President Barack Obama was persuaded to accuse North Korea of attacking Sony Pictures based on intelligence gathered during a US hack of the country’s networks in 2010, according to US reports.
Attribution of cyber attacks is notoriously difficult, but the US tracked the internal workings of computers and networks used by North Korea’s hackers, the New York Times revealed.
This capability stemmed from a National Security Agency (NSA) mission to break into North Korean networks that led to the US hiding software on systems to monitor North Korean activities.
The NSA was assisted by South Korea and other US allies, the paper said, citing former US and foreign officials, computer experts and a newly disclosed NSA document published in Der Spiegel.
The US has come under fire for not offering enough evidence to back up its accusation of North Korea's part in the attacks, but the New York Times said the US was reluctant to expose its intelligence-gathering capabilities.
However, the revelation has raised new questions about why the US did not warn Sony Pictures that the attack was underway.
According to unnamed US officials, the NSA should have been able to see the phishing attacks in September that have since been identified as the way hackers got Sony systems administrator credentials to access the network.
Rival theories abound
However, one person briefed on the investigation said the phishing attacks did not look unusual at the time and – even with their view into North Korea’s activities – US intelligence agencies did not understand the severity of the attack on Sony Pictures in November 2014.
But others have suggested the NSA did not warn Sony Pictures because it did not want to reveal the extent of its monitoring capabilities.
The attack resulted in the destruction of computers, the leak of sensitive documents including salary details and confidential emails between executives, and the leak of some unreleased films.
It also resulted in Sony film The Interview – a comedy about an assassination attempt on North Korean leader Kim Jong-un – being briefly shelved and then released online.
The US Office of the Director of National Intelligence said the intelligence community was fully aware of North Korean attempts to infiltrate US commercial networks, tracking them routinely, reports the BBC.
"While no two situations are the same, it is our shared goal to prevent bad actors from exploiting, disrupting or damaging US commercial networks and cyber infrastructure," said spokesman Brian Hale.
Commentators voice skepticism
While the revelation of an NSA foothold in North Korean networks certainly makes the US claim that North Korea was behind the Sony Pictures attack much more believable, independent security consultant Graham Cluley voiced caution.
“It’s healthy to be skeptical – especially as those speaking to the media continue to do so anonymously, with no ability to question their motives for leaking information. And, presumably, the cat is now out of the bag,” he wrote in a blog post.
The New York Times noted that, because of the sophistication of the Sony hack, many experts remained skeptical that North Korea was the culprit, or at least the lone culprit.
Some have suggested it was an insider, a disgruntled Sony ex-employee – or an outside group cleverly mimicking North Korean hackers.
The paper said many experts remained unconvinced by FBI director James Comey’s claim that, while the Sony attackers had largely concealed their identity by using proxy servers, on several occasions they “got sloppy” and connected directly, revealing their own IP address.