If the FBI’s revelations on Wednesday about the sloppiness of North Korea’s hackers were meant to silence critics who doubt the government’s attribution of the Sony attack, they failed.
Despite assertions from FBI Director James Comey that he has very high confidence in the attribution to North Korea and a statement by Director of National Intelligence James Clapper that North Korean General Kim Youn Choi was directly responsible for ordering the attack, security experts still doubt the veracity of the claims based on the evidence provided so far.
This includes a new detail from Comey that the attackers failed to use proxy servers through which to route some of their activity and mask their real IP addresses. As a result, Comey said, they unintentionally revealed that they were using addresses known to be “exclusively” used by North Korea. The new claim builds upon previous evidence cited by the FBI that components used in the Sony hack are similar or identical to components used in the so-called DarkSeoul attacks that struck South Korea last year and another claim that an IP address “associated with known North Korean infrastructure” contacted one of the command-and-control servers used in the Sony hack.
Critics have already responded to the previous evidence, so let’s examine the new information, with the understanding that this is not all the evidence the FBI possesses. Indeed, there may be signals intelligence obtained by the NSA or other intelligence agencies that provides better proof than what has been disclosed so far. Even accounting for this possibility, though, officials still haven’t explained why, if the attack was perpetrated by North Korea over the film The Interview, the initial communication between the hackers and Sony employees didn’t discuss the movie at all, but instead demanded money in what looked like an extortion attempt, without ever saying what the demands were.
Claim: Hackers Failed to Mask Their IP Addresses
Comey, speaking on Wednesday at a cybersecurity conference at Fordham University, said the attackers had been careful to mask their real IP addresses by using proxy servers for most of their activity. But they apparently got sloppy and sent some emails to Sony executives and published some posts online without using a proxy. The reference to posts is unclear, but according to a Wired reporter at the event, Comey said the word “paste” before correcting himself, suggesting he meant the Pastebin posts the hackers made after the hack was exposed, when they were leaking Sony data to the public.
“In nearly every case,” Comey said, “[the Sony hackers] used proxy servers to disguise where they were coming from in sending these emails and posting these statements. But several times they got sloppy,” Comey said. “Several times, either because they forgot or because of a technical problem, they connected directly and we could see that the IPs they were using…were exclusively used by the North Koreans.” He added that, “[t]hey shut it off very quickly once they saw the mistake. But not before we saw where it was coming from.”
Comey wouldn’t take any questions from reporters at the event, but anonymous government officials did elaborate a bit in private to the New York Times. A story published Wednesday night quoted officials who said the Sony attackers, who go by the name Guardians of Peace, mistakenly logged into their Guardians of Peace Facebook account as well as Sony’s servers using IP addresses used by North Korea.
It was clear, the officials told the Times, that the hackers quickly realized their error because in several cases, after mistakenly logging in to these systems using the North Korea IP addresses, they “quickly backtracked and rerouted their attacks and messages through decoy computers abroad.”
It’s unclear if the Facebook posts are the same posts that Comey was referring to, or if Comey’s remarks, combined with the remarks of the anonymous officials, mean that the attackers exposed their real IP addresses in at least four different cases: in sending emails to Sony executives, in logging into the Sony servers, in posting messages to Pastebin and in accessing the Facebook account.
Neither Comey nor the Times sources mentioned when these incidents occurred, but the Times notes that “[b]efore the attacks in November, Sony Pictures was threatened in a series of messages posted to a Facebook account set up by a group calling itself ‘Guardians of Peace.’ After Facebook closed that account in November, the group changed its messaging platform and began sending threats in emails to Sony and on the anonymous posting site Pastebin.”
The timing of the mistakes could be important. Within days of the hack first being exposed, stories about North Korea’s possible role in it were already being published. If the hackers knew investigators were looking for North Korean links, they may have decided to supply them by using North Korean IP addresses. But that assumes the IP addresses the FBI cites really are North Korean IP addresses.
This is the main issue that critics have with all of the information the FBI has so far provided about the IP addresses: without knowing the exact IP addresses and what’s on the other end of them (a mail server, a web server, a laptop) or why officials concluded the addresses are used exclusively by North Korea, the public has little to go on to trust the government’s assessment.
But two of the most vocal FBI critics, Marc Rogers and Robert Graham, are united in their criticism of this evidence, pointing out the fallibility of IP addresses as proof of origin and the fallibility of asserting that the addresses are used exclusively by North Korea. Rogers also questions the revelation that the hackers made such a newbie mistake as forgetting to use a proxy to hide their IP address.
“It is plausible that a hacker could make a mistake and not use a proxy,” says Rogers, principal security researcher for the security firm CloudFlare and head of security for the Def Con hacker conference. “These guys literally burnt Sony down to hide their tracks and they staged everything pretty methodically. It would surprise me that somebody like that would make such a huge mistake to forget to use a proxy.”
However, Jeffrey Carr, a security consultant and CEO of Taia Global, notes that the alleged slip-up, and Comey’s language describing it, are remarkably similar to what occurred in the destructive DarkSeoul attacks that struck media and bank networks in South Korea last year. According to a South Korean publication, “A technical blunder by a hacker appears to have reinforced what South Korea has long suspected: North Korea has been behind several hacking attacks on South Korea in recent years…The hacker exposed the IP address (175.45.178.xx) for up to several minutes due to technical problems in a communication network, giving South Korea a rare clue into tracing the origin of the hacking attack that took place on March 20, according to South Korean officials.”
It’s not known if this is the same IP address used in the Sony hack. But the attribution of the DarkSeoul hack to North Korea has partly fueled the attribution of the Sony hack to North Korea as well. The reasoning goes: officials say the attackers in both cases used some of the same tools; the DarkSeoul hack was done by North Korea; therefore the Sony hack was done by North Korea too. But it should be noted that some have disputed the DarkSeoul attribution, including Carr.
In any case, critics of the FBI say it’s possible that the North Korean IP addresses the FBI is identifying in the Sony hack were themselves proxies—that is, systems the attackers hijacked to conduct their activity.
Statements by Comey and anonymous government officials that the hackers “shut it off very quickly once they saw the mistake” and went back to using known proxies imply that the hackers had unintentionally used the IP addresses and quickly cut their connection to the Sony server. But if the hackers had simply hijacked a North Korean system to conduct their activity, their sudden abandonment of that IP address could mean only that they decided to stop using that proxy for some technical reason, that the hijacked system was taken offline, or that they were kicked out of the system by its owner.
“That can mean so many different things,” says Robert Graham, CEO of Errata Security. “It sounds like that’s the interpretation [the FBI] put on things, but not necessarily what happened.”
Interpreting forensic data is fraught with problems, primarily because the same data can be viewed differently by different security researchers. Graham points to analysis of the Witty worm attack as a prime example. That malicious worm, unleashed a decade ago, was designed to destroy random data on machines it infected. Smart experts who examined the worm and infection data found patient zero—the system from which the infection began—and concluded that from there the worm had struck a hit-list of 50 initial computers at the Fort Huachuca Army base in Arizona before spreading to other systems. This led to speculation that the worm was either an inside job by someone at the base or was an external attack that targeted the base. But Graham came to a different conclusion: that the machines, which were all on the same Army network but not, it turns out, at the same base, were infected at different points and by different machines. The infection of 50 systems on the same network, and the erroneous belief that they were in the same location, only made it appear that they had all been hit by patient zero as part of a targeted attack.
“I came up with a different explanation and mine was right and theirs was wrong,” Graham says. “But if you read their document, you would say their interpretation is the only possible correct one. Until you read my explanation, and you realize why the first one is wrong. And that’s the way all data is when you look at these things.”
Claim: The IP Addresses Were Used Exclusively By North Korea
In the same way critics are skeptical that the exposed IP addresses were the real source of the attack, they also scoff at the FBI’s assertion that the IP addresses were used exclusively by North Korea.
It’s difficult to know what to make of the FBI’s claim without knowing the specific IP addresses in question. The FBI described them as ones used by North Korea, but didn’t say they were inside North Korea, which can mean a number of things. They could be IP addresses registered to North Korea’s only ISP, Star Joint Venture; or IP addresses assigned to North Korea by a carrier it uses in China; or satellite IP addresses that North Korea uses, in which case the same addresses could correspond to several physical locations. Or they could be entirely different IP addresses in other countries, such as China, Japan or other places where North Korea is said to have hackers. But regardless of where the addresses are located, it’s the assertion by authorities that they are used exclusively by North Korea that has critics most skeptical.
Even if the government can show that North Koreans have used these IP addresses exclusively in the past, the system behind an address could since have been compromised by whoever attacked Sony.
Carr points out the issues with this kind of attribution in relation to the DarkSeoul hack. He notes in a blog post that the IP address identified in the DarkSeoul case, which served as the key evidence in linking that attack to North Korea, is registered to Star Joint Venture—which is a joint venture between the North Korean government and Loxley Pacific Company in Thailand. As such, he notes, a hacker might gain access to North Korea systems and infrastructure by compromising Loxley. “It would be a simple matter to gain access to Loxley’s or Loxpac’s network via an insider or through a spear phishing attack,” he writes, “and then browse through NK’s intranet with trusted Loxpac credentials.”
We should note, however, that South Korea didn’t rely only on the North Korean IP address to attribute the DarkSeoul attack to North Korea. But the IP address evidence in the DarkSeoul case still raises the same question the Sony case raises: how do investigators know that an IP address is used only by North Korea?
Eliminating the possibility that others may have hijacked the servers or systems at these addresses for their own use would require more than simple traffic analysis pinning an intrusion to an IP address.
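To make the two problems above concrete (that “used by North Korea” can mean several different allocations, and that a single direct connection from such a range, quickly followed by proxied connections, fits both the FBI’s “slip-up” reading and the hijacked-host reading), here is a small added example. It is not code from the article, the FBI or any of the researchers quoted; it runs over a constructed connection log. The Star Joint Venture block 175.45.176.0/22 is the widely reported allocation and should be verified against the current APNIC whois; the other ranges, the “known proxy” list, the log lines and all function names are assumptions made up for illustration.

```python
"""
Added example, not from the original article: classify source IPs by the kind of
"North Korean" allocation they fall in, then look for the slip-up pattern Comey
described (a direct connection from such a range bracketed by proxied ones) and
list the competing explanations for each hit.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Label -> networks. Only the first entry is a real, reported allocation (verify
# against APNIC whois); the rest are ASSUMED placeholders drawn from RFC 5737 TEST-NETs.
RANGE_LABELS = {
    "star_jv_pyongyang":      ["175.45.176.0/22"],   # reported Star JV block
    "china_carrier_assigned": ["203.0.113.0/24"],    # ASSUMED placeholder
    "satellite_link":         ["198.51.100.0/24"],   # ASSUMED placeholder
}
KNOWN_PROXIES = ["192.0.2.0/24"]   # ASSUMED placeholder for decoy/proxy hosts


def classify(ip: str) -> str:
    """Return the allocation label for ip, 'known_proxy', or 'other'."""
    addr = ipaddress.ip_address(ip)
    for label, nets in RANGE_LABELS.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return label
    if any(addr in ipaddress.ip_network(n) for n in KNOWN_PROXIES):
        return "known_proxy"
    return "other"


@dataclass
class Event:
    ts: datetime
    src: str
    action: str


def parse(lines):
    """Parse '<iso timestamp> <source ip> <action>' lines (constructed format)."""
    out = []
    for line in lines:
        ts, src, action = line.split(maxsplit=2)
        out.append(Event(datetime.fromisoformat(ts), src, action))
    return out


def find_slip_ups(events, max_gap=timedelta(minutes=10)):
    """Return (event, seconds_until_next_proxied_connection) for each direct
    connection from a labelled range that is followed by a proxied connection
    within max_gap. This is the pattern the FBI interprets as a corrected
    mistake; it is also what dropping a hijacked proxy would look like."""
    events = sorted(events, key=lambda e: e.ts)
    hits = []
    for i, ev in enumerate(events):
        if classify(ev.src) not in RANGE_LABELS:
            continue
        for nxt in events[i + 1:]:
            if nxt.ts - ev.ts > max_gap:
                break
            if classify(nxt.src) == "known_proxy":
                hits.append((ev, (nxt.ts - ev.ts).total_seconds()))
                break
    return hits


def alternative_hypotheses(hit):
    """The same observation, read three ways; the log alone cannot pick one."""
    ev, gap = hit
    return [
        f"{ev.src} is the operator's own host; direct use was a mistake corrected after {gap:.0f}s",
        f"{ev.src} is a compromised host used as a proxy; it was dropped or went offline after {gap:.0f}s",
        f"{ev.src} was used deliberately, after press reports of a North Korean link, to plant a clue",
    ]


# Constructed log, not real evidence. One direct connection from the Star JV
# block is followed 89 seconds later by a proxied one; a second direct connection
# has no proxied follow-up within the window and is therefore not flagged.
CONSTRUCTED_LOG = [
    "2014-11-24T09:00:00 192.0.2.17 login",
    "2014-11-24T09:02:11 175.45.178.9 login",
    "2014-11-24T09:03:40 192.0.2.41 login",
    "2014-11-24T09:30:00 175.45.178.9 post",
    "2014-11-24T10:15:00 192.0.2.17 download",
]

if __name__ == "__main__":
    for hit in find_slip_ups(parse(CONSTRUCTED_LOG)):
        ev, gap = hit
        print(f"{classify(ev.src)} {ev.src}: proxied connection followed after {gap:.0f}s")
        for h in alternative_hypotheses(hit):
            print("  -", h)
```

The point of the example is the last function: `find_slip_ups` produces exactly the observation the FBI described, yet every hit it returns carries three explanations that the traffic data cannot distinguish. Choosing between them needs evidence about the host behind the address, not more of the same connection records.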
“If this IP address is exclusively used by the North Koreans, then the only source that information could come from is signals intelligence,” says Rogers. “That’s the only way they could be monitoring someone else’s IP address.”
If this is the trump card the government has, it’s not sharing.
Asked if it doesn’t give him pause that Comey and the intelligence community are so confident in their findings, Graham says no, because “if you’re really looking for something, you can always tie things back to the way you want them to be seen. It’s all a matter of perspective.”
Similarly he’s suspicious of claims that a North Korean general directed the attack on Sony. Does it mean North Korea conducted the hack? Or does it mean a North Korean agent was on a forum where one of the Sony hackers also spent time and the two struck a deal? Or does it mean something else entirely?
“They certainly know things beyond what they’re telling us,” he says, “but at the same time, they’re not telling us things that are critical [to know].”
There are some, however, who believe that nothing will satisfy the skeptics.
Richard Bejtlich, chief security strategist for FireEye, the company hired by Sony to help investigate and clean up after the attack, told the Daily Beast: “I don’t expect anything the FBI says will persuade Sony truthers. The issue has more to do with truthers’ lack of trust in government, law enforcement, and the intelligence community. Whatever the FBI says, the truthers will create alternative hypotheses that try to challenge the ‘official story.’ Resistance to authority is embedded in the culture of much of the ‘hacker community,’ and reaction to the government’s stance on Sony attribution is just the latest example.”