Naked Security

Why the US was so sure North Korea hacked Sony: it had a front-row seat

A newly released, top-secret document traces the NSA's infiltration of North Korean systems back to 2010, when it piggybacked on South Korean "implants" on North Korea's networks and "sucked back the data".

We may finally know why the US was so confident about identifying North Korea’s hand in the Sony attack: it turns out the NSA had front-row seats to the cyber carnage, having infiltrated computers and networks of the country’s hackers years ago.

According to the New York Times, a recently released top-secret document traces the NSA’s infiltration back to 2010, when it piggybacked on South Korean “implants” on North Korea’s networks and “sucked back the data”.

The NSA didn’t find North Korea all that interesting, but that attitude changed as time went on, in part because the agency managed to intercept and repurpose a 0-day exploit – a “big win,” according to the document.

Unidentified officials told the New York Times that the program snowballed, to the point that malware was placed to track the internal workings of many of the computers and networks used by North Korea’s cyber forces: an army that South Korea’s military recently said has about 6,000 elite hackers.

The million-dollar question, of course, was why the NSA’s “early warning radar” of planted spyware failed to give Sony Pictures Entertainment (SPE) a heads-up about the recent attack, even though it provided a trail of evidence convincing enough for President Obama to take the unprecedented step of accusing a nation of cyberattack.

The NSA should have seen the first spear-phishing attacks, which, two US officials told the NYT, North Korea threw against Sony beginning in early September.

But, the New York Times reports, there was nothing remarkable about the attacks, and only in retrospect did investigators figure out that the phishing was successful in stealing credentials of a Sony systems administrator, which allowed the attackers to get inside Sony’s systems and roam freely.

According to a person briefed on the investigation, that gave North Korea two months to thoroughly map Sony’s systems, identify critical files and plot how to rip it to shreds.

The New York Times quotes him:

They were incredibly careful, and patient. [But even with their view into the North’s activities, US intelligence agencies] couldn’t really understand the severity [of the forthcoming destruction].

NBC News further reports that the first the government learned of the Sony attack was on 24 November 2014, when Sony alerted the FBI’s cyber unit.

The latest twist in the Sony saga supports those who’ve been arguing that the US must have had a lot more evidence shoring up its confident accusations of North Korea.

Will it convince those who believe that the attack was unleashed by a disaffected former employee working with hacktivists?

Readers, does it convince YOU? Please let us know in the comments section below.

Image of US and North Korea courtesy of Shutterstock.


Now I see why the U.S. government was reluctant to reveal their reason for attribution to North Korea. This was because of the current animosity toward NSA/governmental spying by the U.S. Additionally, the NSA is more concerned with national security than with being the security arm for Sony.

Regards

Reply

The NSA is interested in “get it all” — I wonder if their primary mission actually *is* national security. And, frankly, I still doubt that it was NK. One reason is that we can no longer believe anything our spy agencies tell us.

Reply

That’s a serious screw up on Sony’s part. I mean, I understand successfully spear-phishing an executive or someone in operations.. but a sysadmin?

Reply

Hmm. I still don’t know about all of this. If the NSA had access to North Korea’s computers then the NSA could have technically launched the attack from the zombie computers and covered up their tracks.

It’s not like it would be the first time, since more Edward Snowden evidence shows they could take existing botnets and temporarily re-purpose them for their own bidding. Since the NSA doesn’t actually own the computers, it will look as if someone else did it. A scapegoat, so to speak.

In all honesty, there’s no way to prove who did it if any kind of government corruption was at play… and multiple parties benefited from the attack.

Reply

I don’t quite understand the NYT’s assertion that “the NSA should have spotted the phishing emails sent to Sony,” as though the NSA [a] would inevitably have seen them even if all the other suggestions about the degree of its infiltration are true and [b] would have blurted out that it had seen them if it had.

Reply

The million-dollar question, of course, was why the NSA’s “early warning radar” of planted spyware failed to give Sony Pictures Entertainment (SPE) a heads-up about the recent attack

For the same reasons that Project Ultra during World War II did not always provide information to Allied commanders based on decryptions of the German Enigma. In the NSA’s case, if they had provided an early warning to Sony, that would have tipped off North Koreans that their networks had been infiltrated by spyware from NSA. It would also make sense for the NSA to be concerned that the lax security on Sony’s part that allowed the initial breach would have also disclosed any information that NSA passed on to Sony.

Reply

The other thing is, what exactly do you say? The NSA could send an email to just about every company in America to say “we think you will receive phishing emails in the next week” and be 100% correct :-)

Anyway, what if the attackers simply paid someone else to send the spearphish?

Reply

Isn’t this what public-private information sharing is all about? By this standard, the government doesn’t *want* to share any more than private companies *want* to share. Somebody is going to have to agree to share sometime, and frankly I believe it’s the government’s responsibility to do so. Some portion of the NSA capability was funded by Sony tax dollars.

Reply

This would be a sound theory, except the US publicly announced that it knew about the attack all along shortly after the attack. Project Ultra wasn’t revealed until 40+ years after the war ended.

Reply

NSA is known to stand for Never Say Anything, or No Such Agency. They knew about the 9/11 hackers but were legally forbidden to share the information (PBS Nova, The Spy Factory). I personally think Snowden could have made us aware of the NSA’s activities in a way that did not give up as much secret information as he did. James Bamford’s revelations went unheeded before Snowden.

Reply

It seems to me that the NSA has just negated a really valuable asset by announcing that it was used to track the Sony attack.

Reply

I would suspect they may no longer have this asset. The attack on North Korea’s network likely resulted in the discovery and mitigation of these vulnerabilities.

Reply

If this is true (and I have my reservations), all it says to me once again is America believes they can do as they please, the whole world is their playground and they believe they have a free run of it. They do need to be brought down from their self-proclaimed pedestal a little bit in my opinion.

Why is it so condemned when a country is doing it to them? Perhaps it’s because whoever compromised Sony did a better job than they could ever achieve themselves.

In any case, The Interview probably isn’t worth watching anyway.

Reply
