly every case they used proxy servers to disguise where they were coming from.
“And several times they got sloppy. Several times either because they forgot or because they had a technical problem they connected directly and we could see them. And we could see that the IP addresses being used to post and to send the e-mails were coming from IPs that were exclusively used by the North Koreans.”
Reports detailing an apparent network compromise at SPE began surfacing on Nov. 25. It quickly became apparent that SPE’s networks had been thoroughly compromised, as a group calling itself “The Guardians of Peace” took credit for the hack and began releasing troves of information purloined from the production studio’s porous networks. To date, the stolen information has included copies of yet-to-be-released films and scripts, employee healthcare and salary information and internal email spools.
The popular narrative had it that hackers acting at the behest of the North Korean government attacked Sony for producing a comedy called “The Interview” in which a TV host and his producer are granted a rare interview with and carry out a CIA plot to assassinate North Korean dictator Kim Jong-Un.
Skeptics have noted, reasonably so, that nation-state sponsored attacks are generally secretive, whereas the attack on Sony has been very public.