Obama Sanctions North Korea, Citing Discredited Sony Allegation
January 3, 2015
Jason Ditz / AntiWar.com & The Huffington Post & Shane Harris / The Daily Beast
Even though FBI allegations that North Korea was behind the hacking of Sony Pictures have long since been discredited, President Obama today announced a new round of North Korea sanctions in retaliation for this. North Korea has consistently denied involvement. The timing of the sanctions suggests there's more than just a botched FBI investigation behind them, however, as the sanctions were announced just one day after both North and South Korea began talking up a summit designed to improve ties between the two.
Obama Sanctions North Korea, Citing Discredited Sony Allegation
Jason Ditz / AntiWar.com
(January 2, 2015) -- Even though the FBI's allegations that North Korea was behind the hacking of Sony Pictures have long since been discredited, with cybersecurity experts pointing the finger at a group of hackers centered around a disgruntled former employee, President Obama today announced a new round of sanctions against North Korea explicitly in retaliation for this. [See next story – EAW.]
White House officials termed the sanctions the "first aspect" of the president's promised "proportional" retaliation against North Korea for cancelling the release of Sony movie The Interview, a movie which was released at any rate.
The timing of the sanctions suggests there's more than just a botched FBI investigation behind them, however, as the sanctions were announced just one day after both North and South Korea began talking up a summit designed to improve ties between the two.
Whenever North Korea has suggested any sort of rapprochement with the US, it has been dismissed by President Obama out of hand, and this move may be designed to sabotage any South Korean talks, or to at least send the signal that no matter what the Park government decides, the US will remains hostile to North Korea.
Obama Announces New Sanctions
On North Korea In Response To Sony Hack
The Huffington Post
(January 2, 2015) – Escalating a conflict that's engulfed a major motion picture studio and nearly derailed a movie's release, President Barack Obama ordered new sanctions against North Korea on Friday in response to the hacking of Sony Pictures Entertainment.
The sanctions, which target three companies and 10 North Korean government officials, are the first step in what administration officials said would be a "proportional response" to the Sony hack.
Though those next steps weren't stated, officials on a background call on Friday suggested that a conflict largely waged in the dark corners of the Internet is about to become more openly adversarial and global.
The goal, said the official, is to further isolate the already isolated nation from the international finance community by encouraging others to stop doing business with the sanctioned entities. This is, one official noted, the first time the United States has responded to a cyberattack in such a manner.
"We have certainly connected sanctions in terms of human rights abuses and other things and doing that through cyberspace," said the official, who spoke on condition of anonymity, "but this is the first time to my knowledge that we've used this tool in response to a direct attack on a US company."
Though none of the officials sanctioned by the US government were directly involved in the Sony attack, senior administration officials said the action taken on Friday was in response to that incident.
"This is really an example of where you had a country really cross a threshold in terms of an attack due to its destructive and coercive nature," said a senior administration official.
The White House press secretary referenced the Sony attack in a statement issued after the announcement of the sanctions:
Today, the President issued an Executive Order (E.O.) authorizing additional sanctions on the Democratic People's Republic of Korea. This E.O. is a response to the Government of North Korea's ongoing provocative, destabilizing, and repressive actions and policies, particularly its destructive and coercive cyber attack on Sony Pictures Entertainment.
The E.O. authorizes the Secretary of the Treasury to impose sanctions on individuals and entities associated with the Government of North Korea. We take seriously North Korea's attack that aimed to create destructive financial effects on a US company and to threaten artists and other individuals with the goal of restricting their right to free expression.
As the President has said, our response to North Korea's attack against Sony Pictures Entertainment will be proportional, and will take place at a time and in a manner of our choosing. Today's actions are the first aspect of our response.
The cyberattack that North Korea allegedly waged against Sony was believed to be in retaliation to the release of "The Interview," a satirical film starring Seth Rogen and James Franco that depicts the death of North Korean leader Kim Jong Un. North Korea has denied involvement in the Sony hacking, and some security researchers have questioned whether there is enough evidence to blame North Korea.
The senior administration officials said they "remain very confident" that the North Korean government was behind the attack, with one bristling that it is not "accurate to say there has been a lot of doubt."
