While the FBI is still making the case that North Korea is to blame for the massive hack against Sony Pictures Entertainment, there are signs that other hackers may have been trying to breach the company’s networks.
Sony employee emails disclosed by the self-proclaimed Guardians of Peace, who are the subject of the FBI’s investigation, show that CEO Michael Lynton received a spear-phishing email in September that sought to lure him into revealing log-in information for an Apple account. The same spear-phishing email was reported on various message boards around that time by other people who had received it, but had no obvious connection to Sony. The email appears to have been a relatively common attempt to gain personal information from a wide range of unwitting victims.
Other spear-phishing emails that show up in the Sony files can be traced back to Internet domains in Turkey and the United Kingdom, two countries that didn’t show up in the list of command-and-control addresses found inside the malware used in the Sony attack now being investigated by the FBI and that the Obama administration attributes to North Korea. The emails raise at least the possibility that some other group was attempting to trick Sony employees into revealing personal information, such as log-ins.
Of course, spear-phishing is an increasingly common means by which hackers attempt to gain access to a victim’s personal accounts or computer, in order to discover various log-ins, passwords, account numbers, and other personal data. And the fact that the emails may have come through Internet addresses in other countries doesn’t rule out North Korea’s involvement.
But competing theories about who was really behind the Sony hack have persisted ever since the company disclosed in December that its networks had been breached, possibly by intruders outraged over the company’s satirical film about North Korea, The Interview. And skepticism still surrounds the FBI’s investigation.
FBI Director James Comey said Wednesday that investigators have found spear-phishing emails that were sent to Sony employees as late as September. Such emails were the “likely vector” that the hackers used to get inside the company’s network, Comey said, from which they stole and deleted large amounts of data, including business emails and employee salaries.
In a speech to a cybersecurity conference in New York, Comey took the unusual step of revealing previously classified intelligence that he says shows North Korea is to blame.
The new information consisted of Internet Protocol (IP) addresses that Comey said are “exclusively used” by North Korea. Comey did not specify what those addresses are. The FBI’s case to date has hinged partly on Internet addresses it says were used in previous attacks by North Korea, and numerous experts have pointed out that hackers routinely use different addresses to mask their true location.
Comey’s new evidence struck some experts as inconclusive. “Short of the government disclosing the actual IP addresses, and those being in the netblock range of those known to be associated with North Korea or used by North Korea-backed actors, I simply can’t jump on the North Korea bandwagon,” Stuart McClure, the president and founder of cybersecurity company Cylance, told The Daily Beast. “We need more evidence.”
Others said they believe the FBI has made its case and compared those who deny North Korea’s involvement to people who will not accept that al Qaeda was responsible for the 9/11 attacks.
“I don’t expect anything the FBI says will persuade Sony truthers,” Richard Bejtlich, the chief security strategist for cybersecurity company FireEye, told The Daily Beast. “The issue has more to do with truthers’ lack of trust in government, law enforcement, and the intelligence community. Whatever the FBI says, the truthers will create alternative hypotheses that try to challenge the ‘official story.’ Resistance to authority is embedded in the culture of much of the ‘hacker community,’ and reaction to the government’s stance on Sony attribution is just the latest example.”
Officials and experts who are privy to details of the FBI’s investigation say it is based on years’ worth of information gathered about North Korean hackers and almost certainly includes intercepted communications. The United States government might not release that information for years, if ever. The debate over who really pulled off the Sony hack, then, could continue indefinitely.
On Wednesday, Comey took on critics who have called on the FBI to release more information that proves North Korea is behind the attack. “They don’t have the facts that I have, don’t see what I see,” he said. The director added that he has “very high confidence” in few things, but on North Korea’s role in the attack, he’s certain.
For the first time, Comey disclosed that while the North Korean hackers did use so-called proxy servers to disguise where they were coming from, “several times they got sloppy. Several times, either because they forgot or they had a technical problem, they connected directly, and we could see them. And we could see that the IP addresses that were being used… were coming from IPs that were exclusively used by the North Koreans.”
Comey said the hackers seemed to realize their mistake and “shut it off very quickly,” referring to their Internet connection, and suggesting they were aware that they could be discovered in short order without masking their true location.
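The pattern Comey describes, a proxied actor occasionally connecting directly from an address that falls in a range tied to a known party, is also something a defender can look for in their own access logs. The following is an added example, not code from the article, the FBI or any vendor named in it: it groups log records by session, labels each source address by the netblock it falls in, and flags sessions that arrive mostly through a proxy range but also connect directly from an "attributed" range. The log format, the session identifiers and the netblocks (RFC 5737 documentation ranges) are all constructed assumptions standing in for whatever ranges an analyst actually has on file; the real IP addresses the FBI relied on are not public.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed netblocks for this example (RFC 5737 documentation ranges): one
# standing in for a range "exclusively used" by a single actor, the other for
# a range of anonymizing proxies seen in earlier activity.
ATTRIBUTED_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]
PROXY_NETBLOCKS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample log in a hypothetical "timestamp sess=<id> src=<ip>" format.
# Session A comes through the proxy range but slips once to a direct address;
# session B never touches either range.
SAMPLE_LOG = """\
2014-09-10T02:11:03Z sess=A src=198.51.100.7
2014-09-10T02:11:45Z sess=A src=198.51.100.7
2014-09-10T02:12:02Z sess=A src=203.0.113.44
2014-09-10T02:12:09Z sess=A src=198.51.100.7
2014-09-10T03:30:00Z sess=B src=192.0.2.10
2014-09-10T03:31:12Z sess=B src=192.0.2.10
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sess=(?P<sess>\S+) src=(?P<src>\S+)$")


def parse_line(line):
    """Return (timestamp, session, ip) for one log line, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("src"))
    except ValueError:
        return None  # not a usable address; skip rather than crash on bad input
    return m.group("ts"), m.group("sess"), ip


def classify(ip):
    """Label a source address by the netblock it falls in."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in ATTRIBUTED_NETBLOCKS):
        return "attributed"
    if any(addr in net for net in PROXY_NETBLOCKS):
        return "proxy"
    return "other"


def find_exposures(log_text):
    """Return sessions that arrive via a proxy range but also connect directly
    from an attributed range, i.e. the 'got sloppy' pattern in the article."""
    by_session = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            by_session[parsed[1]].append(parsed)

    findings = []
    for sess, records in sorted(by_session.items()):
        labels = {classify(ip) for _, _, ip in records}
        if "proxy" in labels and "attributed" in labels:
            exposed = [(ts, str(ip)) for ts, _, ip in records
                       if classify(ip) == "attributed"]
            findings.append({
                "session": sess,
                "exposed_ips": sorted({ip for _, ip in exposed}),
                "first_exposure": min(ts for ts, _ in exposed),
            })
    return findings


if __name__ == "__main__":
    for finding in find_exposures(SAMPLE_LOG):
        print(finding)
```

Grouping by session matters more than the netblock lookup itself: a single direct connection from a flagged range is weak on its own, but the same session switching between a proxy address and a direct one is the kind of slip the article describes, and it is only visible when records are correlated rather than matched line by line. The netblock lists are the part an analyst has to source carefully; the point the quoted experts make is that attribution rests on how well those ranges are actually known.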
In disclosing that the United States was aware of Internet addresses used exclusively by North Korea, Comey shed more light on the extent of U.S. intelligence-gathering efforts. Current and former intelligence officials have said North Korea has long been a priority target for American spies. The country’s connections to the Internet are few and run almost entirely through China.
A private security expert privy to some details of the FBI’s investigation said Comey has made a persuasive case but cautioned that the director has not revealed all the bureau knows about North Korea’s role.