Feds Double Down on North Korea Hack Theory

NSA head Adm. Michael S. Rogers at the ICCS 2015 conference in New York, Jan. 8, 2015. Credit: Paul Wagenseil/Tom's Guide

NEW YORK — A parade of top U.S. officials last week reaffirmed their certainty that North Korea was behind the devastating network intrusion at Sony Pictures Entertainment, even as they dismissed the concerns of doubters and offered little further evidence for their conclusion.

"I don't have very high confidence about much in life, but I have very high confidence about this attribution, as does the entire intelligence community," FBI Director James B. Comey told the International Conference on Cyber Security here Wednesday (Jan. 7).


Other speakers and panelists at the four-day conference expressed similar sentiments. They included National Security Agency Director and Commander of U.S. Cyber Command Michael S. Rogers, former head of the House Intelligence Committee Michael J. Rogers (no relation), White House security adviser Lisa Monaco and FBI Cyber Division head Joseph Demarest.

"Based on the overwhelming information intelligence and evidence that we have, it's certainly North Korea," Demarest said during a panel discussion Thursday (Jan. 8).

"I have a high degree of confidence that North Korea was complicit in the attack on Sony," Rep. Rogers, who retired from Congress earlier this month, said during the same panel discussion. "That is a recognized term of art, which tells you you are pretty much spot-on. Which is really a CYA of, 'Yeah, we know you did it.'"

Not fully convinced

The FBI, which is leading the investigation, and President Barack Obama believe the North Korean government controlled the "Guardians of Peace," the hackers who stole an enormous amount of data from Sony Pictures and shut down the company network Nov. 24. (Comey said the intrusion may have begun with a spear-phishing attack in September.)

The motive is said to have been outrage over the comedy "The Interview," in which two bumbling American journalists botch an assassination attempt on North Korean leader Kim Jong-un. In a televised news conference Dec. 19, Obama blamed North Korea and promised American retaliation.

Yet the stated evidence of North Korean involvement, which includes similarities to earlier attacks against South Korean banks and media companies, has failed to convince many information-security professionals. The skeptics point out that cybercriminals often share and steal malware and servers — and that the initial email threatening Sony Pictures demanded money without mentioning any movie.

Tidbits of evidence

Citing the skepticism, which has reached the mainstream media, Comey offered a bit more evidence in his speech Wednesday.

"There are a couple of things that I have urged the intelligence community to declassify that I want to tell you right now," he said.

The Guardians of Peace, Comey explained, generally used proxy servers that would disguise the locations of their computers when contacting Sony Pictures and posting their statements online. But, he said, they sometimes "got sloppy."

"Several times — either because they forgot, or because they had a technical problem — they connected directly, and we could see them," Comey said. "We could see that the IP [Internet Protocol] addresses that were being used to post and to send the emails were coming from IPs that were exclusively used by the North Koreans."

"They would shut it off very quickly once they realized the mistake," he added, "but not before we saw them and knew where it was coming from."
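The kind of slip Comey describes, an operator who normally routes through anonymizing proxies but occasionally connects directly, is something an analyst can look for mechanically in connection logs. The following Python script is an added illustration, not part of the original reporting and not any FBI or NSA tooling. It runs over a constructed sample log; the proxy list (`KNOWN_PROXIES`) and the "attributed" network (`ATTRIBUTED_RANGES`) are hypothetical documentation-range addresses chosen for the example, and the report it builds (per-actor slips, whether each slip falls in the attributed range, and how quickly the actor returned to a proxy) is the author's own layout.

```python
"""Flag proxy-bypass slips in a connection log.

Added example with constructed data. KNOWN_PROXIES and ATTRIBUTED_RANGES
are hypothetical documentation-range addresses, not real infrastructure.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical anonymization infrastructure the actor is normally seen behind.
KNOWN_PROXIES = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}

# Hypothetical range an analyst has independently tied to a specific actor.
ATTRIBUTED_RANGES = [ip_network("192.0.2.0/24")]

# Constructed sample log: (timestamp, actor handle, source IP, action).
SAMPLE_LOG = [
    ("2014-11-24T05:01:13Z", "gop", "203.0.113.10", "post"),
    ("2014-11-24T05:02:40Z", "gop", "203.0.113.11", "email"),
    ("2014-11-24T05:03:02Z", "gop", "192.0.2.77", "post"),    # direct connection
    ("2014-11-24T05:03:09Z", "gop", "203.0.113.10", "post"),  # back behind a proxy
    ("2014-12-01T13:44:00Z", "gop", "198.51.100.7", "email"),
    ("2014-12-01T13:44:31Z", "gop", "192.0.2.78", "email"),   # direct connection
    ("2014-12-01T13:45:00Z", "other", "8.8.8.8", "post"),     # unrelated actor
]


def parse_ts(ts):
    """Parse the ISO-8601 UTC timestamps used in the sample log."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def in_attributed_range(ip):
    """True if the source address lies in a network tied to the actor."""
    addr = ip_address(ip)
    return any(addr in net for net in ATTRIBUTED_RANGES)


def find_slips(log, proxies=KNOWN_PROXIES):
    """Per actor, list events whose source IP is not a known proxy.

    For each slip, also record how many seconds passed until the same
    actor was next seen behind a known proxy (None if never), and
    whether every slip fell inside the attributed range.
    """
    by_actor = defaultdict(list)
    for ts, actor, ip, action in sorted(log, key=lambda e: e[0]):
        by_actor[actor].append((parse_ts(ts), ip, action))

    report = {}
    for actor, events in by_actor.items():
        slips = []
        for i, (t, ip, action) in enumerate(events):
            if ip in proxies:
                continue
            recovered = None
            for t2, ip2, _ in events[i + 1:]:
                if ip2 in proxies:
                    recovered = (t2 - t).total_seconds()
                    break
            slips.append({
                "ts": t.isoformat(),
                "ip": ip,
                "action": action,
                "attributed": in_attributed_range(ip),
                "seconds_to_recover": recovered,
            })
        report[actor] = {
            "events": len(events),
            "slips": slips,
            "all_slips_attributed": bool(slips) and all(s["attributed"] for s in slips),
        }
    return report


if __name__ == "__main__":
    for actor, summary in find_slips(SAMPLE_LOG).items():
        print(actor, summary["events"], "events,", len(summary["slips"]), "slips,",
              "all in attributed range:", summary["all_slips_attributed"])
        for s in summary["slips"]:
            print("   ", s["ts"], s["ip"], s["action"],
                  "attributed" if s["attributed"] else "unattributed",
                  "recovered after", s["seconds_to_recover"], "s")
```

On the sample data the "gop" handle shows two direct connections, both from the attributed range, and the first is followed by a return to a proxy seven seconds later, the pattern Comey describes as shutting it off "very quickly." The check only ever says where a connection came from; as the skeptics quoted earlier in this article note, servers are shared and stolen, so a source address in a given range is one input to attribution, not proof of who was at the keyboard.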

Comey also said the FBI's behavioral-analysis unit compared the communications by the Guardians of Peace to statements by known North Korean attackers, and reached the conclusion that "it's the same actors."

NSA Director Rogers, who spoke Thursday, disclosed that his agency had indeed contributed to the FBI's investigation.

"We were asked to provide our technical expertise, we were asked to take a look at the malware, we were asked to take a look at not just the data that was being generated from Sony, but also what data could we bring to the table," he said in response to a question from Daily Beast reporter Noah Shachtman. "We were a part of the broad interagency effort, [but] not in a lead role."

Doubting the doubters

Overall, however, panelists and speakers at the conference treated North Korean involvement in the Sony hack as a proven fact, and dismissed skeptics as ignorant of evidence that the FBI couldn't disclose without jeopardizing national security.

The skepticism is "based on very limited information," Monaco said during Thursday's panel discussion. "[The skeptics] don't have the information that the intelligence community and the FBI have."

"They don't have the facts that I have, don't see what I see," Comey said, adding that the FBI — and presumably the NSA — had to keep the most crucial evidence secret in order to safeguard the methods that were used to collect it.

"We have a range of other sources and methods that I'm going to continue to protect," he said, "because we think they're critical to our ability — the entire intelligence community's ability — to see future attacks and to understand this attack better."


Private-sector 'swagger'

Rep. Rogers blamed the doubt on misplaced overconfidence among private-sector information-security experts — overconfidence he said he'd seen while trying to craft cybersecurity legislation with firms whose staffers believed they were smarter than the government.

"It was shocking to me the amount of swagger on behalf of some of these companies, that they had all the answers," he said. "And it was shocking to me, knowing what I saw in the classified space ... and the gap that they just didn't know about and I don't think they believed was there." 

"There is a huge capability in our NSA, the FBI, the CIA to some minor degree, that I think would pale most of these folks about what they think they know is going on in cyberspace," Rep. Rogers added. "I always tell the folks when I give speeches ... If your CIO comes in and says, 'Don't worry, boss, I got it handled,' find yourself a new CIO."

Only Preet Bharara, the U.S. Attorney for the Southern District of New York, who moderated the panel discussion, seemed to give the doubters any credence.

"Why isn't it enough for the director [of the FBI] to simply say: 'It was North Korea, trust us, we have the information you don't have'?" he asked. "Does the government take any efforts to try to persuade those folks? ... Or give them a little additional information to convince them that they're wrong and that the pronouncements by the FBI director are correct?"

Monaco shot down that line of questioning, implying instead that the doubters weakened America's strategy of deterrence against online attacks by other countries.

"It is counterproductive," she responded, "to our efforts to make very clear to both this nation-state, and other state and non-state actors who would engage in destructive and coercive actions like this, that there will be consequences and that the U.S. government takes it very, very seriously."

Red-teaming the theories

Skepticism about North Korean involvement, FBI officials said, was actually part of the attribution process, which involved a "red team" of expert analysts making counterarguments.

"Whenever North Korea was mentioned, we would throw the flag," Demarest said, using a football term for challenging a referee's call.

"Is there an alternative explanation, or is there a different suspect that we should be looking at as a result of the information that we've analyzed?" he said. "Overwhelmingly, it came out as North Korea, or a proxy put up by North Korea."

"We brought in a red team from all across the intelligence community," Comey said. "What else could be explaining this? What other explanations might there be? What might we be missing? What competing hypothesis might there be? Evaluate possible alternatives. What might we be missing? And we end up in the same place."

Name and shame

The FBI had to make sure it was North Korea, several officials said, because the U.S. government has adopted a strategy of deterrence that publicly names overseas perpetrators behind cyberattacks that threaten national security.

"It was very, very important that we as a government, we as the FBI, said, 'We know who hacked Sony. It was the North Koreans who hacked Sony,'" Comey said. "That is why we have, as much as we can, tried to offer our attribution and the 'whys' behind our attribution."

"The attribution decision, and the decision to make that public, was not undertaken lightly," Monaco said. "If you're going to be making statements about the activities of a nation-state having crossed a threshold and taken very destructive and coercive action ... you'd better be right."

"The entire world is watching how we as a nation are going to respond to this," said NSA Director Rogers. "If we don't acknowledge this, if we don't name names here, we will only encourage others to decide, 'Well, this must not be a red line for the United States. This must be something they're willing to accept.' That couldn't be further from the reality. It's unacceptable behavior."

Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.