They noted that some cybersecurity firms commenting on the matter "don't have the same access" to intelligence that the government does. And, as a way of underscoring their confidence, they added that it is "extremely rare for the US government to take this step" of issuing sanctions in response to a cyberattack.
After the hackers issued threats to anyone who saw "The Interview," Sony canceled plans to release the film, which was originally slated to be released Dec. 25. They later reversed that decision, releasing the film in some theaters and on multiple on-demand platforms.
In his last press conference of 2014, Obama said Sony had "made a mistake" by canceling the release of the movie.
"I wish they'd spoken to me first [before canceling the release of the film]," Obama said.
After the Internet in North Korea was shut down in late December, the country blamed the US, calling Obama a "monkey," according to The Associated Press. Officials on the call would not address speculation that the United States was behind that bit of sabotage. One official said there were "many possible reasons for the Internet outage, including the possibility that they did it to themselves."
US Spies Say They Tracked ‘Sony Hackers' For Years
Shane Harris / The Daily Beast
(January 2, 2015) -- American spies have detailed dossiers on the North Koreans who the US says were behind the Sony attack. But the still-secret evidence likely won't convince skeptics.
The FBI and US intelligence agencies for years have been tracking the hackers who they believe to be behind the cyber attack on Sony, according to current and former American officials. And during that long pursuit, US agencies accumulated still-classified information that helps tie the hackers to the recent Sony intrusion.
The Obama administration announced a round of sanctions against North Korea Friday, and explicitly said the measures were in retaliation for the "destructive and coercive cyber attack on Sony Pictures Entertainment."
But investigators pinned the Sony attack on North Korea in early December, not long after the FBI began investigating the breach and almost three weeks before President Obama publicly pointed the finger at the Hermit Kingdom in a December 19 news conference, according to two individuals with knowledge of the case.
The Obama administration waited to go public not because officials weren't confident in the intelligence, but because the White House was weighing the significant policy decision of whether to publicly tie a nation-state to a specific cyber attack on US soil for the first time.
Ever since the Obama administration made its public case against North Korea for the Sony hack, a slew of independent cybersecurity experts have been skeptical of the government's public case against Pyongyang, calling it flimsy and circumstantial. But sources familiar with the investigation say that the most damning evidence against the Sony hackers was obtained in a secret, and years earlier, during previous intelligence-gathering efforts.
The notion that the FBI was basing its claims of North Korean culpability solely off evidence from the Sony hack is "completely untrue. They're also using evidence that they've been collecting for years," said one person privy to some details of the investigation.
If there are misgivings within the administration about holding North Korea publicly to account, they weren't on display on Friday. The White House and the Treasury Department announced a round of sanctions against three North Korean organizations, among them the country's intelligence bureau, and ten individuals, including government officials and others who work for a North Korea's main weapons dealer.
The sanctioned individuals weren't involved in the Sony attack, administration officials said. But the decision to punish them and by extension the North Korean regime came after the White House decided the Sony hack "crossed a threshold," as one senior administration official put it, going beyond cyber espionage or harassing attacks on Web sites and into the realm of destruction and coercion. The intruders had deleted large amounts of data from Sony's networks, and threatened to attack movie theatres that showed Sony's North Korean satire, The Interview.
The White House was judging the Sony attack against previous North Korean aggression, underscoring that officials are relying on an historical record of hacking behavior. Investigators have also been privately sharing some of their findings with private cyber security companies that also have invested several years in monitoring North Korean hacker groups, officials said, in an effort to help vet their case and bolster their claims.
US investigators still aren't saying precisely what information definitively links the North Koreans to the Sony attack and others. And to date, the FBI has disclosed only circumstantial evidence, including Internet addresses and patterns of malware used in the Sony attack that were seen in other attacks attributed to North Korea, which many cyber security experts have dismissed as insufficient and speculative.
But two former intelligence officials, who aren't involved in the investigation, said that the conclusions in the Sony attack are almost certainly based on other information besides malware analysis or the Internet addresses used in the attack.
