Spear-phishing attack from North Korea passes unremarked

Jan 19, 2015 14:17 GMT

The National Security Agency (NSA) had infiltrated the computer networks of North Korea long before the attack on Sony Pictures Entertainment and had information on Pyongyang planning the incident, but the agents connected the dots only after the unfortunate event.

A recent disclosure of a new set of secret NSA documents by German newspaper Der Spiegel shows that the agency spent time and effort to breach North Korea’s network and the operation was a success.

NSA did not connect spear-phishing attack to Sony hack

Investigators of the Sony hack determined that the attackers had spent more than two months conducting reconnaissance activity, from mid-September to mid-November 2014. “They were incredibly careful, and patient,” someone close to the investigation told The New York Times.

The attack was carried out on November 24 and consisted of erasing all the data from the Sony computers, but not before exfiltrating sensitive corporate information and the private communications of the company’s executives.

It appears that the initial spear-phishing attack, which stole the authentication credentials of a Sony administrator, went unnoticed by the agents, as this type of attack is quite common.

However, after the attack was deployed, the connection with North Korea was quickly established, prompting the FBI to officially attribute the incident to the Pyongyang government on December 19.

The FBI provided only vague information about the evidence that led it to this conclusion, which sparked controversy among security experts about the accuracy of the Bureau’s attribution.

IPs used by GoP traced to Shenyang, China

Later, at a security conference on January 7, 2015, at Fordham University in New York, FBI Director James Comey offered new clues, saying that the hackers had failed to hide their real IP addresses: “either because they forgot or because they had a technical problem, they connected directly.”

He also added that the IPs were ones used exclusively by the North Koreans, though he did not say whether they were located outside the country.

According to some experts cited by The New York Times, some of the IP addresses were traced to the Chinese city of Shenyang, a well-known North Korean hacker hub.

A group operating under the name Guardians of Peace (GoP) claimed responsibility for the attack on Sony. They initially demanded monetary compensation in exchange for not publishing the data they had stolen from the company; later, their demands changed and focused on preventing the release of “The Interview,” a comedy film about the assassination of North Korean leader Kim Jong-un.