iWar


by Bill Gertz


  North Korean Internet Protocol addresses have been identified by investigators since 2011, falling into two specific blocks. The first block comprised 1,024 addresses (a /22) used since 2010 by Star Joint Venture, an Internet service provider formed by the state-run Korea Posts and Telecommunications Company and Thailand’s Loxley Pacific. These addresses, which ranged from 175.45.176.0 to 175.45.179.255, hosted all official North Korean websites, such as KCNA (the Korean Central News Agency, an official organ); Naenara, the official Web portal; the official broadcaster Voice of Korea; and Rodong Sinmun, the daily of the ruling Workers’ Party of Korea. A second block of 256 addresses (a /24) ranged from 210.52.109.0 to 210.52.109.255. Those addresses belong to China Netcom, one of China’s largest Internet service providers, and were assigned to Korea Posts and Telecommunications. South Korea’s government, which cooperated with the FBI in investigating the Sony cyberattack, had linked the 2013 cyberattacks on South Korea to IP addresses of Korea Posts and Telecommunications, which is part of the North Korean Ministry of Post and Telecommunications.
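  To make the two netblocks concrete, here is an added example, not from Gertz’s book, that converts the start and end addresses stated above into CIDR notation, checks that the address counts really are 1,024 and 256, and flags any source address inside those blocks in a few constructed firewall log lines. The log format, the block labels and the sample lines are assumptions made for the example; a match only says that traffic came from a block assigned to North Korea, which, as the cutout networks discussed below show, is weak evidence on its own.

```python
import ipaddress
import re

# The two address ranges the text attributes to North Korea, written as the
# page gives them: first and last address of each contiguous block.
# The labels are the example's own shorthand.
DPRK_RANGES = {
    "Star JV (KPTC / Loxley Pacific)": ("175.45.176.0", "175.45.179.255"),
    "China Netcom, assigned to KPTC": ("210.52.109.0", "210.52.109.255"),
}

# Constructed sample firewall log lines; not from any real incident.
# Line 4 is deliberately one address past the end of the /22.
SAMPLE_LOG = """\
2014-11-24T03:12:09Z src=175.45.178.14 dst=10.0.0.5 proto=tcp dport=445 action=allow
2014-11-24T03:12:11Z src=203.0.113.7 dst=10.0.0.5 proto=tcp dport=443 action=allow
2014-11-24T03:13:02Z src=210.52.109.200 dst=10.0.0.9 proto=tcp dport=22 action=deny
2014-11-24T03:14:40Z src=175.45.180.1 dst=10.0.0.5 proto=tcp dport=80 action=allow
"""

# Assumed log format: a key=value field named src= carrying the source IPv4.
SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def range_to_cidrs(start, end):
    """Collapse a first..last address range into the minimal list of CIDR networks."""
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end)
    return list(ipaddress.summarize_address_range(first, last))


def block_summary():
    """Return {label: (list of CIDR strings, total address count)} for each stated range."""
    summary = {}
    for label, (start, end) in DPRK_RANGES.items():
        nets = range_to_cidrs(start, end)
        summary[label] = ([str(n) for n in nets], sum(n.num_addresses for n in nets))
    return summary


def build_classifier():
    """Return a function mapping an IPv4 string to the matching block label, or None."""
    nets = [(label, n)
            for label, (start, end) in DPRK_RANGES.items()
            for n in range_to_cidrs(start, end)]

    def classify(ip_str):
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:          # e.g. an octet above 255 slipped past the regex
            return None
        for label, net in nets:
            if ip in net:
                return label
        return None

    return classify


def flag_log_lines(text):
    """Return [(line_no, src_ip, block_label)] for lines whose source IP is in a stated block."""
    classify = build_classifier()
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = SRC_RE.search(line)
        if not m:
            continue
        label = classify(m.group(1))
        if label is not None:
            hits.append((line_no, m.group(1), label))
    return hits


if __name__ == "__main__":
    for label, (cidrs, count) in block_summary().items():
        print(f"{label}: {', '.join(cidrs)} ({count} addresses)")
    for line_no, ip, label in flag_log_lines(SAMPLE_LOG):
        print(f"line {line_no}: {ip} is in {label}")
```

  Run stand-alone, the script prints the two blocks as 175.45.176.0/22 and 210.52.109.0/24 and flags lines 1 and 3 of the sample; line 4 (175.45.180.1) falls just outside the /22 and is correctly ignored.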

  Comey, the FBI director, concluded the North Korean hackers had been “sloppy”: some of their messages went out without passing through the cutout computer networks designed to mask the origin of the attacks, which allowed investigators to trace the activity directly to Pyongyang. “It was a mistake by them,” Comey said. “It made it very clear who was doing this.”

  The comments by the FBI chief were somewhat deceptive, as is often the case when senior officials discuss sensitive U.S. government intelligence operations. By pointing the finger at sloppy North Korean tradecraft, Comey was seeking to protect the FBI’s actual source for the North Korea connection to the Sony hack: the supersecret cyber spies at the National Security Agency. The NSA had been monitoring North Korean cyber activities directly and through third parties since 2010, in what an internal NSA document described as “fifth-party collection,” the process of electronically spying on foreign spies. In spy parlance, information gathering is known as collection, and in NSA’s case it has expanded well beyond first-party collection, the agency’s own direct tapping of a target, such as the Cold War operations against undersea cables used by the Soviet military. Second-party collection is the take of the Five Eyes partners and third-party collection that of other allied services; in both cases the electronic spying is done on behalf of the United States by a partner, such as Britain’s signals intelligence agency, GCHQ, which then supplies the data to NSA.

  But NSA was able to demonstrate the ultimate state of the art in signals intelligence gathering by clandestinely tapping into foreign intelligence service communications, an extraordinarily difficult operation, since such telecommunications links are usually highly secure, protected with sophisticated and nearly unbreakable encryption, and very difficult to identify in the massive universe of electronic signals. A top-secret NSA memo made public in 2015 defines fourth-party collection and provides the first details of what is called fifth-party collection. “Fourth party collection refers to passively or actively obtaining data from some other actor’s [computer network exploitation] activity against a target,” the memo says. The memo then answered a question posed by an NSA employee on whether the agency had ever achieved the ultradifficult feat of fifth-party collection: spying on a foreign service while that service is itself spying on another foreign service’s hacking of the ultimate target, so that the data reaches NSA through two intermediate layers of espionage rather than from the target directly.

  As an NSA analyst stated in an internal newsletter:

  Yes. There was a project that I was working last year with regard to the South Korean CNE [computer network exploitation] program. While we aren’t super interested in SK (things changed a bit when they started targeting us a bit more), we were interested in North Korea and SK put a lot of resources against them. At that point our access to NK was next to nothing but we were able to make some inroads to the SK CNE program. We found a few instances where there were NK officials with SK implants on their boxes, so we got on the exfil points, and sucked back the data. That’s fourth party. (TS//SI//REL) However, some of the individuals that SK was targeting were also part of the NK CNE program. So I guess that would be the fifth party collect you were talking about. But once that started happening, we ramped up efforts to target NK ourselves (as you don’t want to rely on an untrusted actor to do your work for you). But some of the work that was done there was able to help us gain access. (TS//SI//REL) I know of another instance (I will be more vague because I believe there are more compartments involved and parts are probably NF [no foreigners]) where there was an actor we were going against. We realized success because of a 0 day they wrote. We got the 0 day out of passive and were able to re-purpose it. Big win. (TS//SI//REL). But they were all still referred to as fourth party.

  Behind all the electronic intelligence jargon was the disclosure of a truly remarkable spying achievement. In nontechnical intelligence terms, the NSA was able to spy on South Korean intelligence communications, no doubt sent electronically in the Korean language and protected against interception by strong encryption, that were themselves reporting on the interception of North Korean cyber-intelligence operational information, which was also likely encrypted. The ability to do so is a measure of NSA’s spying and hacking power. The NSA document was among the estimated 1.7 million NSA papers stolen by Edward Snowden.

  Another leaked NSA document described this extraordinary capability to spy on the spies as “I drink your milkshake,” a line from the 2007 movie There Will Be Blood, which was based on Upton Sinclair’s novel Oil! (1927), about how oil companies drilled and drained oil from prized land by covertly tapping nearby wells. In the film, actor Daniel Day-Lewis tells his adopted son, “If you have a milkshake, and I have a milkshake. And I have a straw, there it is. And my straw reaches across the room and starts to drink your milkshake, I drink your milkshake! I drink it up!”

  In the NSA document, the agency’s prowess for stealing electronic secrets was so formidable that it was drinking the milkshake of the South Korean spy service as the South Koreans were spying electronically on North Korea. Even more sensitive than the North Korean fifth-party collection is the document’s second reference, to NSA’s finding and using a “0 day,” or zero-day, exploit written by another foreign service, one the analyst describes only as an actor NSA “was going against” and which was likely Israel or France. A zero day is a software vulnerability unknown to the vendor, and therefore unpatched, together with the working exploit code that turns it into a means of clandestine cyber intrusion. In the electronic spying and hacking world, zero days are the coin of the realm, and nations are known to devote hundreds of technical analysts to combing through large software programs to find them. NSA learned, from passive collection against that service’s communications, that it had built a working zero-day exploit; U.S. analysts recovered the exploit from the intercepted traffic and repurposed the same security hole for NSA’s own operations, an outcome the unidentified analyst called a “big win.”

  The NSA successfully drilled electronically into Chinese and then North Korean networks with the help of South Korean electronic spying operatives. It placed monitoring software inside North Korean networks, including those used by Unit 121, and then used electronic “beacons” that autonomously mapped out the North’s computer networks.

  Shortly before the release of The Interview, the North Korean hackers, posing as a group called the Guardians of Peace, threatened terrorist attacks on movie theaters that were planning to show the film on its December 25 release date. The major theater chains buckled and dropped it. Sony instead released the film on December 24 as streaming online video, through Google Play, YouTube Movies and Xbox Video, alongside a limited run in independent theaters; Netflix and other services added it afterward. Many Americans viewed the movie on its opening day as an act of protest against a communist dictatorship seeking to stifle free speech. I was one of them. The film lived up to its reputation as a fart comedy. But watching it provided me with a sense of having taken part in a historic battle—one of the first of the twenty-first century’s new-style warfare.

  Rogen spoke publicly about the North Korean hack more than a year after the Sony attack. “I made a movie called The Interview that almost started a war,” Rogen told British talk show host Graham Norton in April 2016. “It was a horrible experience. It’s bad to be blamed for almost starting a war. . . . Not fun. Super weird.” Sony provided security guards for Rogen and others over concerns North Korean agents would be dispatched in hit teams to kill those involved in the film. North Korea in the past threatened to kill American comedy writers Matt Stone and Trey Parker for their satirical comedy Team America: World Police, which included an unflattering portrayal of Kim Jong Un’s father, Kim Jong Il.

  Despite NSA’s penetration of North Korean cyberattack networks, the U.S. government and President Obama mishandled the major attack and sought to minimize its strategic significance. Reflecting his roots as a community organizer steeped in the radical leftist politics that grew out of the 1960s and ’70s, Obama deliberately passed up the opportunity to go on the offensive against North Korea. That would have made the United States look strong, powerful and assertive, a posture Obama had denounced as having led to the Iraq War in 2003. Instead, the president and his advisers refused to describe the attack as an act of information warfare. “No, I don’t think it was an act of war,” Obama said when asked about the attack. “I think it was an act of cyber vandalism that was very costly, very expensive.” The comment was part of the Obama ideology of not seeing threats in warfare terms, because doing so would contradict his postmodern vision of a world without enemies, sharing common interests.

  From the early stages, the FBI also mishandled the Sony hacking case by attempting to minimize the attack. The FBI has frequently made this knee-jerk bureaucratic reaction in the immediate aftermath of unwelcome events involving criminal, intelligence, or cyberattack failures, amid worries that confirming the incidents might reflect poorly on the FBI as an investigative agency. Despite immediate indications detected by NSA shortly after the attack became known that it was carried out by North Koreans, the Korean-language artifacts in the malware among them, and the fact that the obvious goal of the cyberattack was to prevent the release of The Interview, the U.S. government mishandled its response by first keeping silent, and naming North Korea only after the hackers threatened September 11–style terror attacks on movie theaters that were to show the film. The threats prompted Sony to capitulate to the dictatorship in Pyongyang.

  Instead of immediately exposing the attack for what it was, the U.S. government initially issued vague statements and even denials. “There is no attribution to North Korea at this point,” FBI assistant director Joe Demarest, head of the bureau’s cyber division, told a security conference on December 9, some two weeks after the Sony attack became public on November 24. By that time, however, the NSA had fully linked the attack to Pyongyang, based on its existing access inside North Korean networks.

  Less than a month after Demarest declined to name North Korea, the White House announced on January 2, 2015, that it was imposing symbolic economic sanctions on three North Korean entities, among them the Reconnaissance General Bureau (RGB), the regime’s main intelligence agency, and two arms-trading front companies used by North Korea for overseas activities, along with ten of their officials. White House officials who briefed reporters about the action stated that the people and entities named were not involved in the Sony hack. It was meant to send a message. But the message fell on deaf ears. “These entities, which have been previously sanctioned, by sanctioning them again under this authority, and frankly sanctioning them at a time when there is a great deal of international attention being focused on North Korea, will we think further isolate those entities from the international financial system and heighten the concern around the world with potentially doing business with these entities,” a senior administration official told reporters in announcing the sanctions. In other words, North Korea would pay no price.

  Obama said on December 19 that the United States would respond to the attack “in a place and a time and manner that we choose”; the White House later cast the January sanctions as the first element of that response. The president decried Sony’s cancellation of the release of The Interview as a dictator imposing censorship in the United States.

  A temporary Internet outage in North Korea, where ordinarily only a limited number of government officials and the elite can access the Internet at all, was detected in December 2014, setting off speculation that it was a U.S. counterattack. But U.S. officials told me the outage was not related to any U.S. action.

  Obama’s comments were a bluff and he never followed through on the threat to take further action. North Korea was never punished, other than through the symbolic sanctions that had no impact on any North Korean companies or officials. It was the pattern of inaction and weakness the president followed in dealing with all of America’s adversaries, including China, Russia, and Iran.

  The damage will be long-lasting. The failure to disclose early on the nature of the attack and players behind it sent a clear message to other would-be cyberattackers—with a relatively low-cost cyberattack, U.S. economic and government policies can be influenced in favor of a foreign government.

  After the initial denials, the FBI declared on December 19, 2014, that the North Koreans carried out the attack. No explanation was given for why Demarest had claimed there was no link to Pyongyang. NSA director and U.S. Cyber Command commander Admiral Michael Rogers was categorical about his agency’s attribution of the Sony attack. “This was North Korea. Let there be no doubt in anyone’s mind,” he told Fox Business Network.

  Still, the weak Obama administration response prompted many nongovernment cybersecurity experts to question whether North Korea really carried out the Sony cyberattack. Among the skeptics was Jeffrey Carr, who wrote on his blog, Digital Dao, that he did not believe the North Koreans were behind the Sony hack. “As of today, the U.S. government is in the uniquely embarrassing position of being tricked by a hacker crew into charging another foreign government with a crime it didn’t commit,” Carr stated on January 7, 2015. Carr was convinced a Russian hacker group conducted the Sony attack, despite the evidence, including NSA penetrations of North Korean networks, that Sony was victimized by a state-sponsored North Korean cyberattack.

  North Korea’s National Defense Commission, the state body that then oversaw the military, issued a statement calling the American charges groundless and demanding that the United States apologize. The reaction was part of classic North Korean information warfare, which calls for complete denials by high-level government agencies and officials to confuse the enemy about the regime’s clandestine operations. According to the North Korean commission:

  It is a common sense that the method of cyber warfare is almost similar worldwide. Different sorts of hacking programs and codes are used in cyberspace.

  If somebody used U.S.-made hacking programs and codes and applied their instruction or encoding method, perhaps, the “wise” FBI, too, could not but admit that it would be hard to decisively assert that the attack was done by the U.S. What is grave is that U.S. President Obama is recklessly making the rumor about “DPRK’s cyber-attack on Sony Pictures” a fait accompli while crying out for symmetric counteraction, strict calculation and additionally retaliatory sanctions.

  To hammer home its information operation against the Sony film, the commission charged there was clear evidence the Obama administration was “deeply involved in the making of such dishonest reactionary movie.” The statement was based on the hacked Sony documents. “It is said that the movie was conceived and produced according to the ‘guidelines’ of the U.S. authorities who contended that such movies hurting the dignity of the [North Korean] supreme leadership and inciting terrorism against it would be used in an effective way as ‘propaganda against North Korea,’ ” the statement said, noting the leaked emails from Robert King, the State Department special envoy on North Korean human rights. The Pyongyang statement also mentioned the Guardians of Peace, the front group used in the attack. “We do not know who or where they are but we can surely say that they are supporters and sympathizers with [North Korea]. The army and people of [North Korea] who aspire after justice and truth and value conscience have hundreds of millions of supporters and sympathizers, known or unknown, who have turned out in the sacred war against terrorism and the U.S. imperialists, the chieftain of aggression, to accomplish the just cause.”

  The commission vowed to press ahead with its attacks beyond Sony. “Nothing is more serious miscalculation than guessing that just a single movie production company is the target of this counteraction. Our target is all the citadels of the U.S. imperialists who earned the bitterest grudge of all Koreans. The army and people of [North Korea] are fully ready to stand in confrontation with the U.S. in all war spaces including cyber warfare space to blow up those citadels.” Those targets include the White House and the Pentagon; indeed “the whole U.S. mainland” will be hit by the North Korean military.