Among the catalog of data used for attributing cyber attacks to a particular actor are intercepted communications among the hackers themselves. "It could be a kind of battle damage assessment from the hackers to their higher-ups," said one former official, referring to reports from the frontline hackers about the effects of their campaign against Sony. "There's a lot of this kind of feedback in [an incident] like this. And it's not difficult to intercept that."
A second former US official said that intelligence agencies monitor particular "behaviors" exhibited by members of a hacking group in order to help identify them. "What are their work hours? What code do they use? What sort of comments are in the code?" the official said. "When you add all that up, it's a pretty comprehensive set of indicators."
The Defense Department also maintains a set of dossiers of known hackers operating overseas, including in China, which is both the source of pervasive cyber espionage against US and has served as a home based for some of North Korea's best-known cyber attack cells.
The two former officials said that North Korea has long been a high-priority target for US intelligence agencies, particularly the NSA and the CIA, which has its own cyber sleuthing units and would be called upon to help investigate the Sony attack. The FBI has publicly credited unnamed US intelligence agencies, as well as the private sector, with helping it attribute the Sony hack to North Korea.
The role of private investigators has stirred controversy in the investigation. Last week, the Norse Corp. released findings that it said showed at least six individuals, including one disgruntled ex-Sony employee, were behind the attack, and not North Korea.
The FBI met with Norse employees in the company's offices in St. Louis, but officials subsequently dismissed the findings and said they weren't based on information that the government has obtained but not released. An executive with Norse declined to comment on Friday.
That explanation will hardly satisfy skeptics who have pointed out, correctly, that hackers routinely use Internet addresses and malware signatures employed by other groups to mask their own identities or to pin the blame on others. And other information in recent days has pointed to possible assistance that the North Koreans may have had from outside the country.
On Monday, an anonymous official told Reuters that government investigators now think North Korea may have "contracted out" the Sony hack to other individuals. Another set of hackers that goes by the name the Lizard Squad told the Washington Post that they helped with the Sony hack. And a Twitter account claiming to represent the Guardians of Peace, the group that has claimed responsibility for the attack, says they are not Korean.
But a senior administration official said on Friday, "We remain very confident in the attribution," and noted that a number of other private experts had agreed.
One cybersecurity firm, CrowdStrike, whose senior executives include former top cyber investigators from the FBI, has said it's been tracking the group it believes was behind the Sony attack since 2006. The group, which CrowdStrike dubbed Silent Chollima, was responsible for a "major destructive attack" in July 2009, when it hit more than 30 Websites in the United States and South Korea with a large-scaled denial of service attack.
The Web sites included those of the White House and the Pentagon, CrowdStrike's co-founder Dmitri Alperovitch wrote in a blog post in December.
CrowdStrike says it tracked another attack in which Silent Chollima used a "wiper" malware to erase data from thousands of computers in South Korea. A wiper program was also used in the Sony attack. Of course, such malicious code is now publicly available, and could be used by almost anyone. But this gang kept up similar attacks, over and over.
"For the next five years, Silent Chollima actors repeatedly launched similar data destructive attacks against South Korean businesses and government organizations," Alperovitch wrote. "These attacks had distinct similarities with the malware used against Sony."
When Obama finally pointed the finger at North Korea in December, he promised a response to the Sony hack and left no doubt that he wanted victims of cyber attacks to stand up to threats. The sanctions announced Friday represent "the first aspect of our response" for those attacks, said White House spokesman Josh Earnest.
His statement seemed to imply that the United States wasn't behind a full-scale Internet outage in North Korea last month. Pressed on the question during a briefing with reporters, a senior administration official would neither confirm nor deny US involvement, but pointed to at least one alternative theory that's been discussed publicly: the North Koreans may have taken down their small number of Internet connections as a precaution against what they presumed would be some kind of cyber response by the United States.
Instead, it appears that the Obama administration has opted to punish North Korea financially. In naming publicly ten individuals whom officials say are involved in various illegal activity, including illicit weapons sales, the administration is putting North Korean elites on notice that they can track their activities and take actions to stop them.
Posted in accordance with Title 17, Section 107, US Code, for noncommercial, educational purposes.