The Obama administration has been tightlipped about its controversial naming of the North Korean government as the definitive source of the hack that eviscerated Sony Pictures Entertainment late last year. But FBI director James Comey is standing by the bureau's conclusion, and has offered up a few tiny breadcrumbs of the evidence that led to it. Those crumbs include the claim that Sony hackers sometimes failed to use the proxy servers that masked the origin of their attack, revealing IP addresses that the FBI says were used exclusively by North Korea.
Speaking at a Fordham Law School cybersecurity conference Wednesday, Comey said that he has "very high confidence" in the FBI's attribution of the attack to North Korea. And he named several of the sources of his evidence, including a "behavioral analysis unit" of FBI experts trained to psychologically analyze foes based on their writings and actions. He also said that the FBI compared the Sony attack with their own "red team" simulations to determine how the attack could have occurred. And perhaps most importantly, Comey now says that the hackers in the attack failed on multiple occasions to use the proxy servers that bounce their Internet connection through an obfuscating computer somewhere else in the world, revealing IP addresses that tied them to North Koreans.
"In nearly every case, [the Sony hackers known as the Guardians of Peace] used proxy servers to disguise where they were coming from in sending these emails and posting these statements. But several times they got sloppy," Comey said. "Several times, either because they forgot or because of a technical problem, they connected directly and we could see that the IPs they were using...were exclusively used by the North Koreans."
"They shut it off very quickly once they saw the mistake," he added. "But not before we saw where it was coming from."
Comey's brief and cryptic remarks---with no opportunity for followup questions from reporters---respond to skepticism and calls for more evidence from cybersecurity experts unsatisfied with the FBI's vague statements tying the hack to North Korean government. In a previous public announcement the FBI had said only that it found "similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks," as well as IP addresses that matched prior attacks it knows to have originated in North Korea. At that time, the FBI also said it had further evidence matching the tools used in the attack to a North Korean hacking attack that hit South Korean banks and media outlets.
Following those elliptical statements, the cybersecurity community demanded more information be released to prove North Korea's involvement. Some have even signed a petition on the White House website calling for more transparency in the investigation. Well-known security blogger and author Bruce Schneier has compared the FBI's "trust us" mentality to the claims of the Bush administration about Saddam Hussein's nonexistent weapons of mass destruction in the run-up to the Iraq War. Without more information, security experts themselves have remained deeply divided in their conclusions about who hacked Sony.
The Obama administration, meanwhile, isn't waiting for wider acceptance of its claims. Last week it levied new sanctions against the North Korean government. In a speech earlier in the day at the Fordham event, director of national intelligence James Clapper said that"we have to push back” against North Korea, adding that "if they get global recognition with no consequence they’ll do it again and again.”
In his statement Wednesday, Comey acknowledged the skepticism about the FBI's attributions claims. But he responded that "they don’t have the facts that I have. They don’t see what I see."
Comey said he'd like to share more about the analysis that led the FBI to Sony, but nearly all of it remains secret for security reasons.__ "I want to show you, the American people, as much as I can about the why, but show the bad guys as little as possible about the how," he said. "This will happen again and we have to preserve our methods and our sources."__
Comey also hinted that the intelligence community, seemingly including the NSA, agreed with the FBI's analysis. "There is not much in this life that I have high confidence about," he said. "I have very high confidence in this attribution, as does the entire intelligence community."
That pseudo-explanation will likely do little to quell the security community's doubts. Even if the hackers appeared to fail to use proxies on some occasions, it could still be very difficult to be sure those "real" IP addresses weren't proxies themselves designed to serve as further misdirection. And a nagging loose thread remains that the Guardians of Peace hackers in their initial statements to Sony tried to extort money from the company before making any political demands. Sony's Kim Jong-un assassination comedy "The Interview," the suppression of which is believed by many to be the North Korean government's motive in the hack, wasn't even mentioned by the hackers until long after the intrusion was underway. Comey didn't address that plot hole in the North Korean explanation in his speech.
Instead, he applauded the Obama administration's public response to the hack, comparing it to the indictment of five Chinese military hackers in March of this year. And he said that naming and shaming would be increasingly common in response to future state-sponsored hacks. "As often as possible
we’re going to call out the conduct...We’re going to say 'here's what happened and who did it,'" he said.
"I think it's very important that we at the FBI said 'We know who hacked Sony. It was the North Koreans who hacked Sony.' And we called out that conduct and explained it."
