U.S. says evidence ties North Korea to Sony cyberattack
“This is of a different nature than past attacks,” one senior official told the Times. A cyberattack which began by wiping out data on corporate computers – similar to attacks conducted against organizations in in South Korea and Saudi Arabia, but not in the United States — has turned “into a threat to the safety of Americans” if Sony were to go ahead with the release of the movie. The official, however, echoing a statement from the Department of Homeland Security, said there was “no specific, credible threat information” which would suggest that any attack was imminent.
The United States believed it had knowledge of North Korean cyber capabilities. Four years ago the NSA managed to penetrate North Korean computer operations, including the country’s elite cyberteam, and leave “implants” in the country’s networks to monitor the development of malware transmitted from the country.
Much of North Korea’s hacking, however, is done from China, and although the attack on Sony made use of some commonly available cybertools, one intelligence official told the Times that “This was of a sophistication that a year ago we would have said was beyond the North’s capabilities.”
The Times notes that the hackers of Sony left a long forensic trail. The attackers used available commercial tools to wipe data off Sony’s systems. They also employed tools and techniques which had been used in at least two previous attacks, one in Saudi Arabia two years ago, and another last year in South Korea, aimed at banks and media companies.
The recent attacks at Sony were routed from command and control servers in different parts of the world, but one of those servers, a computer in Bolivia, had been used before, in a limited set of cyberattacks on South Korean targets two years ago. Analysts say this this suggests, but does not prove, that that the same group or individuals may have been behind both attacks.
These analysts note that the malware the hackers used in the attacks on Sony also shared many similarities with the malware used in last year’s destructive attacks on South Korean banks and broadcasters. Those attacks, which also combined the destruction of some data with the theft of other data, are assumed to be the work of a cybercriminal gang known as Dark Seoul. Some experts say it cannot be ruled out that the Sony attack was the work of a Dark Seoul copycat.
The Sony attack also borrowed a wiping tool from an attack two years ago at Saudi Aramco – an attack attributed to Iran – in which the hackers wiped out data off 30,000 Aramco computers, replacing it with an image of a burning American flag.
The three attacks — in South Korea, Saudi Arabia, and Sony – have something else in common: In each attack, experts were unable to confirm the initial entry point. As to Sony, “It’s clear that they already had access to Sony’s network before the attack,” Jaime Blasco, a security researcher at AlienVault, told the Times.