U.S. Spies Say They Tracked ‘Sony Hackers’ For Years

American spies have detailed dossiers on the North Koreans who the U.S. says were behind the Sony attack. But the still-secret evidence likely won’t convince skeptics.

Photo Illustration by Emil Lendof/The Daily Beast

The FBI and U.S. intelligence agencies for years have been tracking the hackers who they believe to be behind the cyber attack on Sony, according to current and former American officials. And during that long pursuit, U.S. agencies accumulated still-classified information that helps tie the hackers to the recent Sony intrusion.

The Obama administration announced a round of sanctions against North Korea Friday, and explicitly said the measures were in retaliation for the “destructive and coercive cyber attack on Sony Pictures Entertainment.”

But investigators pinned the Sony attack on North Korea in early December, not long after the FBI began investigating the breach and almost three weeks before President Obama publicly pointed the finger at the Hermit Kingdom in a December 19 news conference, according to two individuals with knowledge of the case. The Obama administration waited to go public not because officials weren’t confident in the intelligence, but because the White House was weighing the significant policy decision of whether to publicly tie a nation-state to a specific cyber attack on U.S. soil for the first time.

Ever since the Obama administration made its public case against North Korea for the Sony hack, a slew of independent cybersecurity experts have been skeptical of the government’s public case against Pyongyang, calling it flimsy and circumstantial. But sources familiar with the investigation say that the most damning evidence against the Sony hackers was obtained in a secret, and years earlier, during previous intelligence-gathering efforts. The notion that the FBI was basing its claims of North Korean culpability solely off evidence from the Sony hack is “completely untrue. They’re also using evidence that they’ve been collecting for years,” said one person privy to some details of the investigation.

If there are misgivings within the administration about holding North Korea publicly to account, they weren’t on display on Friday. The White House and the Treasury Department announced a round of sanctions against three North Korean organizations, among them the country’s intelligence bureau, and ten individuals, including government officials and others who work for a North Korea’s main weapons dealer.

The sanctioned individuals weren’t involved in the Sony attack, administration officials said. But the decision to punish them and by extension the North Korean regime came after the White House decided the Sony hack “crossed a threshold,” as one senior administration official put it, going beyond cyber espionage or harassing attacks on Web sites and into the realm of destruction and coercion. The intruders had deleted large amounts of data from Sony’s networks, and threatened to attack movie theatres that showed Sony’s North Korean satire, The Interview.

The White House was judging the Sony attack against previous North Korean aggression, underscoring that officials are relying on an historical record of hacking behavior. Investigators have also been privately sharing some of their findings with private cyber security companies that also have invested several years in monitoring North Korean hacker groups, officials said, in an effort to help vet their case and bolster their claims.

U.S. investigators still aren’t saying precisely what information definitively links the North Koreans to the Sony attack and others. And to date, the FBI has disclosed only circumstantial evidence, including Internet addresses and patterns of malware used in the Sony attack that were seen in other attacks attributed to North Korea, which many cyber security experts have dismissed as insufficient and speculative.

But two former intelligence officials, who aren’t involved in the investigation, said that the conclusions in the Sony attack are almost certainly based on other information besides malware analysis or the Internet addresses used in the attack.

Among the catalog of data used for attributing cyber attacks to a particular actor are intercepted communications among the hackers themselves. “It could be a kind of battle damage assessment from the hackers to their higher-ups,” said one former official, referring to reports from the frontline hackers about the effects of their campaign against Sony. “There’s a lot of this kind of feedback in [an incident] like this. And it’s not difficult to intercept that.”

A second former U.S. official said that intelligence agencies monitor particular “behaviors” exhibited by members of a hacking group in order to help identify them. “What are their work hours? What code do they use? What sort of comments are in the code?” the official said. “When you add all that up, it’s a pretty comprehensive set of indicators.”

The Defense Department also maintains a set of dossiers of known hackers operating overseas, including in China, which is both the source of pervasive cyber espionage against U.S. and has served as a home based for some of North Korea’s best-known cyber attack cells.

Get The Beast In Your Inbox!

Daily Digest

Start and finish your day with the top stories from The Daily Beast.

Cheat Sheet

A speedy, smart summary of all the news you need to know (and nothing you don't).

By clicking “Subscribe,” you agree to have read the Terms of Use and Privacy Policy
Thank You!
You are now subscribed to the Daily Digest and Cheat Sheet. We will not share your email with anyone for any reason.

The two former officials said that North Korea has long been a high-priority target for U.S. intelligence agencies, particularly the NSA and the CIA, which has its own cyber sleuthing units and would be called upon to help investigate the Sony attack. The FBI has publicly credited unnamed U.S. intelligence agencies, as well as the private sector, with helping it attribute the Sony hack to North Korea.

The role of private investigators has stirred controversy in the investigation. Last week, the Norse Corp. released findings that it said showed at least six individuals, including one disgruntled ex-Sony employee, were behind the attack, and not North Korea. The FBI met with Norse employees in the company’s offices in St. Louis, but officials subsequently dismissed the findings and said they weren’t based on information that the government has obtained but not released. An executive with Norse declined to comment on Friday.

That explanation will hardly satisfy skeptics who have pointed out, correctly, that hackers routinely use Internet addresses and malware signatures employed by other groups to mask their own identities or to pin the blame on others. And other information in recent days has pointed to possible assistance that the North Koreans may have had from outside the country. On Monday, an anonymous official told Reuters that government investigators now think North Korea may have “contracted out” the Sony hack to other individuals. Another set of hackers that goes by the name the Lizard Squad told the Washington Post that they helped with the Sony hack. And a Twitter account claiming to represent the Guardians of Peace, the group that has claimed responsibility for the attack, says they are not Korean.

But a senior administration official said on Friday, “We remain very confident in the attribution,” and noted that a number of other private experts had agreed.

One cybersecurity firm, CrowdStrike, whose senior executives include former top cyber investigators from the FBI, has said it’s been tracking the group it believes was behind the Sony attack since 2006. The group, which CrowdStrike dubbed Silent Chollima, was responsible for a “major destructive attack” in July 2009, when it hit more than 30 Websites in the United States and South Korea with a large-scaled denial of service attack. The Web sites included those of the White House and the Pentagon, CrowdStrike’s co-founder Dmitri Alperovitch wrote in a blog post in December.

CrowdStrike says it tracked another attack in which Silent Chollima used a “wiper” malware to erase data from thousands of computers in South Korea. A wiper program was also used in the Sony attack. Of course, such malicious code is now publicly available, and could be used by almost anyone. But this gang kept up similar attacks, over and over. “For the next five years, Silent Chollima actors repeatedly launched similar data destructive attacks against South Korean businesses and government organizations,” Alperovitch wrote. “These attacks had distinct similarities with the malware used against Sony.”

When Obama finally pointed the finger at North Korea in December, he promised a response to the Sony hack and left no doubt that he wanted victims of cyber attacks to stand up to threats. The sanctions announced Friday represent “the first aspect of our response” for those attacks, said White House spokesman Josh Earnest.

His statement seemed to imply that the United States wasn’t behind a full-scale Internet outage in North Korea last month. Pressed on the question during a briefing with reporters, a senior administration official would neither confirm nor deny U.S. involvement, but pointed to at least one alternative theory that’s been discussed publicly: the North Koreans may have taken down their small number of Internet connections as a precaution against what they presumed would be some kind of cyber response by the United States.

Instead, it appears that the Obama administration has opted to punish North Korea financially. In naming publicly ten individuals whom officials say are involved in various illegal activity, including illicit weapons sales, the administration is putting North Korean elites on notice that they can track their activities and take actions to stop them.