This week, FBI director James Comey offered new information on the Sony Pictures hack in hopes of easing public doubts about the bureau's claim that North Korea was behind the attack. But many security pros remain wary, saying available intel leaves too fuzzy a picture for attribution.
On Wednesday, Comey spoke at the International Conference on Cyber Security in New York, held at Fordham University. His remarks, which have been published in full, were essentially that the naysayers who “suggested that we [the FBI] have it wrong” are themselves the mistaken party.
“They don't have the facts that I have, don't see what I see, but there are a couple of things that I have urged the intelligence community to declassify…” Comey said in his speech, before offering up the findings.
According to the agency, the attackers who targeted Sony, called the Guardians of Peace (GOP), failed “several times” to use proxy servers that would have disguised their IP addresses (which were “exclusively used by the North Koreans”) when sending threatening emails to Sony employees and posting online messages.
“It was a mistake by them that we haven't told you about before that was a very clear indication [of] who was doing this,” Comey said. “They would shut it off very quickly once they realized the mistake, but not before we saw them and knew where it was coming from.”
He later added that spear phishing emails sent to Sony employees as late as September of 2014 appeared to be the “likely vector for the entry into Sony.”
After Comey's remarks went viral, security experts immediately took to social media to weigh in on the details. Errata Security CEO Robert Graham, for instance, called attention to the “fallibility of IP addresses” when they are used as proof for attack attribution: a source address can belong to a compromised host, a shared proxy or a rented server as easily as to the actor themselves.
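The two technical points above (an actor whose proxy lapses expose a real source address, and the weakness of a bare IP address as evidence) can be made concrete with a small analysis script. The following is an added example, not code from the article, the FBI or Errata Security, and it uses constructed log lines with RFC 5737 documentation addresses rather than any real Sony or North Korean data. It parses a webmail sending log, flags messages that did not arrive through the known anonymizing proxy range (the "lapses"), and then checks whether a leaked address recurs on separate days, because a one-off address is far weaker than the same address surfacing repeatedly. The netblocks, log format and field names are all assumptions for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (not real data): outbound webmail messages from the
# account used to send threats, with the connecting client IP recorded.
# All addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2014-11-21T09:12:03Z msgid=a1 from=gop@example.invalid client=203.0.113.17
2014-11-21T09:14:40Z msgid=a2 from=gop@example.invalid client=203.0.113.17
2014-11-22T02:01:11Z msgid=a3 from=gop@example.invalid client=198.51.100.8
2014-11-22T02:03:59Z msgid=a4 from=gop@example.invalid client=203.0.113.22
2014-12-05T17:45:20Z msgid=a5 from=gop@example.invalid client=198.51.100.8
not a log line at all
"""

# Assumed (constructed) netblocks: the anonymizing proxies the actor normally
# routes through, and the block an investigator would consider "of interest".
PROXY_NETS = [ipaddress.ip_network("203.0.113.0/24")]
BLOCK_OF_INTEREST = ipaddress.ip_network("198.51.100.0/24")

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2})T\S+ msgid=(?P<msgid>\S+) from=(?P<sender>\S+) client=(?P<ip>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        try:
            d["ip"] = ipaddress.ip_address(d["ip"])
        except ValueError:
            continue  # garbage in the client field, ignore the line
        events.append(d)
    return events


def proxy_lapses(events, proxy_nets=PROXY_NETS):
    """Messages whose client IP is outside every known proxy net: candidate opsec failures."""
    return [e for e in events if not any(e["ip"] in net for net in proxy_nets)]


def recurring_leaks(events, proxy_nets=PROXY_NETS, block=BLOCK_OF_INTEREST):
    """Leaked addresses inside the block of interest that appear on more than one
    distinct day. A single appearance is treated as too weak to report: it could be
    a compromised host or shared infrastructure, which is exactly the caveat raised
    against using IP addresses alone for attribution."""
    days_seen = defaultdict(set)
    for e in proxy_lapses(events, proxy_nets):
        if e["ip"] in block:
            days_seen[str(e["ip"])].add(e["ts"])
    return sorted(ip for ip, days in days_seen.items() if len(days) > 1)


def summarize(text):
    """Return the lapse message IDs and the recurring leaked addresses for a log."""
    events = parse_log(text)
    return {
        "events": len(events),
        "lapses": [e["msgid"] for e in proxy_lapses(events)],
        "recurring_in_block": recurring_leaks(events),
    }


if __name__ == "__main__":
    # Expected: 5 parsed events, lapses a3 and a5, and 198.51.100.8 recurring.
    print(summarize(SAMPLE_LOG))
```

Even a recurring address is only an indicator. The script deliberately reports the evidence (which messages bypassed the proxy, which address recurred and on how many days) rather than a verdict, leaving the attribution judgment to be corroborated with the "range of other sources and methods" the bureau refers to.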
Comey said the FBI also relied on a “range of other sources and methods,” which it will continue to protect, to make its case that North Korea was the perpetrator in the Sony attack. Even so, many security practitioners believe the evidence made public is not yet strong enough to definitively name a culprit.
In an interview with SCMagazine.com, Christopher Budd, Trend Micro's global threat communications manager, emphasized that “good attribution never rests on a single piece of evidence, but on a number of factors that come together to make a complete picture.”