U.S. officials have concluded North Korea is behind the hacking
attack on Sony Pictures, elevating the issue from a question of
corporate security to national security, according to people
familiar with the investigation.
Within the U.S. government, there has been an internal debate in
recent days about when and how to reveal that belief publicly,
because doing so could complicate relations with Japan and would
raise the difficult question of how the U.S. should respond to an
aggressive act by a foreign government.
U.S. officials are still gathering evidence and are trying to
build a clearer picture of who directed the hacking and how.
Investigators strongly suspect the attack was carried out by a
North Korean government hacking team known as Unit 121 in the
General Bureau of Reconnaissance, people briefed on the matter
said. That team has previously been linked to other cyberattacks
against South Korean targets.
The Sony hack raises a perplexing question for U.S. security
officials--how to respond to a foreign government suspected of
hacking an American company to embarrass them. While the Sony hack
has also raised public safety and economic issues, it isn't the
type of scenario envisioned by many security officials, who worry
about the hacking of critical infrastructure systems.
The U.S. rarely accuses other nations of conducting cyberattacks
in the U.S., even when it has strong suspicions. One exception came
this May when the Justice Department indicted five Chinese military
officers, alleging they hacked U.S. companies' computers to steal
trade secrets.
If the U.S. publicly blames North Korea for the attack,
officials believe it would then have to craft some kind of
response. Those options are constrained, given how North Korea is
already sanctioned and cut off from much of the world. Some U.S.
officials have also expressed concern that blaming North Korea for
the attack could put Japan, a U.S. ally, in a bind. Tokyo, unlike
America, has to deal with North Korea as a neighbor just across the
Sea of Japan.
Determining who is behind a cyberattack is far from an exact science.
For instance, the Sony hackers' traffic was routed through a variety
of overseas addresses, including a hotel in Thailand, these people
said. Hackers can easily fake the apparent origin of their attacks,
but there are numerous signs linking the Sony hack to North Korean
government hackers that security researchers have tracked for years.
The attack code was written on machines set with Korean as the
default language during Korean peninsula working hours, according to
people familiar with the matter. The types of remote servers used in
the Sony hack match those used in other breaches linked to North
Korea. North Korea's hackers also have a habit of posing as
previously unknown hacker groups that use broken English and
drawings of skeletons. The group called "Guardians of Peace" claimed
credit for the Sony breach; the "New Romanic Cyber Army" hit South
Korean banks and broadcasters last year, while "Whois Hacking Team"
took over a website for LG Uplus Corp., the South Korean
telecommunications company, around the same time.
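The attribution clues above (build-machine language and compile times in Korean working hours) are the kind of weak signals an analyst tallies across many samples, always checking first that a timestamp is not forged. The following script is an added illustration, not from the article or the investigation: it takes constructed samples with a PE compile timestamp and a Windows resource LANGID, discards timestamps that postdate the sample's first sighting, and reports the share that fall in Korea Standard Time working hours.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Windows resource LANGIDs (subset): 0x0412 = Korean, 0x0409 = US English
LANGID_NAMES = {0x0412: "ko-KR", 0x0409: "en-US", 0x0804: "zh-CN"}
KST = timezone(timedelta(hours=9))  # Korean peninsula, no daylight saving

@dataclass
class Sample:
    name: str
    compile_ts: int        # PE header TimeDateStamp, seconds since epoch (UTC)
    langid: int            # LANGID of the sample's VERSIONINFO resource
    first_seen: datetime   # first observation of the file (UTC)

def kst(y, m, d, h, mi):
    """Epoch seconds for a wall-clock time in Korea Standard Time."""
    return int(datetime(y, m, d, h, mi, tzinfo=KST).timestamp())

def in_working_hours(ts, tz, start=9, end=18):
    """True if the timestamp falls Mon-Fri between start and end hours in tz."""
    local = datetime.fromtimestamp(ts, tz)
    return local.weekday() < 5 and start <= local.hour < end

def plausible_timestamp(s):
    """A compile time of zero or later than first sighting cannot be genuine."""
    return 0 < s.compile_ts <= int(s.first_seen.timestamp())

def attribution_summary(samples, tz=KST):
    usable = [s for s in samples if plausible_timestamp(s)]
    work = sum(in_working_hours(s.compile_ts, tz) for s in usable)
    langs = {}
    for s in samples:  # language tally is independent of timestamp forgery
        name = LANGID_NAMES.get(s.langid, hex(s.langid))
        langs[name] = langs.get(name, 0) + 1
    return {
        "usable": len(usable),
        "discarded": len(samples) - len(usable),
        "working_hours_share": work / len(usable) if usable else 0.0,
        "langids": langs,
    }

# Constructed sample set; names, times and LANGIDs are invented for the demo.
SEEN = datetime(2014, 11, 24, tzinfo=timezone.utc)
SAMPLES = [
    Sample("wiper_a.exe", kst(2014, 11, 20, 10, 30), 0x0412, SEEN),  # Thu, work
    Sample("wiper_b.exe", kst(2014, 11, 21, 15, 5), 0x0412, SEEN),   # Fri, work
    Sample("dropper.exe", kst(2014, 11, 22, 11, 0), 0x0412, SEEN),   # Saturday
    Sample("loader.dll", kst(2014, 11, 24, 2, 0), 0x0409, SEEN),     # 02:00 KST
    Sample("forged.exe", kst(2015, 1, 1, 12, 0), 0x0412, SEEN),      # postdates sighting
]

if __name__ == "__main__":
    print(attribution_summary(SAMPLES))
```

A working-hours share near 1.0 across a large corpus is suggestive, never conclusive; the article's own caveat that origins can be faked applies equally to build artifacts.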
Crowdstrike Inc., a U.S. cybersecurity firm, calls this group
"Silent Chollima," a reference to the mythical winged horse used in
the North's economic development plans, and has tracked it back to
at least 2006. The company declined to comment on the Sony breach.
When the FBI recently released the malware used in the movie studio
hack, the company told clients it believed it was the work of
"Silent Chollima."
Peter Singer, a cybersecurity strategist and senior fellow at
the New America Foundation, and other cyberwar experts worry that
what happened to Sony could become the new normal, now that Sony has
decided to pull the movie and Washington has yet to respond.
"This is now a case study that is signaling to attackers that you
can get all that you want and even more," Mr. Singer said.
Nations have yet to agree on what types of cyberattacks are
acceptable without escalating tensions. "We can set the norms by
coming out and saying this is just too much," said Jay Healey, an
expert on cybersecurity and diplomacy at the Atlantic Council in
Washington.
After hackers entered Sony's systems more than a month ago, they
installed malicious code that would eventually wipe hard drives on
many corporate computers. This wiped away many of the digital clues
and has made the investigation by the Federal Bureau of
Investigation and FireEye Inc., a cybersecurity company, more
difficult.
As of Wednesday, investigators still can't say they have removed
and blocked the hackers from Sony's systems, people familiar with
the investigation said.
The situation also remains tenuous for Sony Corp., Sony
Pictures's parent company in Tokyo. After investigators at FireEye
determined North Korea was likely linked to the attack, the firm
proposed a public report that would offer an update on the breach
and implicate Pyongyang hackers. Sony's Japan headquarters nixed the
idea, people familiar with the probe said.
Write to Devlin Barrett at devlin.barrett@wsj.com and Danny
Yadron at danny.yadron@wsj.com