F.B.I. Charges North Korea With Being Behind Hacking Attacks On Sony

The U.S. Government has formally charged North Korea with responsibility for the hacking attack on Sony. How to respond to that attack is a more complicated question.

The Federal Bureau of Investigation has formally charged North Korea with being behind the hacking attacks against Sony that have led to the disclosure of a host of private information and have been tied to complaints from Pyongyang regarding the release of a movie depicting the assassination of North Korean leader Kim Jong Un, as well as to threats of terrorist attacks inside the United States should the movie be shown:

WASHINGTON — The F.B.I. on Friday said it had extensive evidence that the North Korean government organized the cyberattack that debilitated Sony Pictures computers, marking the first time the United States has explicitly accused the leaders of a foreign nation of hacking American targets.

The bureau said that there were significant “similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks” to previous attacks by the North Koreans. It also said that there were classified elements of the evidence against the North that it could not reveal.

“The F.B.I. also observed significant overlap between the infrastructure used in this attack and other malicious cyberactivity the U.S. government has previously linked directly to North Korea,” the bureau said. “For example, the F.B.I. discovered that several Internet protocol addresses associated with known North Korean infrastructure communicated with I.P. addresses that were hardcoded into the data deletion malware used in this attack.”

The F.B.I. said that some of the methods employed in the Sony attack were similar to ones that were used by the North Koreans against South Korean banks and news media outlets in 2013.

“We are deeply concerned about the destructive nature of this attack on a private sector entity and the ordinary citizens who worked there,” the F.B.I. said.

It added: “Though the F.B.I. has seen a wide variety and increasing number of cyberintrusions, the destructive nature of this attack, coupled with its coercive nature, sets it apart. North Korea’s actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves. Such acts of intimidation fall outside the bounds of acceptable state behavior.”

Sony this week dropped its plans for the release of “The Interview,” a movie that depicts the assassination of the North Korean leader, Kim Jong-un, after threats were made against the theater companies that intended to show it.

The F.B.I.’s announcement was carefully coordinated with the White House and reflected the intensity of the investigation; just a week ago a senior F.B.I. official said he could not say whether North Korea was responsible. But it also puts new pressure on President Obama on how to respond. Administration officials note that the White House has now described the action against Sony as an “attack,” as opposed to mere theft of intellectual property, and that suggests that Mr. Obama is now looking for a government response, rather than a corporate one.

The F.B.I.’s statements “are based on intelligence sources and other conclusive evidence,” said James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington. “Now the U.S. has to figure out the best way to respond and how much risk they want to take. It’s important that whatever they say publicly signals to anyone considering something similar that they will be handled much more roughly. The North Koreans are crazy, and they have nuclear weapons, and the U.S. response needs to be sensitive. That is not true for others in the world.”

North Korea has been under extraordinary economic sanctions for decades, and it has done nothing to curb either its nuclear program or these cyberattacks. A military response seems unlikely — the White House said on Thursday that it was examining options for a “proportional response,” and that would seem to rule out conventional military options.

Some of the evidence has been developed from “implants” that the National Security Agency has placed in networks around the world. But North Korea has proved to be a particularly hard target, because it has relatively low Internet connectivity to the rest of the world, and its best computer minds do not move out of the country often, where their machines and USB drives could be accessible targets.

“Suffice it to say,” one senior intelligence official said this week, “that we almost never name a suspect country. So when we do, it’s got to be based on something fairly strong.”

As the F.B.I. pointed out, the attacks at Sony share similarities with a similar series of destructive attacks last year on South Korean banks and broadcasters, and they used the same data-wiping tool that Iranian hackers used to destroy data on 30,000 computers at Saudi Aramco in 2012, according to forensics researchers.

In 2009, a similar campaign of coordinated cyberattacks over the Fourth of July holiday hit 27 American and South Korean websites, including those of South Korea’s presidential palace, called the Blue House, and its Defense Ministry, and sites belonging to the United States Treasury Department, the Secret Service and the Federal Trade Commission. North Korea was suspected, but a clear link was never established.

Left unaddressed in the F.B.I.’s statement are the threats, tied to the attacks on the computer systems, that there would be unspecified acts of violence in the United States if the movie that the North Koreans objected to — a Seth Rogen/James Franco comedy called “The Interview” — were shown in theaters. Because of those threats, film distributors and theater owners backed out of showing the film earlier this week and Sony has canceled the scheduled release of the movie on December 25th. The fact that the group that was claiming responsibility for the attacks, which is likely either just a mask for the North Korean Government or a group that was working on their behalf, is the same group that was releasing the information stolen in the attacks, though, suggests fairly strongly that the two originate from the same source. Which means, of course, that North Korea was threatening to kill Americans for going to see a movie in addition to engaging in what can only really be described as cyberwarfare.

