Industry News

Sony hackers failed to hide their North Korean IP addresses, says FBI

Did they or didn’t they?

That’s the question everyone is asking in the computer security industry – is it really plausible that North Korea was responsible for the hack against Sony Pictures which saw the company’s computer grind to a halt with images of skulls, and documents and internal emails leaked to the internet?

In fact, it’s not just the security nerds who are interested in where the attack might have come from. I’ve lost count how many times in the last month family and friends unconnected to the security business have asked me who I believe was most likely to have perpetrated the hack.

Personally, I would be very surprised if North Korea was to blame. It just seems very odd behaviour and out of character for a country to make such an obvious assault against a particular business. Normally, state-sponsored hackers would be more interested in silently spying, and not drawing attention to themselves with payloads more likely to appeal to a teenage heavy metal fan.


But then, North Korea *is* a very odd country, and its leaders even stranger…

Maybe it is *possible* that a country run by a chap like Kim Jung-un would take offence at a comedy movie that portrayed his assassination (even though, let’s not forget, the initial communications between the hackers and Sony executives demanded money, and didn’t mention the film).

*Possible*, but likely? I, like many others in the computer security arena, remain unconvinced.

A disgruntled former employee sounds much more plausible to me.

Not that my opinion matters much, because the United States authorities are convinced that North Korea is to blame, and have even levied sanctions as a result.

And, realising that there are many who are skeptical about the blaming of North Korea, FBI director James Comey has given a speech at the International Conference on Cyber Security (ICCS) at Fordham University in New York, promising to reveal more information about how the agency came to its conclusion.

According to Comey the hackers “got sloppy”, occasionally forgetting to disguise their identity online by using proxy servers that bounce an internet connection around the world. Instead, claims Comey, the attackers revealed IP addresses that are exclusively used by North Korea.

“In nearly every case, [the hackers] used proxy servers to disguise where they were coming from in sending these emails and posting these statements. But several times they got sloppy.

“Several times, either because they forgot or because of a technical problem, they connected directly and we could see that the IPs they were using… were exclusively used by the North Koreans.”

“They shut it off very quickly once they saw the mistake. But not before we saw where it was coming from.”

Unfortunately, Comey wasn’t prepared to take any questions after his talk – so it’s hard to be sure how the FBI confirmed that those North Korean IP addresses weren’t proxies themselves, perhaps deliberately commandeered by hackers to send investigators in the wrong direction.

Furthermore, the mystery of why the hackers only started to mention “The Interview” movie that has apparently enraged the North Korean regime so much *after* the media suggested it as a possible motive. Remember, the hackers initially said they were after money.

Unfortunately for us, the FBI says it cannot provide more information about how it came to its conclusion for national security reasons:

“I want to show you, the American people, as much as I can about the why, but show the bad guys as little as possible about the how. This will happen again and we have to preserve our methods and our sources.”

However, without more compelling evidence, or even some sliver of detail that might support the FBI’s case that it was a state-sponsored attack by North Korea, many of us will remain continue to dubious about the claim.

As security research Marc Rogers notes, Comey’s speech promised much but fundamentally failed to deliver the smoking gun necessary to prove North Korea’s involvement.

And for that reason, we’re right to remain skeptical.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.


Click here to post a comment
  • What’s wrong with heavy metal fans ? (Although I admit teenagers… that is another issue entirely!)

    According to Comey the hackers “got sloppy”, occasionally forgetting to disguise their identity online by using proxy servers that bounce an internet connection around the world. Instead, claims Comey, the attackers revealed IP addresses that are exclusively used by North Korea.

    I saw this the other day and my initial two, immediate reactions were: how arrogant for them to claim it was them being sloppy (seeing as how it was they who bested Sony, not the other way around).. and: maybe, just maybe they are throwing you off deliberately (never mind that IP means next to nothing – just consider that they could be throwing you off, too (not uncommon to attack from an already compromised network))? You know, something like Robert Tappan Morris making it seem that his worm was coming from another university (I seem to remember this, anyway) ? (Certainly the concept is not new)

    Interestingly, while I don’t always agree with his viewpoint, I do here (besides this point I agree with his other points on this attack): Alan Woodward suggests that none of the IPs were in fact in NK but instead in multiple countries. Among other things he said (quoted on BBC):

    “None of these addresses were actually in North Korea. They were in Singapore, Taiwan and all over the place.”
    “It is interesting that all the rhetoric seems to be coming from countries that have existing tensions. They are using specific cyber-attacks for political point-scoring.”
    (Funny thing is I pointed this out on one of my websites after the US originally blamed NK, some weeks back – it isn’t like the US and NK get along and in fact they aren’t exactly allies, are they? And different culture and different ways of expressing themselves (and yes that means NK is expressing themselves, something they are supposedly wanting to stop?)…).

  • I know someone who works in the cyber security sector who is COMPLETELY sure it was NOT North Korean hackers.

    As a security expert, they are absolutely sure the North Koreans have either the motives or the skill set for this hack. The fact that North Korea has only 2000 IP addresses is a key point. They do not have a cyber team within the country with the capability to do this, they would have had to learn in-depth hacking skills from abroad and have become an expert in an English-speaking country.

    The security expert I speak of is aware of many forums where people have been boasting about doing a hack of this type for some time.

    They would not have any political motive but instead be a team of teenagers in their bedrooms. Moreover, they would merely have pretended to be from North Korea in order to have deflected attention away from themselves (apparently this is common in the hacking sector) and would have thought it to be funny to pretend to be from North Korea.

    I am writing this comment as I think it is COMPLETELY IRONIC that the FBI has got involved and, as a peaceful commentator, I am concerned this poses a severe threat to security global world politics.

    These teenagers basically have no awareness of the trouble they have caused or what it really means in global politics.