The FBI is now officially blaming North Korea for the attacks that have ravaged Sony Pictures for the past weeks.
Per the FBI (emphasis added):
As a result of our investigation, and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions.
The FBI reports that it has been working directly with Sony Pictures Entertainment since shortly after the attacks began. In the course of the investigation, the FBI has found the malware that infected Sony is similar to other malware known to be written and deployed by North Korean actors in the past, down to specific lines of code.
There are infrastructural links too. Several IP addresses hard-coded into the malware's data-deletion algorithms also track back to IPs with connections to previous, known North Korean cyber attacks. Reports from CNN also explain that the attacks were routed through a number of other countries—including China—and masked by standard DNS spoofing, which the FBI was able unmask with help from the NSA.
Other than that, the details are sparse, suggesting the evidence itself is either thin, confidential, or both. Especially given some of the report's seemingly glaring omissions.
Noticeably absent are any mentions of China, which has been rumored to have supported the North Korean effort, nor is there any suggestion that any other entities assisted North Korea in its attack of Sony Pictures. Neither does the FBI outline any plan for moving forward with action against North Korea following this formal accusation. Only that:
Such acts of intimidation fall outside the bounds of acceptable state behavior. The FBI takes seriously any attempt—whether through cyber-enabled means, threats of violence, or otherwise—to undermine the economic and social prosperity of our citizens.
North Korea has been a popular—if not official—suspect since the beginning simply because Sony Pictures is responsible for The Interview, a comedy in which Seth Rogan and James Franco play journalists tasked with assassinating Supreme Leader of North Korea, Kim Jong-Un. Initially the hackers made no reference to North Korea or The Interview until the leaks had been in progress for days, at which point they explicitly called for Sony Pictures to kill the film, later supplementing the demands with threats of terrorist attacks against theaters showing the film. Threats that worked, as major theater chains backed away from the hack until Sony Pictures canceled screenings altogether. To make matters worse, this backtrack unleashed a wave of cowardice as Paramount pulled screening rights to Team America: World Police, seemingly without even being spurred by any further threat. Basically, the hackers won, full stop.
Evidence pointing to North Korea as a culprit in this attack was sparse at first, with reports that the hack originated in a hotel room in Bangkok, alongside the FBI's assertions that a North Korean origin were doubtful and North Korea's own insistence that it had nothing to do with the attack. After Sony Pictures dropped The Interview entirely, though, reports came rushing in from the New York Times, AP, ABC, and CNN, all citing unnamed U.S. officials connecting North Korea to the hack.
Although we've got a formal accusation on our hands, there are plenty of holes that still need filling. Reports that North Korea stole a Sony system administrator's credentials (and how it may have been done) remain unconfirmed, as does any possibility of China's involvement. And, of course, there's the big question: Can we keep this from happening again?
The FBI's full statement follows below:
Today, the FBI would like to provide an update on the status of our investigation into the cyber attack targeting Sony Pictures Entertainment (SPE). In late November, SPE confirmed that it was the victim of a cyber attack that destroyed systems and stole large quantities of personal and commercial data. A group calling itself the "Guardians of Peace" claimed responsibility for the attack and subsequently issued threats against SPE, its employees, and theaters that distribute its movies.
The FBI has determined that the intrusion into SPE's network consisted of the deployment of destructive malware and the theft of proprietary information as well as employees' personally identifiable information and confidential communications. The attacks also rendered thousands of SPE's computers inoperable, forced SPE to take its entire computer network offline, and significantly disrupted the company's business operations.
After discovering the intrusion into its network, SPE requested the FBI's assistance. Since then, the FBI has been working closely with the company throughout the investigation. Sony has been a great partner in the investigation, and continues to work closely with the FBI. Sony reported this incident within hours, which is what the FBI hopes all companies will do when facing a cyber attack. Sony's quick reporting facilitated the investigators' ability to do their jobs, and ultimately to identify the source of these attacks.
As a result of our investigation, and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions. While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following:
We are deeply concerned about the destructive nature of this attack on a private sector entity and the ordinary citizens who worked there. Further, North Korea's attack on SPE reaffirms that cyber threats pose one of the gravest national security dangers to the United States. Though the FBI has seen a wide variety and increasing number of cyber intrusions, the destructive nature of this attack, coupled with its coercive nature, sets it apart. North Korea's actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves. Such acts of intimidation fall outside the bounds of acceptable state behavior. The FBI takes seriously any attempt—whether through cyber-enabled means, threats of violence, or otherwise—to undermine the economic and social prosperity of our citizens.
- Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
- The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
- Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.