The other question that remains outstanding, of course, is how the United States can and should respond to this attack. One option can be seen in the indictment that was handed down earlier this year against five members of the People’s Liberation Army for hacking attacks against private and government computer systems in the United States for the purpose of stealing information to benefit Chinese industry. At the time, there was no small degree of criticism of the move because it is, admittedly, a rather symbolic and meaningless move since China is unlikely to surrender the people accused in the indictment for processing and trial in the United States, and indeed the Chinese continue to deny that they have ever engaged in the kind of cyber espionage that the indictment alleges. Our ability to reach inside North Korea, or wherever the hackers that Pyongyang used in this attack may be located, to get at the people who actually committed the attack at issue here would seem to be even more limited. Additionally, it’s unclear what additional sanctions the United States can place on the North Koreans at this point that we have not already imposed due to violations of their agreements related to their nuclear and missile programs. In theory, I suppose, we could engage in some counter cyberwar and use our resources to effectively cut off whatever limited access to the Internet that North Korea actually has, but we may not want to fully clamp down on that because it could have an impact on the ability of underground groups to communicate with the outside world. An additional risk, of course, is that actions we take against North Korea in response to the Sony hacking could serve to reignite tensions on the Korean Peninsula, especially if Kim Jong Un chooses to respond with some symbolic military move that forces South Korean, American, and Japanese forces to do the same.

In the end, though, I agree that some response is necessary here, though I must say I’m at a loss as to what an effective and rational response ought to be, especially since I’m not entirely certain that we’re dealing with rational actors in Pyongyang. What the President says when he speaks later this afternoon will be exceedingly important.

If nothing else, though, this attack and the F.B.I.’s confirmation that it is the result of the act of a foreign power make it clear yet again that cyberwarfare is more than just something out of a Hollywood movie. It was happening prior to this attack, of course, but the extent of this attack, the fact that it was motivated by something as seemingly irrational as the reaction to what by all accounts is a sub-par Seth Rogen/James Franco comedy, and the fact that it was tied into threats of terror attacks against targets brings home just how serious a problem this could become in the future. This time, the attacks were directed against the computers of an entertainment company, and they resulted in, mostly, embarrassment to company executives, the distribution of copyrighted material across the web, and the release of some private information. Next time, it could be an attack on the computer systems of major American banking institutions, health care companies, infrastructure such as power plants, and even government computer systems in an effort to “blind” American intelligence assets in the early hours of a conventional attack. It’s rather obvious that important parts of the economy and the government are not sufficiently secure from these types of attacks, and that’s something that will need to be addressed. While private industry must obviously play a role in ensuring that its own systems are secure, when we are witnessing foreign governments use the cyberworld as a battlefield, it seems apparent that there is a role that must be played by the Defense Department and other agencies of the Federal Government whose job it is to protect the nation as a whole from foreign attack. Otherwise, we could wake up one morning and find ourselves facing something akin to a digital Pearl Harbor or September 11th that could be just as destructive as an actual physical attack.

FILED UNDER: Intelligence, National Security, Terrorism
Doug Mataconis
About Doug Mataconis
Doug Mataconis held a B.A. in Political Science from Rutgers University and J.D. from George Mason University School of Law. He joined the staff of OTB in May 2010 and contributed a staggering 16,483 posts before his retirement in January 2020. He passed far too young in July 2021.

Comments

  1. Neil Hudelson says:

    I’m curious if the Japanese government feels any pressure to respond as well.

  2. Chip Vogel says:

    Maybe a counter cyber attack is in order.
    Not to cause damage to N. Korean internet, but to build one.

    Something akin to Radio Free Europe.
    Bombard the country with cell or wireless access and then bomb them with cheap smart phones.

  3. C. Clavin says:

    What Neil said…Sony is a Japanese Company.

    I say we have a celebrity journalist and his producer secure an interview with North Korea leader Kim Jong-un and instruct them (with the aid of the CIA) to assassinate him.
    Just an idea I had.

  4. Tyrell says:

    Torch ’em.

  5. Dave Schuler says:

    What Neil said…Sony is a Japanese Company.

    Sony is a Japanese company. The company that was hacked was Sony Pictures Entertainment, a Delaware-incorporated U.S. company that’s a subsidiary of Sony’s.

  6. Neil Hudelson says:

    @Dave Schuler:

    Thank you for the relevant clarification.

    @Tyrell:

    Lead the way over there, buddy. You go ahead and start getting your hands bloody and we’ll be right behind you. Promise.

  7. Gustopher says:

    @Dave Schuler: I’m not sure I feel a great deal of obligation to Sony Pictures Entertainment, even if they are incorporated in Delaware. Large multinational corporations and their subsidiaries just don’t inspire a great sense of patriotism in me, or even concern for their well-being.

    I’m troubled by a foreign state performing criminal acts in our territory (where the servers were, even if the hackers were not), and threatening violence, but I really can’t see a proportional response. It’s just too low to register. We want to be careful not to let them provoke us into foolish action. Add another sanction, or make travel there illegal even for Dennis Rodman.

    Mostly, we should be investigating to learn their techniques to harden our key infrastructure and industries. If North Korea wants to show us their capabilities by attacking a frankly unimportant company, that can only be good for us.