Speaking at a cybersecurity conference in Manhattan today, FBI director James Comey went into more detail about how the FBI determined North Korea was behind the recent digital attacks on Sony Pictures, which culminated in the partially canceled release of The Interview. According to Comey, the Guardians of Peace "got sloppy" when masking their IP addresses, allowing FBI researchers to determine that emails and other messages to Sony employees were originating from internet connections used exclusively by North Korea. This evidence had been hinted at in a previous Wall Street Journal article, but has never been publicly attributed.
Web access in North Korea is extremely limited and connections are almost exclusively controlled by the government, which makes it unlikely a third party would be able to hijack a North Korean IP without the government's explicit consent. "We know who hacked Sony. It was the North Koreans," Comey told the audience. "I have very high confidence about this attribution."
The FBI publicly attributed the Sony hack to North Korea last month, based on similarities in the attack methods and physical infrastructure to previous attacks that had been attributed to North Korea. The bureau cited further evidence that could not be made public, which has been the subject of intense speculation in the weeks since. In the wake of the announcement, many have criticized the bureau's public evidence as flimsy, while others have questioned whether the FBI simply got the attribution wrong. It's a particularly serious issue now that the US has levied sanctions against North Korea in response to the hack. North Korea has maintained its innocence, although it has applauded the actions of the hackers on a number of occasions.
Researchers have speculated that NSA tools like XKeyscore could also have been used to track leaked data across the network, but kept secret because of the classified nature of the programs involved. In many cases, the leaked files took hours to fully seed, giving officials ample time to trace the source, and recently leaked NSA documents described similar file-tracking operations as "trivial."
Still, Comey and others seem determined to hold North Korea accountable for the attack on Sony. President Obama has described the sanctions against North Korea as only the first aspect of the government's retaliation, suggesting further measures, public or otherwise, may still be in the works. Speaking at the same conference this morning, Director of National Intelligence James Clapper called the Sony hack "the most serious cyberattack ever made against US interests."