The FBI has released another fragment of evidence it claims proves the US Government assertion that North Korea was behind November’s mega cyberattack on Sony - the attackers used IP addresses exclusively associated with the country, it said.
The fact that the FBI rolled out its director James Comey to make this announcement shows the increasingly political and geo-political importance the US attaches to convincing people of North Korea’s hacking guilt.
The case he outlined has several over-lapping elements to it. The attackers had “got sloppy” and logged into Sony’s servers without remembering to hide the IP addresses used, he said. Realising this, the attackers reverted to decoy addresses which drew attention to the mistake.
It wasn’’t clear from third-party accounts of this press conference whether Comey was referring to the use of command and control or, more likely, the way the cover group Guardians of Peace sent messages and threats to Sony and others through Facebook and the Pastebin website.
Nor did he reveal any evidence as to why the IP addresses used could be reliably connected to North Korea. The US and South Korea have experienced previous attacks strongly connected to the country so it could be the coincidence of the Sony attacks using the same infrastructure is too strong to dismiss. The IP evidence was mentioned in December by Government sources.
"There is not much in this life that I have high confidence about. I have very high confidence about this attribution, as does the entire intelligence community," Comey is reported to have said in his briefing.
“Several times, either because they forgot or because of a technical problem, they connected directly and we could see that the IPs they were using […] were exclusively used by the North Koreans.”
The North Koreans gained access to Sony’s network through some kind of booby-trapped email attack, he said.
The problem the FBI has in convincing a sceptical security audience is much as it has been for every single cyber attack attributed to a state actor in recent years – definitive evidence is almost impossible to gather. There are too many ways to hide or ruse attacks and that some onlookers will rightly pick holes.
Evidence ends up being about parallel forms of inside intelligence that governments rarely expand upon leaving the digital trail as one of inference as much as forensics. Interestingly, all attackers know and exploit this. Uncertainty is the nature of the Internet.
In a separate development earlier this week, the South Korean Defense Ministry has claimed in an analysis that North Korea’s cyberwar capability now stretches to 6,000 trained personnel, an increase of estimates it has put out in the past ranging from 3,000 to as many as 5,000.
The Ministry didn’t offer any sources for this data and while plausible – North Korea has an unusually large standing army – will sound speculative to some without further detail.
The “army” was also being used not for cyber-attacks that would have a psychological impact on its Southern neighbour, the analysis reportedly said.