
Sony hackers failed to hide their North Korean IP addresses, says FBI

Graham CLULEY

January 09, 2015


Did they or didn’t they?

That’s the question everyone is asking in the computer security industry – is it really plausible that North Korea was responsible for the hack against Sony Pictures which saw the company’s computers grind to a halt with images of skulls, and documents and internal emails leaked to the internet?

In fact, it’s not just the security nerds who are interested in where the attack might have come from. I’ve lost count of how many times in the last month family and friends unconnected to the security business have asked me who I believe was most likely to have perpetrated the hack.

Personally, I would be very surprised if North Korea was to blame. It just seems very odd behaviour and out of character for a country to make such an obvious assault against a particular business. Normally, state-sponsored hackers would be more interested in silently spying, and not drawing attention to themselves with payloads more likely to appeal to a teenage heavy metal fan.


But then, North Korea *is* a very odd country, and its leaders even stranger…

Maybe it is *possible* that a country run by a chap like Kim Jong-un would take offence at a comedy movie that portrayed his assassination (even though, let’s not forget, the initial communications between the hackers and Sony executives demanded money, and didn’t mention the film).

*Possible*, but likely? I, like many others in the computer security arena, remain unconvinced.

A disgruntled former employee sounds much more plausible to me.

Not that my opinion matters much, because the United States authorities are convinced that North Korea is to blame, and have even levied sanctions as a result.

And, realising that there are many who are skeptical about the blaming of North Korea, FBI director James Comey has given a speech at the International Conference on Cyber Security (ICCS) at Fordham University in New York, promising to reveal more information about how the agency came to its conclusion.

According to Comey the hackers “got sloppy”, occasionally forgetting to disguise their identity online by using proxy servers that bounce an internet connection around the world. Instead, claims Comey, the attackers revealed IP addresses that are exclusively used by North Korea.

“In nearly every case, [the hackers] used proxy servers to disguise where they were coming from in sending these emails and posting these statements. But several times they got sloppy.

“Several times, either because they forgot or because of a technical problem, they connected directly and we could see that the IPs they were using… were exclusively used by the North Koreans.”

“They shut it off very quickly once they saw the mistake. But not before we saw where it was coming from.”

Unfortunately, Comey wasn’t prepared to take any questions after his talk – so it’s hard to be sure how the FBI confirmed that those North Korean IP addresses weren’t proxies themselves, perhaps deliberately commandeered by hackers to send investigators in the wrong direction.

Furthermore, there is the mystery of why the hackers only started to mention “The Interview”, the movie that has apparently enraged the North Korean regime so much, *after* the media suggested it as a possible motive. Remember, the hackers initially said they were after money.

Unfortunately for us, the FBI says it cannot provide more information about how it came to its conclusion for national security reasons:

“I want to show you, the American people, as much as I can about the why, but show the bad guys as little as possible about the how. This will happen again and we have to preserve our methods and our sources.”

However, without more compelling evidence, or even some sliver of detail that might support the FBI’s case that it was a state-sponsored attack by North Korea, many of us will continue to be dubious about the claim.

As security researcher Marc Rogers notes, Comey’s speech promised much but fundamentally failed to deliver the smoking gun necessary to prove North Korea’s involvement.

And for that reason, we’re right to remain skeptical.


Author


Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
