NSA confident of North Korean role in Sony cyber attack as new sanctions imposed on 10 officials
N. Korea linked to Sony hack
By Bill Gertz
The North Korean cyber attack on Sony Pictures Entertainment prompted President Obama this week to impose additional sanctions for what he called “coercive cyber-related actions” and human rights violations by the rogue regime in Pyongyang.
The Treasury Department sanctioned the Reconnaissance General Bureau, the clandestine service of the North Korean government involved in cyber attacks, along with 10 North Koreans involved in overseas activities of the state-run Korea Mining Development Trading Corp., also known as KOMID. Another North Korean front, Korea Tangun Trading Corp., also was sanctioned.
KOMID, the North’s main foreign arms dealer, and Korea Tangun Trading, used to acquire foreign defense goods and technology, are known to be used by North Korea as cover for intelligence activities.
“Reconnaissance General Bureau (RGB) is North Korea’s primary intelligence organization and is involved, inter alia, in a range of activities to include conventional arms trade proscribed by numerous United Nations Security Council resolutions,” Treasury said in a statement.
“Many of North Korea’s major cyber operations run through RGB,” the notice said.
The Treasury statement on the new sanctions that identified the RGB, KOMID and Tangun did not provide details of the officials, but stated that they worked in Russia, Iran, Syria, Namibia, and Shenyang in northern China.
The listing of the 10 North Koreans as Specially Designated Nationals revealed that they range in age from 58 to 42.
Treasury said the sanctions are part of the Obama administration’s effort to “hold North Korea accountable for its destabilizing, destructive and repressive actions, particularly its efforts to undermine U.S. cyber-security and intimidate U.S. businesses and artists exercising their right of freedom of speech.”
“Today’s actions are driven by our commitment to hold North Korea accountable for its destructive and destabilizing conduct,” Treasury Secretary Jacob J. Lew said.
The secretary said the sanctions are part of the effort to “defend U.S. businesses and citizens, and to respond to attempts to undermine our values or threaten the national security of the United States.”
Lew called the North Korean officials “critical North Korean operatives.”
The presidential action followed renewed debate in some cyber security circles over whether North Korea was behind the cyber attack that began around the Thanksgiving Day holiday, or whether American insiders at the movie company carried it out.
The Sony attack resulted in the loss of massive amounts of internal proprietary information, including unreleased films, and sensitive internal emails.
After threats of violence by the ostensible group behind the cyber attack, the Guardians of Peace, movie theaters across the country refused to show Sony’s comedy “The Interview,” which involves a plot to assassinate current North Korean supreme leader Kim Jong Un.
Intelligence officials say the evidence obtained by the National Security Agency, working with South Korean intelligence, is strong. It includes both forensic evidence contained within the malicious software used in the attack that links the attack to North Korean hackers, and close similarities to earlier cyber attacks against South Korean financial institutions and news organizations. Those earlier attacks were found to be directly linked to the North Korean government and military, specifically the shadowy Reconnaissance General Bureau Unit 121, headed by North Korean Gen. Kim Yong-chol, who was sanctioned earlier by Treasury for his role in the sinking of a South Korean warship in 2010.
The Jan. 2 executive order by the president stated that “the provocative, destabilizing, and repressive actions and policies of the government of North Korea, including its destructive, coercive cyber-related actions during November and December 2014” violated United Nations Security Council resolutions against the Pyongyang regime.
The U.S. sanctions block the transfer of all assets of the North Korean government or its ruling Workers Party of Korea held by U.S. institutions, such as banks or financial institutions.
The order also blocks all donations or payments to North Korean officials, and blocks entry of all North Korean government and party officials to the United States.
The sanctions appear largely symbolic and follow the Obama administration’s soft-line policy in dealing with foreign cyber attacks. Obama said last month that he did not regard the Sony attack as an act of war and regarded it more as “cyber vandalism.”
Regarding attribution for the Sony attack, the San Mateo-based firm Norse Corp. asserted this week that a company insider, and not North Korean cyber hackers, carried out the attack.
“We can’t find any indication that North Korea either ordered, masterminded or funded this attack,” Kurt Stammberger, a senior vice president at Norse, told the Los Angeles Times.
The FBI, based on NSA intelligence, rejected Norse’s claims.
“The FBI has concluded the government of North Korea is responsible for the theft and destruction of data on the network of Sony Pictures Entertainment,” FBI spokeswoman Jenny Shearer said.
“Attribution to North Korea is based on intelligence from the FBI, the U.S. intelligence community, DHS, foreign partners and the private sector,” she added. “There is no credible information to indicate that any other individual is responsible for this cyber incident.”
Shearer said the FBI is trying to identify and pursue those that carried out the attacks and declined to provide further details because of the ongoing investigation.
But U.S. officials said NSA, whose electronic spying capabilities are the main source of cyber threat intelligence, has high confidence in its assessment of a North Korean state-sponsored attack.
The agency also obtained information from the South Korean government, which has dealt with several cases of North Korean government attacks over the past several years.
It is not clear why some cyber security experts like those at Norse continue to cast doubt on the U.S. intelligence assessment that Pyongyang was behind the attack. However, it is likely due to the growing anti-NSA sentiment in many security circles that grew out of disclosures of NSA spying produced by former NSA contractor Edward Snowden.
The Snowden disclosures, based on the release of highly classified NSA documents, have been seized on by many anti-American leftists who have falsely sought to exploit revelations of secret NSA spying activities as what they say is a threat to civil liberties, despite the fact that the agency is restricted from spying on Americans. The anti-NSA sentiment has impacted many in the American high-technology community and sowed distrust toward the super-secret agency. NSA, for its part, has done little to try to counteract this negative trend. The agency continues its policy of keeping almost all its activities – including its successes and operations in cyber space – secret.
NSA has been the lead spy service engaged in cyber intelligence work from the earliest days of the new domain known as cyber space.
For example, documents released by the agency reveal that in 1997, NSA’s then-Deputy Director William B. Black, Jr. stated in the classified internal newsletter Cryptolog that the agency has had the mission of conducting computer network attack under a Pentagon order dated March 3, 1997.
“This delegation of authority has added a new, third dimension to NSA’s ‘one mission’ future,” Black stated. “That is, in the networked world of cyberspace, CNA technology is the natural companion of NSA’s exploit and protect functions.” The NSA newsletter stated that “the future of warfare is warfare in cyberspace.”
However, the Obama administration’s liberal policymakers view both the U.S. intelligence community and the U.S. military with deep skepticism and, in the case of many officials, outright hostility.
As a result, effective cyber security programs and cyber warfare capabilities have been hamstrung. Instead, the administration has sought to rely largely on diplomatic efforts and financial and other sanctions.
Those policies have led to an increase in cyber attacks by nation states that see little risk in waging covert cyber warfare against the United States, and in using cyber means to steal vast amounts of computer information held in both government and private sector networks.
— Bill Gertz
Jan. 2, 2015