The U.S. was confident that North Korea was behind the cyberattack on Sony because the National Security Agency had infiltrated North Korea's computer systems. According to The New York Times, the infiltration occurred before the hack of Sony. And while intelligence officials would not discuss or confirm the details of the report, the Times learned that evidence gleaned from the U.S. penetration of North Korean government hackers’ activities persuaded Barack Obama and his national security staff that North Korea was behind the attack.
According to the report, the NSA began placing malware in North Korean systems in 2010. Originally, the purpose of the surveillance was to gain insight into North Korea’s nuclear program, but after a large cyberattack on South Korean banks and media companies in 2013, the agency began to track North Korea’s cyber warfare attempts.
A classified security agency program expanded into an ambitious effort, officials said, to place malware that could track the internal workings of many of the computers and networks used by the North’s hackers, a force that South Korea’s military recently said numbers roughly 6,000 people. Most are commanded by the country’s main intelligence service, called the Reconnaissance General Bureau, and Bureau 121, its secretive hacking unit, with a large outpost in China.
In the case of the Sony Pictures hack, which knocked nearly the entire company’s system offline, investigators believe that the North had stolen the “credentials” of a Sony systems administrator, which enabled them to spend two months familiarizing themselves with Sony’s network and plotting how to destroy files, computers, and systems.
“They were incredibly careful, and patient,” said one person briefed on the investigation. But he added that even with their view into the North’s activities, American intelligence agencies “couldn’t really understand the severity” of the destruction that was coming when the attacks began Nov. 24.
“Attributing where attacks come from is incredibly difficult and slow,” said James A. Lewis, a cyberwarfare expert at the Center for Strategic and International Studies in Washington. “The speed and certainty with which the United States made its determinations about North Korea told you that something was different here — that they had some kind of inside view.”
Indeed, the level of sophistication of the Sony attacks led many security experts to question the administration’s claim of North Korean guilt. Many suggested that Sony insiders, disgruntled ex-Sony employees, or outside hacking groups pretending to be North Korea were behind the attack. And that is despite the fact that the FBI director, James B. Comey, released some of the evidence that North Korea was the culprit.
“And we could see that the I.P. addresses that were being used to post and to send the emails were coming from I.P.s that were exclusively used by the North Koreans,” he said. Some of those addresses appear to be in China, experts say.
The skeptics say, however, that it would not be that difficult for hackers who wanted to appear to be North Korean to fake their whereabouts. Mr. Comey said there was other evidence he could not discuss. So did Adm. Michael S. Rogers, the N.S.A. director, who told the Fordham conference that after reviewing the classified data he had “high confidence” the North had ordered the action.
This kind of surveillance is what the NSA is supposed to be doing, rather than spying on Americans. Obviously there is more to be discovered about the Sony attack, and now that the New York Times has opened the door, look for new information soon.
Cross-posted at The Lid