FBI Defends Sony Hack AttributionN. Korean Hackers 'Got Sloppy' During Attack, FBI Director Says
See Also: Rethinking Endpoint Security
"Some folks have suggested we have it wrong" in terms of attributing the breach to North Korea, Comey said during his speech at the International Conference on Cyber Security in New York. "I'd say, they don't have the facts I have. They don't see what I see."
One piece of evidence Comey shared was that sometimes the Guardians of Peace - the hacking group that took responsibility for the Sony breach - "got sloppy" as they were sending e-mails threatening Sony employees and posting online various statements.
"They used proxy servers to disguise where they were coming from, and in sending and pasting those statements," Comey said. "But several times they got sloppy," he explained, saying that the hackers either forgot or had technical issues with covering their tracks. During those times, the FBI could see that the IP addresses being used were coming from those "exclusively used by the North Koreans," Comey said.
"It was a mistake by them that was a very clear indication," he added.
While the FBI is still looking into the attack vector that led to the breach, Comey said he suspects that spear-phishing was the cause, occurring "as late as September" in 2014. "We'll do our best to give you the details," he said. "But that seems the likely vector."
'Most Serious' Cyber-Attack
Earlier in the conference, Director of National Intelligence James Clapper called the Sony breach the "most serious" cyber-attack made yet against U.S. interests, according to NBC News. "[North Koreans] are deadly serious about affronts to the supreme leader," he said. "They will keep doing it again and again until we push back."
Following the FBI's attribution of the Sony Pictures hack to North Korea on Dec. 19, President Obama imposed sanctions against 10 individuals and three entities associated with the country's Pyongyang-based government. North Korea has denied being involved in the Sony hack and has called for a joint investigation with the United States.
Even after Comey's new remarks, some information security experts will continue to be skeptical of the FBI's attribution of the Sony attack to North Korea, says Rick Holland, a security analyst at Forrester Research. "Government trust within the cybersecurity space is at an all-time low," thanks in part to the leaks by former National Security Agency contractor Edward Snowden, Holland contends.
Still, it's not surprising to learn that the FBI's investigation was aided by the hackers' mistakes, Holland says. "Attackers are human and make mistakes, just like the defenders do," he says.
Earlier, many information security experts had been questioning the FBI's attribution of the Sony Pictures hack to North Korea, especially based on the scant amount of information that the bureau has so far released to substantiate that claim (see: Sony CEO Slams 'Vicious' Cyberattack).
Based on the publicly available information as of Jan. 5, Jeffrey Carr, CEO of threat-intelligence sharing firm Taia Global, warned that there's substantial "conflicting evidence" as to North Korea being involved at all.
Threat-intelligence firm Norse, which isn't officially involved in the Sony Pictures investigation, claims that it has found evidence that six people were behind the hack attack against Sony, and that none of them are based in North Korea. "We are very confident that this was not an attack master-minded by North Korea and that insiders were key to the implementation of one of the most devastating attacks in history," Kurt Stammberger, a senior vice president at Norse, told CBS News.
Many security experts have also warned that attribution, by its very nature, is typically a lengthy process - for which no solid answers may ever be found.
The Guardians of Peace claimed credit for unleashing the Nov. 24 wiper malware attack against Sony Pictures that reportedly compromised 6,000 employees' computers and landline phones, after which attackers leaked high-quality digital copies of unreleased movies, as well as sensitive - and embarrassing - corporate data. Following the attack, G.O.P. said it would stop the leaks if the studio promised to never release "The Interview," which features a plot to assassinate North Korean leader Kim Jong-un.
Major movie chains balked at showing the film after G.O.P. also issued a terror threat against any theater that showed it. While Sony initially said it would shelve the film, in the face of criticism from President Obama, it instead released the film Dec. 24 via online channels, followed by it opening in about 330 independent U.S. cinemas on Christmas Day. The film quickly set an online box office record for the studio.