NSA’s North Korean insight reportedly helped attribute Sony hack

When the FBI formally accused North Korea of being behind the Sony Pictures hack, it was clear that it knew more than it were letting on about the evidence – it’s one thing to give anonymous briefings about the attack’s attribution, and another to officially name the attacker. Unsurprisingly, it turns out that the NSA played a major role in creating that confidence.

Apart from providing interesting context for the global digital arms race and noting how Chinese hacks on the U.S. Defense Department turned out to be awfully expensive, a Der Spiegel article over the weekend referenced a document (PDF) that described the “ramping up” of the NSA’s targeting of North Korea. The NSA has a clever “fourth party collection” strategy of tracking what other spies are doing and stealing what they find – in this case, it was South Korea spying on North Korea, and after a while the NSA decided to establish its own window into North Korean intelligence.

On Sunday the New York Times described these efforts in greater detail, citing anonymous officials and computer experts to assert that the NSA had penetrated the Chinese networks connecting North Korea with the rest of the world, and “picked through connections in Malaysia” that North Korean hackers use. This program apparently dates back to 2010 – long before the Sony Pictures kerfuffle.

However, despite this insight and the fact that North Korea had expressed anger at the upcoming release of “The Interview”, it seems the NSA failed to alert Sony Pictures about the incredibly damaging hack – internal documents were stolen and published, movies were leaked, executives were embarrassed – before it happened. Officials told the NYT that the NSA should have been able to spot the spear phishing that gave the attackers access to Sony’s networks, but “those attacks did not look unusual”.

According to the piece, South Korea reckons North Korea has around 6,000 hackers in its Reconnaissance General Bureau spy agency and Bureau 121 hacking unit, and a large hacking “outpost” in Shenyang, China. The Sony hack involved two months of planning, U.S. investigators later decided.

Earlier this month, FBI chief James Comey claimed that the North Koreans “got sloppy” in the Sony hack, failing to properly mask the North Korea-associated IP addresses from which their attack originated. According to the NYT piece, this same laxity manifested in a North Korean hack on South Korean banks and broadcasters back in 2013, which was traced back to Shenyang with the addresses falling “within a spectrum of IP addresses linked to North Korean companies.”