The New York Times claims that the U.S. National Security Agency used intelligence gleaned from a clandestine operation to compromise North Korea’s cyber warfare unit to pin the blame for the Sony Pictures Entertainment hack on the reclusive Communist country.
According to the story by David Sanger and Martin Fackler, the Obama Administration’s decision to quickly blame the hack on the DPRK grew out of a four year-old National Security Agency (NSA) program that compromise Chinese networks that connect North Korea to the outside world.
The classified NSA program eventually placed malware that could track the internal workings of the computers and networks used by the North’s hackers and under the control of the Reconnaissance General Bureau, the North Korean intelligence unit, and Bureau 121, the North’s hacking unit, which mostly operates out of China.
It has long been recognized that North Korea, which lacks a mature information technology infrastructure, does much of its hacking from China. Stories such as this one describe one unusual arrangement, in which the North stations its hackers in a luxury Chinese hotel on the border with North Korea. The North is also believed to operate a training facility in India, as well as Pyongyang, the North Korean capital.
[Read more Security Ledger coverage of the Sony hack.]
The government’s move to pin the destructive attack on Sony Pictures on the DPRK drew criticism from security experts, who cited a lack of hard evidence, and clues pointing to Sony insiders. Attributing cyber attacks is a difficult business, many information security experts warn. And even moderately sophisticated attackers can easily disguise their true identity and intentions online.
In recent weeks, the government has started to discuss some of its evidence. At an event in New York City, FBI Director James Comey revealed that the DPRK attackers “got sloppy” in their work, connecting to Sony’s network and sending email communications to Sony Executives from IP addresses that were known to be used by the DPRK.
But there was more. According to the Times piece, the evidence gathered by a “early warning radar” of NSA-controlled malware that monitored North Korea’s activities “proved critical in persuading President Obama to accuse the government of Kim Jong-un of ordering the Sony attack.” The Times story cites unnamed “officials and experts, who spoke on the condition of anonymity about the classified N.S.A. operation.”
Still unanswered is why the NSA allowed the attack against Sony to persist without warning the company’s executives. According to the Times, the NSA failed to detect the spear phishing campaigns that netted administrative log ins and other credentials. That allowed the attackers to disguise their movements within the company’s network and, thus, the scope of the breach, until the hack became public in November.
President Obama eventually accused North Korea of ordering the attack and instituted a round of new economic sanctions as punishment. He has also promised a ‘proportional’ response to the North.