Monday, January 19, 2015

Traced to Pyongyang

When Sony Pictures was hacked late last year, there was considerable speculation as to the groups--or nation--that was responsible for the cyber-attack.

After the FBI became involved, the agency quickly announced that North Korea was behind the hack, citing the use of malware associated with previous cyber-strikes conducted by Pyongyang.  But other security experts disagreed, claiming the "evidence" offered by the FBI was skimpy, at best, and suggested that "hacktivist" groups might be responsible.

We took a slightly different approach, noting that the bureau had access to information unavailable to other experts.

Fact is, the FBI maintains a close working relationship with NSA on cyber-security issues and can draw upon that agency's vast expertise in that field.   In fact, some members of the FBI's cyber division are stationed at NSA HQ at Fort Meade, MD, to facilitate liaision efforts between the organizations.  It's a safe bet the FBI's "North  Korea"  analysis was based, at least in part, on data provided by NSA, and so far, the feds have said virtually nothing about the role of the SIGINT agency in the Sony investigation. If the assessment is based on NSA data, it would add more credence to the North Korean angle.

In fact, the NSA has active partnerships with a number of tech firms, allowing it to probe for potential weaknesses and monitor activity from various hacker groups, including those sponsored by nation-states.  Author Shane Harris recently detailed the extent of these relationships in his book @War: the Rise of the Military-Internet Complex: 

The NSA helps the companies find weaknesses in their products. But it also pays the companies not to fix some of them. Those weak spots give the agency an entry point for spying or attacking foreign governments that install the products in their intelligence agencies, their militaries, and their critical infrastructure. Microsoft, for instance, shares zero day vulnerabilities in its products with the NSA before releasing a public alert or a software patch, according to the company and U.S. officials. Cisco, one of the world’s top network equipment makers, leaves backdoors in its routers so they can be monitored by U.S. agencies, according to a cyber security professional who trains NSA employees in defensive techniques. And McAfee, the Internet security company, provides the NSA, the CIA, and the FBI with network traffic flows, analysis of malware, and information about hacking trends.

Companies that promise to disclose holes in their products only to the spy agencies are paid for their silence, say experts and officials who are familiar with the arrangements. To an extent, these openings for government surveillance are required by law. Telecommunications companies in particular must build their equipment in such a way that it can be tapped by a law enforcement agency presenting a court order, like for a wiretap. But when the NSA is gathering intelligence abroad, it is not bound by the same laws. Indeed, the surveillance it conducts via backdoors and secret flaws in hardware and software would be illegal in most of the countries where it occurs.  


Today's edition of The New York Times offered additional insights into the NSA's cyber-capabilities, disclosing that the spy agency first penetrated North Korea's on-line networks as early as 2010:  

Spurred by growing concern about North Korea’s maturing capabilities, the American spy agency drilled into the Chinese networks that connect North Korea to the outside world, picked through connections in Malaysia favored by North Korean hackers and penetrated directly into the North with the help of South Korea and other American allies, according to former United States and foreign officials, computer experts later briefed on the operations and a newly disclosed N.S.A. document.


A classified security agency program expanded into an ambitious effort, officials said, to place malware that could track the internal workings of many of the computers and networks used by the North’s hackers, a force that South Korea’s military recently said numbers roughly 6,000 people. Most are commanded by the country’s main intelligence service, called the Reconnaissance General Bureau, and Bureau 121, its secretive hacking unit, with a large outpost in China.

Of course, these new revelations beg a rather important question: given NSA's detailed knowledge of North Korean neworks and hacking capabilities, why wasn't more done to blunt or even defeat the DPRK threat?  Actually, there are two major reasons.  First, the U.S. government is still trying to figure out the level of protection that NSA can offer to commercial IT infrastructure.  And beyond that, NSA is acutely aware that intervention not only reveals details of its defensive capabilities, it also compromises a valuable intelligence source.

It's no consolation to Sony, but if the company had been a public utility or in the financial sector, it would have likely received great assistance, and at an earlier juncture in the attack.  But as we've learned in recent weeks, attacks on non-critical targets can also create havoc.  Accordingly, the nation must decide how much help it needs from organizations like the NSA and what it is willing to give up in the name of cyber defense.


  

         

1 comment:

Anonymous said...

My money is on No Such and the feebs. They are not stupid.