FBI director James Comey has confirmed the agency’s conviction that a destructive cyber attack on Sony Pictures was carried out by North Korea, claiming that mistakes by the hackers led the trail back to IP addresses used “exclusively” by the hermit nation.
Speaking at a cybersecurity conference at New York’s Fordham Law School on Wednesday, the FBI boss revealed a few more details about the case, which the authorities have been pretty tight-lipped about up until now.
“In nearly every case, [the attackers] used proxy servers to disguise where they were coming from in sending these emails and posting these statements. But several times they got sloppy,” Comey said, according to Wired.
“Several times, either because they forgot or because of a technical problem, they connected directly and we could see that the IPs they were using … were exclusively used by the North Koreans.”
Adding weight to his theory is the fact that, once they realized their mistake, the attackers quickly “shut it off,” he added.
The FBI’s conclusions have also been deduced from evidence provided by its “behavioral analysis unit.”
This team apparently determined psychological matches between the pronouncements and actions of the so-called ‘Guardians of Peace’ group who claimed responsibility for the attack and North Korean operatives.
Comey’s remarks add a little more substance to the FBI’s assertion that Pyongyang was behind the attack.
Its previous statement on this in mid-December claimed by way of evidence that the attack shared similarities with other malware campaigns tied to North Korea, including “specific lines of code, encryption algorithms, data deletion methods, and compromised networks.”
It also revealed that the tools used in the Sony attack had similarities to those used in the DarkSeoul attacks against South Korean banks and media companies in 2013.
Finally, it said in December that several IP addresses in the Sony hack are “associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.”
Washington is counting on the FBI being right as it announced new sanctions on the totalitarian state last week – what are thought to be the first to be imposed in retaliation for a cyber attack on a US company.
However, some security experts were still skeptical of the FBI’s attribution of the attack to North Korea.
“All director Comey has really done is reiterate that IP addresses associated with North Korea were involved in the attack. However, any IP address can be compromised or spoofed to be used by attackers to confuse or deter investigators from identifying the true attackers,” security consultant Brian Honan told Infosecurity.
“There have also been other IP addresses from Japan and Taiwan associated with this attack which have not been explained away, nor has any explanation been given by the director as to why a nation state adversary would extort Sony as per some of the earlier emails in the attack.”
He added, however, that additional details would likely come out in the future, once time-consuming forensics and log data analysis have been completed.