The FBI says it is confident North Korea is behind the recent cyber attack on Sony Pictures Entertainment, despite the fact that attribution of such attacks is extremely difficult.
The US has been criticised for fresh sanctions against three North Korean organisations and 10 individuals in the first action of its kind in retaliation for a cyber attack on a US company.
Critics do not have access to the same facts as the FBI, the agency’s director James Comey told the International Conference on Cyber Security in New York.
“We know who hacked Sony. It was the North Koreans. I have very high confidence about this attribution,” he said, according to a tweet by The Intercept journalist Jana Winter.
North Korea has repeatedly denied responsibility and denounced the fresh US sanctions in response to the November 2014 cyber attack on Sony Pictures Entertainment as “hostile” and “repressive”.
Cyber security experts have noted that it is often extremely difficult to say with any certainty who is responsible for cyber attacks or even where the attacks originate.
Industry pundits have questioned the FBI conclusions, saying the attack is more likely to be the work of North Korean sympathisers, hacktivists or disgruntled company insiders.
But the FBI director said that while the Sony attackers had largely concealed their identity by using proxy servers, on several occasions they “got sloppy” and connected directly, revealing their own IP address.
This allowed FBI researchers to establish that threatening emails to Sony employees originated from internet connections used exclusively by North Korea, where internet connections are almost exclusively controlled by the government.
“It was a mistake by them that we haven’t told you about before that was a very clear indication of who’s doing this. They would shut it off very quickly once they realised the mistake, but not before we saw them and knew where it was coming from,” said Comey.
He said this had provided evidence linking North Korea to the attack on Sony’s network, which was backed up by similarities in malware used in other attacks attributed to North Korea.
However, in a blog post in December, veteran cyber security expert Bruce Schneier wrote that although North Korea has extensive cyber attack capabilities, there was nothing special or sophisticated about the Sony hack that would indicate a government operation.
“In fact, re-using old attack code is a sign of a more conventional hacker being behind this,” he wrote.
But the FBI director added that there was also other evidence gathered from “a range of sources and methods”, which he could not share publicly.
Comey said these sources and methods are critical to the entire intelligence community’s ability to see future attacks and understand attacks better.
The FBI director’s comments appear to have done little to silence critics, however, with some pointing out that the North Korean IP addresses picked up by the FBI could have been decoy proxies themselves.
“Various IP addresses have been associated with this attack, from a hotel in Taiwan to IP addresses in Japan,” security researcher Brian Honan told the BBC.
“Any IP address connected to the internet can be compromised and used by attackers,” he said.
Speculation linking the attack on Sony to North Korea was fuelled by the fact that it came just ahead of Sony’s planned release of the film The Interview, which concerns a plot to assassinate North Korean leader Kim Jong Un.
The cyber attack led to Sony withdrawing The Interview from its planned release, but it is now available for download and is showing at some cinemas.
The controversial film reportedly made about $15m through downloads alone over its first three days of distribution.