New Evidence Supports White House Claim That North Korea Was Behind Sony Hack

January 19, 2015 Updated: October 8, 2018

The United States National Security Agency (NSA) had access for years to North Korea’s computer networks, new evidence shows, supporting the U.S. government claim that it was able to trace the massive hack of the Sony Pictures Entertainment network to North Korea.

Less than a month after the large-scale data leak, including over 47,000 social security numbers, unreleased movies, and financial documents, brought Sony Entertainment to its knees, the U.S. government blamed North Korea for the attack—an unusually expedient move.

Media and some cyber security experts questioned the involvement of the totalitarian nation, pointing out, among other reasons, that the U.S. administration didn’t show any conclusive evidence. It also seemed that the FBI reached its conclusion and assigned blame too quickly.

Yet new evidence lends some backing to the administration’s claim.

According to an NSA document leaked by Edward Snowden, the NSA already had access to North Korea’s computer networks, with the help of South Korea. The document was published by German newspaper Der Spiegel.

“[O]ur access to NK [North Korea] was next to nothing but we were able to make some inroads to the SK [South Korean] CNE [Computer Network Exploitation] program,” the NSA document states. “We found a few instances where there were NK officials with SK implants on their boxes, so we got on the exfil points, and sucked back the data.”

Later, NSA furthered the penetration with its own resources.


“[S]ome of the individuals that SK was targeting were also part of the NK CNE program,” the document states. “But once that started happening, we ramped up efforts to target NK ourselves.”

The NSA got deep enough to monitor North Korean cyber hacking operations, The New York Times reported on Jan. 18, citing U.S. and foreign government sources. The operation dated as far back as 2010.

The report notes, though, that the NSA did not notify Sony of an incoming attack.

Even if the NSA had intelligence beforehand, not informing Sony would be in line with the way the agency operates, says Bruce Schneier, chief technology officer of Co3 Systems, a cyber security incident response management company.

“If they knew about it beforehand, it’s unlikely they would have told anybody,” he said. “The NSA is unwilling to disclose how deep they penetrated North Korea.”

In terms of national security, “revealing sources and methods” would be deemed by the NSA to be more damaging than letting hackers deliver a blow to Sony Pictures—a Japanese-owned subsidiary.

The Sony cyber-hack came to light on Nov. 24 when computers of Sony Pictures employees started to fail due to an apparent malware attack. A group calling itself the “Guardians of Peace” claimed responsibility and started to release personal information of Sony Pictures employees, demanding that the release of the film “The Interview” be canceled.

The film is a comedy depicting a CIA operation to assassinate North Korean dictator Kim Jong-un.

On Dec. 17, the U.S. government stated it was able to track the attack to North Korea. Two days later the administration formally blamed North Korea for the attack.

President Barack Obama issued an Executive Order in early January authorizing sanctions against North Korea in response to the attack.

North Korea previously stated the movie’s release would be an “act of war,” but also denied any connection to the attack.

Security firm Norse conducted its own investigation using data leaked by the hackers and speculated that a disgruntled Sony ex-employee was behind the attack. The firm’s investigation revealed an ex-staffer who made angry comments online and even contacted a hacker group. The FBI rejected Norse’s interpretation.

Former Anonymous hacker Hector Monsegur also doubted North Korea was behind the hack, saying the isolated country doesn’t have the capability to carry out such a massive attack. About 100 terabytes of data was apparently stolen in the breach.

But in the age of cloud computing the hackers could have mounted the attack out of a living room, Schneier said, borrowing or hijacking network resources where available across the Internet.

Although there’s no way of telling for sure who was behind the attack, Schneier believes the picture we’re seeing, given the Snowden leak, is consistent with the U.S. government version of the story.

Follow Petr on Twitter: @petrsvab