Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Security Sony The Internet United States

FBI: North Korean Hackers "Got Sloppy", Leaked IP Addresses 219

An anonymous reader writes "The FBI launched a PR counterattack against skeptics of the assertion by the US government that North Korean hackers were responsible for anonymous threats received by Sony before its scheduled premiere of the film The Interview. Sony initially cancelled the Christmas day release, but later relented after receiving extensive criticism. In a speech at a New York City cybersecurity conference hosted by Fordham University, FBI Director James Comey said that while the attackers concealed their identify by using proxy servers, on occasion they "got sloppy" and made direct connections, exposing their true IP addresses; these indicated a North Korea origin. Comey also mentioned additional corroborative evidence, including patterns matching those seen in previous attacks known to have come from North Korea, but was guarded on details. Also at the Fordham conference, US Director of National Intelligence James Clapper mentioned recently meeting the Kim Yong Chol, the North Korean general in charge of cyberwarfare. Clapper emphasized Kim's belligerence and lack of a sense of humor, implying that an advance screening of "The Interview" would likely have enraged and provoked the North Korean brass."
This discussion has been archived. No new comments can be posted.

FBI: North Korean Hackers "Got Sloppy", Leaked IP Addresses

Comments Filter:
  • by Anonymous Coward

    How do they know that the connections from North Korea weren't proxied themselves?

    If I was going to launch a hack as major as the Sony one, I'd absolutely 100% be sure to leave some breadcrumbs (perhaps even multiple trails) to cover my own tracks.

    Cliche movie quote: "he's clean...too clean..."

    • by TheCarp ( 96830 )

      Lol its like some people never played Uplink. Even the game had the log deleter and the log modifier, which was used in the frame job contracts. Its almost kind of a no brainer. and hardly a new concept, what is a botnet really but a way to look like hundreds of other people instead of yourself?

  • Hmmm (Score:5, Funny)

    by Anonymous Coward on Thursday January 08, 2015 @09:18AM (#48763857)

    Until now, I believed it was North Korea.

    But the US government always lies. I'm starting to doubt!

  • by rmdingler ( 1955220 ) on Thursday January 08, 2015 @09:22AM (#48763869) Journal
    Sometimes, Occam's razor comes to bear.
    • by Pliny ( 12671 )

      It doesn't require a grand conspiracy to doubt North Korea had enough lead time to compromise Sony so thoroughly in response to The Interview. It also isn't a Oliver Stone-esqe reach to observe that there are anecdotal reports all over the place of hackers planting false trails to China and Russia to blend in with real attacks from both places.

      In the absence of actual publicly produced evidence from someone *without* a history of lying to the public and Congress, it's safe to assume that the "North Korean I

      • It's not that your argument is without merit. The U.S. government, every World gov't in fact, can be expected to prevaricate when it suits them to some advantage over the truth. What is that advantage in this case? Justification for sanctions? They act up so regularly this incident was hardly necessary to justify sanctions.

        I would only argue that North Korea has motive (clearly the movie is insulting to a hack dictator), opportunity(the World knew the movie was in development long before its release), and n

  • by nimbius ( 983462 ) on Thursday January 08, 2015 @09:22AM (#48763873) Homepage
    Listening to his speech is like sitting through a Transformers movie. You know the words, and you know the terms, but theyre all used in an entirely incoherent fashion. James seems to think hacking works just like a James Bond film in that its all about time. hackers that 'disconnect quickly' wont be found and those that 'get sloppy' will be detected by some ostentatious array of flashing lights and sirens attached to a mainframe.

    James hasnt pulled his star wars head out of his NCIS ass and given any pertanent information like how hackers breeched sony, what attack vectors were used, what exploits were performed (if any) and what if any IDS or firewall technology was complicit in the breech. So given the lack of seriously technical information surrounding this leak its more than plausible by Occams Razor that Sony was the result of a simple phishing attack or bruteforce. Its also a little too convenient that a country which outright bans american films and that would never have to tolerate its citizenry watching it, happens to care enough to make a retaliatory strike against what for all intents and purposes is a nonthreat. What IS however quite possible is a disgruntled employee simply decided to dump the mail server to the pirate bay, and because you can as a business affect an insurance claim against hackers, its convenient to do so in the face of a movie that will in all likelyhood barely break even.
    • by mwvdlee ( 775178 )

      [...]and given any pertanent information like how hackers breeched sony, what attack vectors were used, what exploits were performed (if any) and what if any IDS or firewall technology was complicit in the breech.

