FBI Director James B. Comey said Wednesday that the recent cyberattack against Sony Pictures was traced back to Internet addresses “exclusively used” by North Korea, as he offered new evidence intended to rebut skeptics of the bureau’s claims.
There is “not much in this life that I have high confidence about,” Comey said at the International Conference on Cyber Security at Fordham University in New York. “I have very high confidence about this attribution — as does the entire intelligence community.”
The FBI last month attributed the attack to North Korea — a rare instance in which the U.S. government has publicly accused another government of carrying out a specific cyberattack. In a statement, the bureau cited a “technical analysis” of malicious software used in the operation. The analysis revealed links to other malware used previously by North Korean actors, the bureau said. The FBI also said the attack was linked to several Internet protocol addresses “associated with known North Korean infrastructure.”
The hackers behind the intrusion into Sony’s computer networks sent e-mails threatening the firm and posted statements online — in nearly every case using proxy servers to disguise their location, Comey said. But he said that on several occasions they “got sloppy,” either “because they forgot, or they had a technical problem.”
In those instances, Comey said, analysts could see their Internet protocol addresses, including those used only by North Koreans.
“It was a mistake by them,” he said. “They shut it off very quickly once they realized it was a mistake, but not before we saw them.”
The attack, ostensibly carried out because of Sony’s plan to release a comedy that ends with the death of the North Korean leader, wiped out data from Sony’s computers and shut its networks down for several weeks. The hackers, calling themselves Guardians of Peace, also filched huge volumes of data and leaked large amounts of sensitive company information, including embarrassing internal e-mails.
The FBI’s Behavioral Analysis Unit, based in Quantico, Va., studied the “statements, the writing, the diction” of the Sony hackers and compared them to claims accompanying cyberattacks previously attributed to the North Koreans, Comey said. And, he added, the analysts said: “It’s easy for us. It’s the same actors.”
He said that a “likely” means of penetrating Sony was spear phishing, or sending e-mails that look legitimate but are actually bait to trick recipients into clicking on links to malware that enables hackers to gain entry into targeted computer networks.
But some skeptics say the new evidence only raises more questions. How does the bureau know the e-mails allegedly sent by the hackers weren’t spoofed and “routed through North Korean infrastructure?” said Marc Rogers, principal security researcher for CloudFlare, a mobile security firm.
Earlier in the day, Director of National Intelligence James R. Clapper Jr. said that the North Korean official who most likely approved the Sony hack was Gen. Kim Yong Chol, head of the Reconnaissance General Bureau, the intelligence agency that Clapper said was “responsible for overseeing the attack.”
The RGB was one of three entities designated for financial sanctions under an executive order signed by President Obama last week. The measures marked the first time the United States has imposed financial sanctions in response to a cyberattack.
Clapper said he dined with Kim during a secret mission to Pyongyang in November to retrieve two Americans being held by the North Koreans. “General Kim,” he said, “spent the entire meal berating me about American aggression” and kept “pointing his finger at my chest.”
He said that the North Koreans believe cyber is a way they can exert “maximum influence” at a “minimal cost” — and that the recent Sony attack has shown they can get recognition for their efforts.