FBI director James Comey has stuck to the bureau’s conclusion that the North Korean government is behind the mammoth cyber attack on Sony Pictures Entertainment (SPE), giving out a few more crumbs to explain his conviction.
Namely, the attackers “got sloppy” and allowed their IP addresses (and therefore their location) to slip out and to be identified on a number of occasions, he said.
Speaking at Fordham University’s international conference on cyber security on Wednesday, Comey said that in spite of skepticism in the security industry, he’s got no doubt about North Korea’s involvement:
I have every confidence about this attribution, as does the entire intelligence community.
The attackers were sloppy on multiple occasions, he said, failing to use proxy servers to route their internet connection through an obfuscating computer somewhere else in the world and thus revealing IP addresses that he said were used exclusively in North Korea.
Wired quotes him:
In nearly every case, [the Sony attackers, who signed their attack with the name "Guardians of Peace" (GOP)] used proxy servers to disguise where they were coming from in sending these emails and posting these statements. But several times they got sloppy.
Several times, either because they forgot or because of a technical problem, they connected directly, and we could see that the IPs they were using ... were exclusively used by the North Koreans.
They shut it off very quickly once they saw the mistake. But not before we saw where it was coming from.
Comey cited additional sources of his evidence, including a “behavioral analysis unit” of FBI experts trained to psychologically analyze foes based on their writings and actions, as well as an FBI comparison of the Sony attack with its own “red team” simulations to determine how the attack could have occurred.
This isn’t the first time the FBI has given a few details to explain why it’s holding North Korea responsible for the attack.
In December, the FBI announced that it found “similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.”
The FBI then said that it had found IP addresses previously associated with North Korea that were hard-coded into the malware used in the Sony attack.
Specifically, the FBI said that the tools used in the SPE attack are similar to those purportedly used by North Korea against South Korean banks and TV broadcasters in a March 2013 attack.
In the Sony attack, the IP addresses associated with North Korea reportedly contacted some of the command-and-control servers the Sony hackers used to communicate with malware on Sony’s computers.
And that’s about it vis-a-vis the few breadcrumbs the government’s dropped to explain its conclusion that North Korea is behind the SPE attack.
Given the paucity of proof being disclosed, there are, unsurprisingly, plenty of skeptics who don’t swallow the government’s conclusion, in spite of Comey citing the entire security industry as being in agreement about North Korea.
Security expert Bruce Schneier has said he is deeply skeptical of the FBI’s announcement that North Korea was behind the hack, and Errata Security CEO Robert Graham suggested the FBI’s claims may just be “group-think” that’s perhaps come out of a quick read of Mandiant’s report on the attack, mixed with a need to get on-message with government leaks, as well as a desperate desire for the culprit to be a known enemy.
Others have suggested disgruntled insiders were at the heart of the attack, given the intimate knowledge of Sony’s systems that was brought into play.
Still others suggest the attack might have been hacktivist shenanigans, while some have pointed the finger at China.
Then again, the government could well have gathered data about the attack through surveillance methods that it’s loath to reveal.
There are plenty of theories, and not a lot of fact. The FBI isn’t giving out enough evidence to come to a conclusion.
As Naked Security’s Mark Stockley said:
Other people seem to be getting plenty of mileage out of the story by staking out clear opinions but I don't see how anybody can. It seems to me that you can take all the available evidence and come up with any conclusion you like because the one thing you don't know, is what you aren't being told.
Mr. Comey could be absolutely right about North Korea. Just saying “trust me”, however, doesn’t amount to proof.
Image of “North Korea fingerprint” courtesy of Shutterstock.
4 comments on “‘Sloppy’ North Korean Sony attackers let their IP addresses slip, says FBI”
“Several times, either because they forgot or because of a technical problem, they connected directly, and we could see that the IPs they were using … were exclusively used by the North Koreans.”
Interestingly, it appears that the entirety of North Korea is on a private non-routable subnet under 10.x.x.x. So any IPs being seen would have been gateway IPs, which *could* be exclusively used by the North Koreans, or could be used by others as well, with this attack being evidence of that. So did they slip up, or is this just yet another proxy?
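The commenter’s point above rests on a distinction worth seeing in code: an address from a non-routable range can never be the true origin of traffic observed on the public Internet, so any such address in a log is a NAT or gateway, and an attribution to a particular network then rests entirely on whatever prefix list the analyst matches the public addresses against. The following is an added example, not code from the article, Naked Security, or the commenter; every log line, address and prefix in it is a constructed placeholder (RFC 5737 documentation ranges), and the "Network X" prefix list stands in for routing or allocation records an analyst would have to obtain and justify separately.

```python
import ipaddress
from collections import Counter

# Constructed connection log, not real data: "<timestamp> <source_ip> <note>".
# The note records whether the analyst believes the hop was a proxy or direct.
LOG_LINES = [
    "2014-12-01T01:02:03Z 203.0.113.7 via-proxy",
    "2014-12-01T01:05:11Z 10.42.0.9 direct",
    "2014-12-01T02:15:00Z 198.51.100.23 direct",
    "2014-12-01T02:16:40Z 198.51.100.23 direct",
    "2014-12-02T05:00:00Z 192.0.2.66 via-proxy",
    "2014-12-02T05:01:00Z 198.51.100.23 direct",
]

# Address space that cannot originate traffic on the public Internet:
# RFC 1918 private ranges, loopback, link-local and RFC 6598 shared (CGNAT) space.
# Spelled out explicitly rather than via ipaddress.is_private, because Python
# also treats the RFC 5737 documentation ranges used in this example as private.
NON_ROUTABLE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),
]

# Constructed placeholder: prefixes the analyst attributes to "Network X".
# The provenance of this list is the real evidentiary question.
ATTRIBUTED_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]


def parse_log(lines):
    """Split each log line into (timestamp, ip address object, note)."""
    records = []
    for line in lines:
        ts, ip_text, note = line.split()
        records.append((ts, ipaddress.ip_address(ip_text), note))
    return records


def classify(ip):
    """Return 'non-routable' for addresses that must be a gateway/NAT artefact, else 'public'."""
    if any(ip in net for net in NON_ROUTABLE):
        return "non-routable"
    return "public"


def summarize(lines, attributed_prefixes):
    """Bucket observed source addresses and report which public ones fall in the attributed prefixes.

    Returns a dict with:
      non_routable: addresses that cannot be origins (gateway/NAT side of the capture)
      public:       Counter of public addresses by number of sightings
      attributed:   sorted public addresses inside the attributed prefix list
      direct_only:  public addresses seen only on 'direct' (non-proxied) hops
    """
    non_routable = []
    public = Counter()
    direct_hops = {}
    for _ts, ip, note in parse_log(lines):
        if classify(ip) == "non-routable":
            non_routable.append(str(ip))
            continue
        public[str(ip)] += 1
        direct_hops.setdefault(str(ip), set()).add(note)
    attributed = sorted(
        ip_text for ip_text in public
        if any(ipaddress.ip_address(ip_text) in net for net in attributed_prefixes)
    )
    direct_only = sorted(ip_text for ip_text, notes in direct_hops.items() if notes == {"direct"})
    return {
        "non_routable": non_routable,
        "public": public,
        "attributed": attributed,
        "direct_only": direct_only,
    }


if __name__ == "__main__":
    result = summarize(LOG_LINES, ATTRIBUTED_PREFIXES)
    print("gateway/NAT artefacts (not origins):", result["non_routable"])
    print("public addresses seen:", dict(result["public"]))
    print("inside attributed prefixes:", result["attributed"])
    print("seen only on direct hops:", result["direct_only"])
```

On this constructed log the only address inside the attributed prefix list is the one seen three times on direct hops, which is exactly the shape of evidence described in the article; the example makes visible that the conclusion "this came from Network X" is only as strong as the prefix list fed into `summarize`, and that a `10.x.x.x` entry tells the analyst about the capture point, not the sender.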
I agree with Mark: there’s not enough information being presented for a third party to arrive at a conclusion of any sort, other than that the FBI wants the public to believe this was done by North Korea, and North Korea’s government has claimed it wasn’t them.
Sure smells like WMD to me! Words of Mass Deception …. Fool me once
Could not hackers (not from N Korea) use proxies in N Korea to make it look like traffic came from N Korea? Or would traffic that originated from N Korea look different from traffic that used N Korea as a proxy? In other words, could hackers have used N Korea proxies to frame N Korea?
Unless someone catches the people that were sitting at the keyboards and asks them “Did North Korea pay you to do this” I don’t think we will ever know for sure. That is also assuming the attackers tell the truth, although I’m sure some kind of EIT (Enhanced Interrogation Technique = torture) could be used, not that an American intelligence organisation would ever do that…