FBI director confident North Korea was behind Sony hack, still offers no evidence

When the FBI provided an update late last year on their investigation into the Sony Pictures Entertainment hack, they fingered the North Korean government as the instigator.

The Bureau claimed that there is “significant overlap between the infrastructure used in this attack and other malicious cyber activity the US government has previously linked directly to North Korea,” that the malware used in the attack has similarities (lines of code, encryption algorithms, data deletion methods, etc.) to that previously tied to North Korean actors, and that the tools used in this attack are similar to those used in cyber attacks against South Korean banks and media outlets, believed to be executed by North Korean hackers.

Still, they said that they will not make public the actual evidence, as it would reveal the organization’s (and the NSA’s) investigative methods, intelligence capabilities and sources, as well as inform North Korea of its vulnerable spots.

The claims have not pacified the security community – many are not ready to believe the US government without proof. As well-regarded computer security expert Bruce Schneier recently pointed out, “American history is littered with examples of classified information pointing us towards aggression against other countries—think WMDs—only to later learn that the evidence was wrong.”

On Wednesday, at the International Conference on Cyber Security held at Fordham University School of Law in New York, FBI director James Comey attempted to add the weight of his word to the claims.

“I have very high confidence in this attribution, as does the entire intelligence community,” he said to the audience.

He offered no additional evidence to support it, limiting new revelations to claims that the attackers got sloppy several times and failed to use proxy servers when connecting to Sony’s servers, thus revealing their actual IP address – an IP address allocated to North Korea.

According to him, the attackers also used the same IP address to visit the Facebook account through which they sent the threatening messages to Sony.

Commenting on the security community’s skepticism, he said that they don’t have all the facts. “They don’t see what I see,” he said. But that is exactly the point security experts around the world keep making: nobody outside the government can check the claim.

“Various IP addresses have been associated with this attack, from a hotel in Taiwan to IP addresses in Japan. Any IP address connected to the internet can be compromised and used by attackers,” commented infosec pro Brian Honan.

All in all, Comey (and the US government) didn’t offer any evidence for their conclusions. They continue to say “Trust us!”, and they continue to bemoan the cybersecurity community’s mistrust.

In the meantime, the Obama administration used the claims as justification for the new sanctions they imposed against the North Korean government. They have also denied being involved with the recent outage affecting North Korea’s Internet connection.
