The NSA was tracking North Korea's hackers long before they attacked Sony Pictures


Leaked documents shed new light on how Pyongyang evaded US intelligence

Intelligence gathered by the National Security Agency on North Korea more than four years ago led the US government to blame Pyongyang for the recent attack on Sony Pictures, according to a report from The New York Times. The report, citing former US officials, computer experts, and documents leaked last week by Edward Snowden, says the NSA used malware to track North Korean hackers as part of a program launched in 2010. That allowed the government to blame North Korea with unusual speed and certainty following December's hack on Sony Pictures, but the report also sheds light on how Pyongyang's hackers were able to get away with it in the first place.

US officials tell the Times that the operation against Sony began in September, when hackers gained access to the studio's network using spear-phishing attacks. These involved planting malware through email links, but they evaded the NSA's radar because the hackers, unbeknownst to US officials, had stolen the credentials of a Sony administrator. The phishing campaign "didn't send off alarm bells," one person involved in the investigation tells the Times. The hackers then spent two months roaming through Sony's computer systems before launching the attack in November.

The speed and certainty with which the US blamed North Korea for the Sony hack have raised eyebrows, with some suggesting that the sophisticated attack could've been carried out by a Sony insider or an outside group. But in a speech at a Fordham University security conference earlier this month, FBI Director James Comey said that intelligence officials "could see that the IP addresses that were being used to post and to send the emails were coming from IPs that were exclusively used by the North Koreans." Comey also said that the North Koreans sometimes "connected directly and we could see them," adding that there was further supporting evidence that he could not discuss. "Figuring out how to respond was a lot harder," a White House official tells the Times.

The Times report goes on to describe how US officials were aware of the growing threat that North Korea posed, following a major attack on South Korean banks in 2013, but they apparently made no mention of it during a June meeting with Sony Pictures, after Pyongyang described The Interview as an "act of war."