Snowden, the Sony Hack and North Korea
The Obama administration’s self-confident attribution of the Sony hack to North Korea generated substantial skepticism in the cyber community; although over a month old, Wired's point-counterpoint offers a pretty good summary of the state of play at the height of the debate. But recently, there has been a major development in the case that has not gotten the attention it deserves: the stunning revelations in Snowden documents released in the fall of last year on the scope of NSA capabilities, including specifically on North Korea.
Working through the Snowden documents not only requires patience, but substantial technical expertise; many of them are unreadable to a layman. Cryptome keeps a running tally, but Lawfare offers them up in a more coherent organization that assigns them to the following categories: tools and methods; overseas USG locations from which operations are undertaken (the NSA has had agents in South Korea); foreign officials and systems that NSA has targeted; encryption that NSA has broken; ISPs or platforms that NSA has penetrated or attempted to penetrate; and identities of cooperating companies and governments. Just listing these categories gives you some sense of why the leaks were so sensitive.
The documents have been released piecemeal to a number of outlets, but one of the most careful analysis of them comes from Der Spiegel (this is really a portal that leads to a number of stories the journal has done as well as the documents themselves). Spiegel outlines the founding and evolution of the NSA’s top operational unit, the Office of Tailored Access Operations (TAO), created in 1997 and now with units in half a dozen locations in the US, with several hundred employees engaged in numerous operations a year (279 in 2010 to be exact). Beginning with methods that looked surprisingly like private hackers (such as spamming) the organization has subsequently developed much more sophisticated tools of computer network exploitation (CNE), including “a shadow network operated by the NSA alongside the Internet, with its own, well-hidden infrastructure comprised of ‘covert’ routers and servers.”
A technique straight out of a La Carre novel—updated to the early 21st century—is called 4th (or even 5th) party collection. In 2009, the NSA traced a data breach at the DoD to an IP address in Asia that had also been the source of other attacks. TAO was not only capable of tracing the attack's point of origin to China, but also in reading over the shoulder of the Chinese hackers at what they had stolen from other sources, including the UN.
Among the documents released to Spiegel is one titled “Is there Fifth Party Collection?” The memo (in .pdf) asks “Has there ever been an instance of NSA obtaining information from Actor One exploiting Actor Two’s CNE activity against a target that NSA, Actor One and Actor Two all care about?” The note then goes on to list an “awesome” example and you guessed it: it reveals that the NSA has a pretty tight bead on North Korea’s CNE operations.
The date of the memo is unclear, but references suggest that it was after 2007. The analyst talks about working on a project “last year” on South Korea’s CNE program: “while we weren’t super interested in SK (things changed a bit when they started targeting us a bit more), we were interested in North Korea and SK puts a lot of resources against them.” At this point—again, date unclear—“our access to NK was next to nothing but we were able to make some inroads to the SK CNE program.” They then discovered instances where North Korean officials had South Korean implants on their boxes “so we got on the exfil [exfiltration] points, and sucked back the data.” That is classic 4th party.
But some of the individuals the South Koreans were targeting were none other than agents in North Korea’s CNE network, described well in these posts at the Korea Herald by Song-sang Ho. So the NSA was looking over South Korean CNE operations at North Korean CNE operations. The NSA then ramped up their own direct efforts “as you don't want to rely on an untrusted actor [ie. South Korea] to do your work for you.”
This is obviously not a smoking gun on Sony in particular. But if Mandiant can do this work on China, imagine what a virtually unconstrained NSA can do. Subsequent documents may or may not reveal more about the penetration of North Korea’s capabilities in particular. But there is both direct and strong circumstantial evidence—and from none other than the Snowden leaks—that the NSA was and is plugged into North Korean CNE networks and operations.