
FBI Defends Sony Hack Attribution

N. Korean Hackers 'Got Sloppy' During Attack, FBI Director Says

In a Jan. 7 speech, FBI Director James Comey highlighted a bit of evidence to defend his agency's conclusion that North Korea was behind the cyber-attack on Sony Pictures Entertainment.


"Some folks have suggested we have it wrong" in terms of attributing the breach to North Korea, Comey said during his speech at the International Conference on Cyber Security in New York. "I'd say, they don't have the facts I have. They don't see what I see."

One piece of evidence Comey shared was that sometimes the Guardians of Peace - the hacking group that took responsibility for the Sony breach - "got sloppy" as they were sending e-mails threatening Sony employees and posting online various statements.

"They used proxy servers to disguise where they were coming from, and in sending and pasting those statements," Comey said. "But several times they got sloppy," he explained, saying that the hackers either forgot or had technical issues with covering their tracks. During those times, the FBI could see that the IP addresses being used were coming from those "exclusively used by the North Koreans," Comey said.

"It was a mistake by them that was a very clear indication," he added.

While the FBI is still looking into the attack vector that led to the breach, Comey said he suspects that spear-phishing was the cause, occurring "as late as September" in 2014. "We'll do our best to give you the details," he said. "But that seems the likely vector."

'Most Serious' Cyber-Attack

Earlier in the conference, Director of National Intelligence James Clapper called the Sony breach the "most serious" cyber-attack made yet against U.S. interests, according to NBC News. "[North Koreans] are deadly serious about affronts to the supreme leader," he said. "They will keep doing it again and again until we push back."

Following the FBI's attribution of the Sony Pictures hack to North Korea on Dec. 19, President Obama imposed sanctions against 10 individuals and three entities associated with the country's Pyongyang-based government. North Korea has denied being involved in the Sony hack and has called for a joint investigation with the United States.

Continued Doubts?

Even after Comey's new remarks, some information security experts will continue to be skeptical of the FBI's attribution of the Sony attack to North Korea, says Rick Holland, a security analyst at Forrester Research. "Government trust within the cybersecurity space is at an all-time low," thanks in part to the leaks by former National Security Agency contractor Edward Snowden, Holland contends.

Still, it's not surprising to learn that the FBI's investigation was aided by the hackers' mistakes, Holland says. "Attackers are human and make mistakes, just like the defenders do," he says.

Earlier, many information security experts had been questioning the FBI's attribution of the Sony Pictures hack to North Korea, especially based on the scant amount of information that the bureau has so far released to substantiate that claim (see: Sony CEO Slams 'Vicious' Cyberattack).

Based on the publicly available information as of Jan. 5, Jeffrey Carr, CEO of threat-intelligence sharing firm Taia Global, warned that there's substantial "conflicting evidence" as to North Korea being involved at all.

Threat-intelligence firm Norse, which isn't officially involved in the Sony Pictures investigation, claims that it has found evidence that six people were behind the hack attack against Sony, and that none of them are based in North Korea. "We are very confident that this was not an attack master-minded by North Korea and that insiders were key to the implementation of one of the most devastating attacks in history," Kurt Stammberger, a senior vice president at Norse, told CBS News.

Many security experts have also warned that attribution, by its very nature, is typically a lengthy process - for which no solid answers may ever be found.

Breach Recap

The Guardians of Peace claimed credit for unleashing the Nov. 24 wiper malware attack against Sony Pictures that reportedly compromised 6,000 employees' computers and landline phones, after which attackers leaked high-quality digital copies of unreleased movies, as well as sensitive - and embarrassing - corporate data. Following the attack, G.O.P. said it would stop the leaks if the studio promised to never release "The Interview," which features a plot to assassinate North Korean leader Kim Jong-un.

Major movie chains balked at showing the film after G.O.P. also issued a terror threat against any theater that showed it. While Sony initially said it would shelve the film, in the face of criticism from President Obama it instead released the film Dec. 24 via online channels, followed by its opening in about 330 independent U.S. cinemas on Christmas Day. The film quickly set an online box office record for the studio.

About the Author

Jeffrey Roman


News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.
