The U.S. government’s confidence that North Korea was behind the unprecedented hack on Sony Pictures owed much to the N.S.A.’s penetration and tracking of Pyongyang’s Internet activity, the New York Times reports.
Newly disclosed N.S.A. documents as well as testimony from computer experts and former U.S. and foreign officials reveal that the American spy agency had embedded itself deep into North Korea’s cyber connections to the outside world as far back as 2010, including networks in China, those in Malaysia favored by the country’s hackers and finally networks inside the secretive country itself.
The N.S.A. and allies in South Korea had built up a sophisticated and wide-ranging program that involved placing malware on the computers and networks of the North’s hacker unit, allowing their online activity to be tracked. North Korea’s hacker unit is said to contain as many as 6,000 people and has large outposts in China. The N.S.A. has declined publicly to acknowledge the existence and effectiveness of its North Korean operations, fearing that it would lose what valuable intelligence access it had on a country that for all intents and purposes is hermetically sealed off from the world.
It was the evidence gathered by this malware that was the deciding factor in President Obama accusing North Korea of being behind the Sony attack, according to officials who spoke to The Times. The intelligence evidence was so compelling that it overcame Obama’s natural caution and led him to overtly charge another government with mounting a cyberattack on American targets, a highly unusual move in diplomatic circles, as well as to lay new economic sanctions against North Korea.
“Attributing where attacks come from is incredibly difficult and slow,” James A. Lewis, a cyberwarfare expert at the Center for Strategic and International Studies in Washington, told The Times. “The speed and certainty with which the United States made its determinations about North Korea told you that something was different here — that they had some kind of inside view.”
The revelations of an N.S.A. “early warning system” on North Korea’s hacking activity will inevitably raise questions as to why the Sony attack was not flagged and stopped sooner. According to The Times report, phishing emails sent by North Korean hackers to Sony employees were tracked but did not seem overly unusual; only in hindsight was it established that the North was able to steal the “credentials” of a Sony systems administrator, allowing it almost free rein inside the studio’s network.
It was also later established that the Sony hack was a dedicated two-month effort by North Korea’s hacking units that involved mapping Sony’s computer systems and identifying the most critical files. The Times reports that the level of sophistication, patience and commitment North Korea put into the hack had caught many American officials by surprise, despite Pyongyang stating that the controversial Seth Rogen film The Interview was an “act of war”, a deliberate provocation that would see retribution.
Indeed, the level of sophistication had many security experts publicly question the U.S. government’s confidence in North Korea’s guilt, or sole guilt, with many suggesting that the real culprits behind the attack were either insiders, ex-Sony employees or outside hacking groups pretending to be North Korea. The FBI disclosing some of the evidence that the government had on Pyongyang, including the evidence that North Korean hackers got “sloppy” and left digital fingerprints, has not quelled persistent security industry skepticism of North Korean involvement.