Sony Hack: NSA Broke Into North Korea's Network Before Attack on Studio (Report)
The U.S. government's strong contention that Pyongyang was behind the cyberattack on Sony goes back to malware planted by the spy agency to track North Korea's online activity.
The U.S. government's confidence that North Korea was behind the unprecedented hack on Sony Pictures owed much to the NSA's penetration and tracking of Pyongyang's Internet activity, The New York Times reported.
Newly disclosed NSA documents as well as testimony from computer experts and former U.S. and foreign officials revealed that the American spy agency had embedded itself deep into North Korea's cyber connections to the outside world as far back as 2010, including networks in China, those in Malaysia favored by the country's hackers, and networks inside the secretive country itself.
The NSA and its allies in South Korea had built up a sophisticated and wide-ranging program that involved placing malware on the computers and networks of the North's hacker unit, allowing its online activity to be tracked. North Korea's hacker unit is said to contain as many as 6,000 people and has large outposts in China. The NSA has declined publicly to acknowledge the existence and effectiveness of its North Korean operations, fearing that it would lose what valuable intelligence access it had on a country that for all intents and purposes is hermetically sealed off from the world.
The evidence gathered by this malware was the deciding factor in President Obama accusing North Korea of being responsible for the Sony attack, according to officials who spoke to the Times. The intelligence evidence was so compelling that it overcame Obama's usual caution and led him to overtly charge another government with mounting a cyberattack on American targets, a highly unusual move in diplomatic circles, as well as to impose new economic sanctions against North Korea.
"Attributing where attacks come from is incredibly difficult and slow," James A. Lewis, a cyberwarfare expert at the Center for Strategic and International Studies in Washington, told the Times. "The speed and certainty with which the United States made its determinations about North Korea told you that something was different here — that they had some kind of inside view."
The revelations of an NSA "early warning system" on North Korea's hacking activity will inevitably raise questions as to why the Sony attack was not flagged and stopped sooner. According to the Times report, phishing emails sent by North Korean hackers to Sony employees were tracked but did not seem overly unusual. Only in hindsight was it established that the North was able to steal the "credentials" of a Sony systems administrator, allowing it almost free rein inside the studio's network.
It was also later established that the Sony hack was a dedicated two-month effort by North Korea's hacking units that involved mapping Sony's computer systems and identifying the most critical files. The Times reported that the level of sophistication, patience and commitment North Korea put into the hack had caught many American officials by surprise despite Pyongyang stating that the controversial Seth Rogen film The Interview was an "act of war," a deliberate provocation that would see retribution.
Indeed, the level of sophistication had many security experts publicly question the U.S. government's confidence in North Korea's guilt, or sole guilt, with many suggesting that the real culprits behind the attack were either insiders, ex-Sony employees or outside hacking groups pretending to be North Korea. The FBI disclosing some of the evidence that the government had on Pyongyang, including the evidence that North Korean hackers got "sloppy" and left digital fingerprints, has not quelled persistent security industry skepticism of North Korean involvement.