At the International Conference on Cyber Security held at Fordham University on Wednesday, FBI Director James Comey revealed new details about why the FBI and “the entire intelligence community” has a “very high confidence” that North Korea was responsible for the so-called Sony Hack. The full text of these parts of his remarks are appended at the end of this post.
Most importantly, Mr. Comey stated:
“[T]here are a couple things I have urged the intelligence community to declassify that I will tell you right now.
[S]everal times they got sloppy. Several times either because they forgot or because they had a technical problem they connected directly and we could see them. And we could see that the IP addresses being used to post and to send the e-mails were coming from IPs that were exclusively used by the North Koreans.” (my emphasis added).
In response, some might say that it is generally commonplace for hackers to use a false IP address (see the comments to Lorenzo Franceschi’s tweet). However, over at Verge, Russell Brandom writes: “Web access in North Korea is extremely limited and connections are almost exclusively controlled by the government, which makes it unlikely a third party would be able to hijack a North Korean IP without the government’s explicit consent.”
Mr. Comey also stated that the FBI’s Behavioral Analysis Unit assessed the content of communications, including “diction of the people involved,” and matched them to prior North Korean attacks:
“We put [the Behavioral Analysis Unit] to work studying the statement, the writings, the diction of the people involved claiming to be the so-called guardians of peace in this attack and compared it to other attacks we know the North Koreans have done. And they say, ‘Easy. For us it’s the same actors.’” (my emphasis added)
Over at Lawfare earlier this week, Jack Goldsmith argued that compelling the US intelligence community to reveal more information about how it determines attribution can have unintended consequences for cyber security:
“[P]ublic knowledge could exacerbate the cyber threat. For when other countries know those aspects of those sources and methods, they can hide their tracks better in the next attack.”
That’s a sober reminder. Assuming the validity of Mr. Comey explanation, the perpetrators of the Sony Hack, and perhaps others like them, are less likely to be “sloppy” in the same way again.
Here’s the full text of this part of Mr. Comey’s remarks (via Fortune):
James B. Comey
Federal Bureau of Investigation
International Conference on Cyber Security, Fordham University
January 7, 2015
… As you know, we at the FBI and the entire intelligence community have attributed these attacks to North Korea. And we continue to believe that is the case. There is not much in this life that I have high confidence about—I have very high confidence about this attribution as does the entire intelligence community. So how do we know that? Or why do I have such high confidence in this attribution to North Korea?
Here’s the tricky part: I want to show you as much as I can the American people about the why and I want to show the bad guys as little as possible about the how—how we see what we see—because it will happen again and we have to preserve our methods and our sources.
There’s a couple of ways we’ve already said. You know the technical analysis of the data deletion malware from the attack shows clear links to other malware that we know the North Koreans previously developed. The tools in the Sony attack bore striking similarities to another cyber attack the North Koreans conducted against South Korean banks and media outlets. We’ve done a—I have, as you know from watching Silence of the Lambs—about people who sit at Quantico, very dark jobs. Their jobs are to try to understand the minds of bad actors. That’s our behavioral analysis unit. We put them to work studying the statement, the writings, the diction of the people involved claiming to be the so-called guardians of peace in this attack and compared it to other attacks we know the North Koreans have done. And they say, “Easy. For us it’s the same actors.”
We brought in a red team from all across the intelligence community and said let’s hack at this. What else could be explaining this? What other explanations might there be? What might be missing? What competing hypotheses might there be? Evaluate possible alternatives—what might be missing? And we ended up in the same place.
Now I know because I’ve read in the newspaper—seen in the news—that some serious folks have suggested that we have it wrong. I would suggest—not suggesting, I’m saying—that they don’t have the facts that I have—don’t see what I see—but there are a couple things I have urged the intelligence community to declassify that I will tell you right now.
The Guardians of Peace would send e-mails threatening Sony employees and would post online various statements explaining their work. And in nearly every case they used proxy servers to disguise where they were coming from. And sending those e-mails and then sending and pasting and posting those statements.
And several times they got sloppy. Several times either because they forgot or because they had a technical problem they connected directly and we could see them. And we could see that the IP addresses being used to post and to send the e-mails were coming from IPs that were exclusively used by the North Koreans. It was a mistake by them that we haven’t told you about before that was a very clear indication of who was doing this. They shut it off very quickly once they realized the mistake. But not before we knew where it was coming from.
As I said, we have a range of other sources and methods that I’m going to continue to protect because we think that they’re critical to our ability—the entire intelligence community’s ability—to see future attacks and to understand this attack better. We have brought them all to bear in this situation and I remain where I started not just with high confidence, but with very high confidence that the North Koreans perpetrated this attack.
We’re still looking to identify the vector—so how did they get into Sony? We see so far spear phishing coming at Sony as late as September of this year. We’re still working that and when we figure that out we’ll do our best to give you the details on that. But that seems the likely vector for the entry to Sony.
[Editor’s note: For Just Security‘s earlier coverage of the Sony Hack and related issues, see here]