The FBI announced today that it has gathered enough evidence to say with certainty that the government of the Democratic People’s Republic of Korea is in fact responsible for recent intrusions into the networks of Sony Pictures Entertainment (SPE).
This fact was all but officially stated yesterday when several media outlets, citing unnamed government sources, published reports claiming the U.S. government planned to issue a press release late in the day blaming North Korea for the hack.
“As a result of our investigation, and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions,” the FBI said.
FBI National Press Office statement on Sony Pictures investigation: https://t.co/iGFpaBX1dq
— FBI (@FBI) December 19, 2014
The FBI admits it is withholding certain aspects of the investigation in order to protect its sources and methods. However, it did say its technical analysis shows that the wiper malware deployed in the attack is closely related to other malware known to have been developed by North Korean actors. The bureau writes that there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
The FBI says it also found “significant overlap” between the infrastructure used in this and other North Korean-linked attack campaigns. For example, the FBI claims to have discovered that several IP addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
Finally, the bureau notes that the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was allegedly carried out by North Korea.
The FBI goes on to express its deep concern regarding this attack, saying that its destructive and coercive nature set it apart from all other attacks it has investigated.
“North Korea’s actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves,” the FBI wrote. “Such acts of intimidation fall outside the bounds of acceptable state behavior.”
Reports detailing an apparent network compromise at SPE began surfacing on November 25. It quickly became apparent that SPE’s networks had been thoroughly compromised, as a group calling itself “the Guardians of Peace” took credit for the hack and began releasing troves of information purloined from the production studio’s porous networks. To date, the stolen information has included copies of yet-to-be-released films and scripts, employee healthcare and salary information and internal email spools.
Until today, it's been hotly debated whether North Korea was in fact responsible for the attack. The popular narrative has it that hackers acting at the behest of the North Korean government attacked Sony for producing a comedy called “The Interview,” in which a TV host and his producer are granted a rare interview with, and carry out a CIA plot to assassinate, North Korean dictator Kim Jong-Un.
In the weeks following the attack, those claiming responsibility for it threatened violence against Sony, moviegoers and the broader American public if Sony moved forward with the premiere of “The Interview.” In the end, after five large movie theater chains said they would not play the movie, Sony decided to delay its release indefinitely.
Skeptics have noted, reasonably so, that nation-state sponsored attacks are generally secretive, whereas the attack on Sony has been very public.
On the other side of the debate, Dave Aitel, CEO of Immunity, has offered a more measured analysis, noting that North Korea is very likely behind the attack, but that it has nothing to do with Sony or “The Interview.” In a Threatpost Digital Underground podcast today, Aitel explained that this attack is likely North Korea’s way of demonstrating its cyber-capabilities on the world stage.
There was also substantial forensic and malware-related evidence tying the Sony attack to prior APT campaigns also attributed to North Korea, a finding substantiated by the FBI’s press release today.