FBI uses malware to ID North Korea as Sony culprit
- By Sean Lyngaas
- Dec 19, 2014
After several weeks of investigation, the FBI on Dec. 19 blamed the North Korean government for the massive hack on Sony Pictures last month.
"Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed," the FBI said in a statement.
The FBI announcement follows weeks of speculation in the media about whether Pyongyang was behind the cyberattack on Sony, which resulted in the dump of, by one count, nearly 40 GB of Sony data online. The leak included the salaries and Social Security numbers of thousands of Sony employees, and several unreleased Sony films.
North Korea had vaguely threatened retaliation for a now-shelved Sony comedy film in which actors Seth Rogen and James Franco are asked by the CIA to kill North Korean dictator Kim Jong-un. Sony ultimately canceled the film's release amid threats of violence to moviegoers from the group that has claimed responsibility for the hack.
The FBI statement provided some evidence it said linked North Korea with the hack, but was constrained by the need to keep some information classified. The bureau said it found the clues in "specific lines of code, encryption algorithms, data deletion methods and compromised networks."
There was also "significant overlap" in the infrastructure used in the attack on Sony and "other malicious cyber activity" the U.S. government has previously attributed to North Korea, the statement said. One example provided was the allegation that several IP addresses associated with North Korean infrastructure communicated with IP addresses that were "hardcoded into the data deletion malware" used in the Sony hack.
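The infrastructure-overlap clue the statement describes, addresses hardcoded into the wiper that match infrastructure previously tied to an actor, is at its simplest string extraction followed by a lookup. The Python below is an added example written for this page, not FBI tooling and not anything from the article: the sample binary bytes and the "known infrastructure" set are constructed placeholders drawn from the RFC 5737 documentation ranges, and the function names are the author's own.

```python
import re
import ipaddress

# Constructed stand-in for a malware sample's raw bytes. Addresses are RFC 5737
# documentation placeholders, not real indicators. It mixes narrow (ASCII) and
# wide (UTF-16LE) strings, as Windows binaries commonly do, plus decoys that
# look like addresses but are not valid IPv4.
SAMPLE_BINARY = (
    b"\x4d\x5a\x90\x00" + b"\x00" * 16
    + b"connect to 203.0.113.10:443 then fallback 198.51.100.7\x00"
    + b"garbage 999.1.1.1 and 1.2.3 and 10.0.0.256\x00\x00"
    + "192.0.2.55".encode("utf-16-le") + b"\x00\x00"
    + b"report to 203.0.113.10\x00"
)

# Constructed list standing in for infrastructure previously attributed to an actor.
KNOWN_INFRASTRUCTURE = {"203.0.113.10", "192.0.2.55"}

# Dotted quad as a narrow string; lookarounds stop "1.2.3.4.5" style over-matching.
_ASCII_IPV4 = re.compile(rb"(?<![0-9.])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9.])")
# Same shape encoded as UTF-16LE: every character is followed by a NUL byte.
_WIDE_IPV4 = re.compile(
    rb"(?<![0-9.]\x00)(?:(?:[0-9]\x00){1,3}\.\x00){3}(?:[0-9]\x00){1,3}(?![0-9.]\x00)"
)


def _valid(candidate: str) -> bool:
    """Reject octets above 255 and other near-misses the regex lets through."""
    try:
        ipaddress.IPv4Address(candidate)
    except ipaddress.AddressValueError:
        return False
    return True


def extract_ipv4(blob: bytes) -> list[str]:
    """Distinct, valid IPv4 literals hardcoded in blob, in order of first appearance."""
    hits: list[tuple[int, str]] = []
    for m in _ASCII_IPV4.finditer(blob):
        hits.append((m.start(), m.group().decode("ascii")))
    for m in _WIDE_IPV4.finditer(blob):
        hits.append((m.start(), m.group().decode("utf-16-le")))
    out: list[str] = []
    seen: set[str] = set()
    for _, text in sorted(hits):
        if _valid(text) and text not in seen:
            seen.add(text)
            out.append(text)
    return out


def overlap_with_known(blob: bytes, known: set[str]) -> dict[str, list[str]]:
    """Split the hardcoded addresses into those that overlap known infrastructure
    and those that do not. Overlap is one signal among several; on its own it
    does not establish attribution."""
    addrs = extract_ipv4(blob)
    return {
        "hardcoded": addrs,
        "matches_known": [a for a in addrs if a in known],
        "unknown": [a for a in addrs if a not in known],
    }


if __name__ == "__main__":
    report = overlap_with_known(SAMPLE_BINARY, KNOWN_INFRASTRUCTURE)
    for key, values in report.items():
        print(f"{key}: {values}")
```

Addresses recovered this way feed an infrastructure comparison; the unmatched ones are candidates for blocking and for network-log review, which is how a defender would use the same clue the statement relies on.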
The FBI also concluded that the "tools" used in the Sony attack were similar to those used in a cyberattack on South Korean banks and broadcasters in March 2013. South Korean officials blamed the North for that attack and said it cost hundreds of millions of dollars.
The evisceration of a corporation's network defenses has raised the question of how vulnerable federal networks are to such a cyberattack. Joe Demarest, assistant director of the FBI's Cyber Division, has estimated that the malware used in the Sony hack would have penetrated 90 percent of network defenses in private industry and perhaps even in government.
Demarest's comments about the vulnerability of private and government networks illustrate "that what we had considered as being prepared was insufficient to fully protect … critical systems and our critical data," John Cohen, professor at the Rutgers School of Criminal Justice and a former Department of Homeland Security official, said in an interview.
A certain level of preparedness could have blunted the impact of the hack, he added. Had Sony officials encrypted their emails, for example, some of the key disclosures could have been averted, said Cohen, who until April was the acting undersecretary for intelligence and analysis at DHS.
At a press briefing at the White House after the FBI released its statement, President Barack Obama said the government and private sector need to do more to guard against cyberattacks like the one on Sony. "We've been coordinating with the private sector, but a lot more needs to be done," he said. "We're not even close to where we need to be."
He called for the next Congress to pass information-sharing legislation like a measure that stalled in this month's lame-duck session. The U.S. government, Obama added, would respond "proportionally" to the attack on Sony.
The Justice Department has taken a strong stance against alleged state-sponsored cyberattacks on U.S. firms, indicting five members of the Chinese military for cyber espionage in May. A DOJ spokesman did not respond to requests for comment on whether the FBI's conclusions would trigger an indictment of a North Korean.
Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.
Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.