WASHINGTON, Jan. 19 (Xinhua) — The U.S. National Security Agency (NSA) secretly broke into the computer systems of the Democratic People’s Republic of Korea (DPRK) in 2010, the New York Times reported Monday, an apparent effort by the U.S. side to convince skeptics it has evidence that Pyongyang was behind last year’s cyberattack on Sony Pictures Entertainment.
Citing former U.S. and foreign officials, computer experts briefed on the operations and a newly disclosed NSA document, the newspaper said the U.S. spy agency penetrated directly into the DPRK networks with the help of South Korea and other American allies after first hacking the Chinese networks that connect North Korea to the outside world.
The NSA began placing malware in the DPRK networks in 2010, first focusing on the DPRK’s nuclear program and its leadership, but the focus shifted after a cyberattack in 2013 on South Korean banks and media companies, the report said.
As for the Sony attack, U.S. investigators concluded that the hackers spent more than two months, from mid-September to mid-November, mapping Sony’s computer systems before carrying out the attack that began on Nov. 24.
The evidence gathered by the U.S. malware proved critical in persuading President Barack Obama to accuse the DPRK of ordering the Sony attack and to promise retaliation, which has begun in the form of new economic sanctions, it said.
It’s the first time the United States has publicly charged another government with mounting a cyberattack on American targets.
But the New York Times also raised questions about why the United States was not able to alert Sony beforehand about the attack, which the U.S. said was probably caused by the release of “The Interview,” a movie that features an assassination attempt against DPRK leader Kim Jong Un.
Pyongyang has repeatedly denied any involvement in the Sony hack.
Many experts are skeptical that the DPRK was the culprit, or the lone culprit, suggesting instead that it was an insider, a disgruntled Sony ex-employee or an outside group mimicking DPRK hackers, the newspaper said.
“Many remain unconvinced,” said the report. “It would not be that difficult for hackers who wanted to appear to be North Korean to fake their whereabouts.”
A related article:
North Korea: Hackers or Hacked?
Attempting to attribute the Sony Pictures Entertainment attack to North Korea is complicated by the fact that a worm active in that country may be giving foreign hackers access to computers within North Korea. While there is no evidence that computers infected with this worm were involved in the attack on Sony, any attribution based on IP address alone must be treated as suspect.
North Korea has an extremely narrow connection to the Internet. There is a single ISP, Star JV, which is a joint venture between the national telecom ministry and Thailand’s Loxley Pacific. Star JV peers with two other networks to connect to the Internet, China Unicom and Intelsat, and is only allocated a single IP address block, 22.214.171.124/22.
That address block contains 1,024 IPv4 addresses. This is a very small allocation for a country of 24 million people. For comparison, that is the same number of IP addresses as is allocated to Cloudmark.
The FBI has identified North Korea as the source of the recent compromise of Sony Pictures Entertainment (SPE).
Other researchers remain dubious of this claim, stating that the level of access gained by the attackers indicates that it was an inside job involving disgruntled ex-employees.
One argument used against the involvement of North Korea in the SPE attack is that the country does not have the bandwidth to receive the large volume of data that was exfiltrated from Sony.
However, the data may well have been exfiltrated to a location outside North Korea. For example, one part of the SPE attack was traced to the Regis Hotel in Bangkok.
As part of the evidence that North Korea was responsible for the SPE attack, the FBI stated that, “…several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.”
On examining the email flows sent to Cloudmark clients from North Korean IP addresses, we can see that one North Korean IP, 126.96.36.199, has been sending spam, which is a common sign of an infected machine. The Composite Block List (CBL) maintained by the anti-spam non-profit Spamhaus confirms this.
The CBL currently lists 188.8.131.52 as being infected with the Wapomi worm, which spreads via USB drives and file server shares. This malware includes a software downloader that gives the criminal controlling it the ability to download and run any sort of malware on the victim’s machine.
Cloudmark only detected this IP address sending spam on December 11, 2014, but it could have been under the control of criminal hackers long before that. It’s not clear if this is one of the IP addresses that the FBI regards as “Known North Korean infrastructure.”
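An added example (not code from the article or from Cloudmark) of the check a defender would apply to an IP-based indicator before treating it as evidence of origin: is the address inside the country's only allocation, and does a DNSBL list that same host as compromised? It uses the addresses as printed above and assumes the Spamhaus ZEN answer codes that Spamhaus documents publicly.

```python
import ipaddress
import socket
from typing import Callable, Iterable

# Block copied from the article text; host bits are cleared (strict=False)
# because ip_network() requires a proper network address.
DPRK_BLOCK = ipaddress.ip_network("22.214.171.124/22", strict=False)

# Spamhaus ZEN A-record answer codes (assumption: per Spamhaus' published docs).
# 127.0.0.4-7 is the XBL, which carries the CBL infected-host data.
ZEN_CODES = {
    2: "SBL: known spam source",
    3: "SBL CSS: snowshoe spam source",
    9: "SBL DROP: hijacked or leased netblock",
    10: "PBL: end-user range (ISP policy)",
    11: "PBL: end-user range (Spamhaus policy)",
}
for _code in range(4, 8):
    ZEN_CODES[_code] = "XBL/CBL: compromised host (bot or open proxy)"


def dnsbl_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Reversed-octet DNSBL query name, e.g. 199.36.96.126.zen.spamhaus.org."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def resolve(name: str) -> list[str]:
    """Live A lookup; NXDOMAIN means 'not listed' and becomes an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def assess(ip: str, resolver: Callable[[str], Iterable[str]] = resolve) -> dict:
    """Weigh an IP-only attribution: a host inside the block that a DNSBL
    lists as compromised may be relaying someone else's traffic."""
    answers = list(resolver(dnsbl_name(ip)))
    # 127.255.255.x answers are query errors, not listings; they are skipped.
    listings = [ZEN_CODES.get(int(a.split(".")[-1]), f"unknown code {a}")
                for a in answers if a.startswith("127.0.0.")]
    infected = any(entry.startswith("XBL") for entry in listings)
    in_block = ipaddress.IPv4Address(ip) in DPRK_BLOCK
    if in_block and infected:
        verdict = "weak: inside the block but listed as compromised"
    elif in_block:
        verdict = "moderate: inside the block, no infection listing"
    else:
        verdict = "not in the block under study"
    return {"ip": ip, "in_dprk_block": in_block, "listings": listings,
            "infected": infected, "verdict": verdict}
```

Pass a fake resolver to `assess()` to replay a recorded DNSBL answer without network access.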
However, unless the FBI releases more specific details of their case against North Korea, including email headers and mail server logs, some experts will continue to question if they are in fact correct.