      Likewise, the public still hasn't gotten the shopping list and blueprints required to make the bomb in the [insert random terrorist attack] attacks.

      I do agree the "North Korea did it" storyline seems a bit off.

    • by Xest ( 935314 )

      "Its also a little too convenient that a country which outright bans american films and that would never have to tolerate its citizenry watching it, happens to care enough to make a retaliatory strike against what for all intents and purposes is a nonthreat."

      Apparently dodgy Chinese DVD copies regularly make their way into North Korea, and a number of Hollywood Films are quite popular regardless of their actual legality so I think you're wrong about that. See this story going back to 2012 for example:

      http:/ [bbc.co.uk]

      • by rtb61 ( 674572 )

        That is what it is all about, accepted modern forms of justice. This evidence thing you speak of where is it, why hasn't it been presented and of course as part of the normal legal process why hasn't it been challenged and validated by that challenge. It is called trial in absentia https://en.wikipedia.org/wiki/... [wikipedia.org]. Where the accused does not turn up but where the accuser proves their case. Innocent until proven guilty in a court of law. Any government wants to claim anything about anything, then they must

  • Crapper? (Score:5, Insightful)

    by AmiMoJo ( 196126 ) * <mojoNO@SPAMworld3.net> on Thursday January 08, 2015 @09:25AM (#48763893) Homepage

    Is this the same James Clapper who lied to Congress, and now expects us to believe him?

    • by ShaunC ( 203807 )

      Nah, different guy. This is James Comey, the FBI director. The one who's spent the last couple of months heavily pushing the narrative that if Apple and Google allow encryption on their devices, a child will die. Which isn't false, anymore than it's false to say that if Americans are allowed to drive, a child will die. It's weird, though, I can't seem to recall any government officials lobbying to outlaw cars.

      I'll give Comey credit for one thing, he's kept a low enough profile that the Nigerians don't yet s

  • by Anonymous Coward on Thursday January 08, 2015 @09:32AM (#48763939)

    The "got sloppy and leaked IP addrs" sounds like the same way the Silk Road server was found. I wonder what parallel construction existed (NSA?) telling the FBI where to look, and what to look for. Of course, we'll never hear those details because, "National Security".

  • by Anonymous Coward on Thursday January 08, 2015 @09:35AM (#48763953)

    "Clapper emphasized Kim's belligerence and lack of a sense of humor, implying that an advance screening of "The Interview" would likely have enraged and provoked the North Korean brass."

    Well FUCK ME: if Kim Yong Chol can't take a little "jokey-joke" then obviously it was DPRK who stole the cookies from the cookie jar!

    "FBI Director James Comey said that while the attackers concealed their identify by using proxy servers, on occasion they "got sloppy" and made direct connections, exposing their true IP addresses; these indicated a North Korea origin."

    Well SHIT: apparently when the attackers connect from Eastern Europe: "it's a proxy server" but if they connect from an IP address inside a regime the CIA has a hard-on for pressuring economically: it's a smoking gun.

    "Comey also mentioned additional corroborative evidence, including patterns matching those seen in previous attacks known to have come from North Korea, but was guarded on details"

    BLAH BLAH "secret evidence" BLAH: here's the problem with sticking your nose up everyone's ass Clapper, even when you "know" something is a fact: nobody believes you because the evidence was gathered through spying and deciept! Even if you manage to fabricate some "parallel" construction without revealing which routers on the TREASURE MAP are poisoned: nobody will fucking believe you because you've lost all credibility.

    Essentially, the FBI is saying "Trust us: you know we're hacking everyone else so you can trust us when we say we have SECRET EVIDENCE that North Korea hacked Sony". Everything else is just confirmation bias bullshit.

    I'm by no means a penn-tester, but I know the routine well enough to say that claims of attack heuristics having unique or distinct fingerprint are pretty fucking sketchy. 2/3rds of Penn-testers never have to do more than litter "SEX TAPE" cds/usb thumb drives in the parking lot, run a metasploit scan, set up a fake wifi hotspot, or ARP-Spoof the router to get everything they need for total network rape.

    If a random hacker owns my box using these tactics, did North Korea do it because we've seen them run Metasploit scans before?

    This shit was obviously a for-profit hack which went pear shaped, and then the State Deparment/defense Intelligence/cyber-warfare wing jumped on this shit like a bunch of opportunist dogs in heat. Not the case? Then how about some of that transparency Obama promised us and they can pull the viel off the SECRET EVIDENCE or STFU and quit wasting everyone's time pretending they need an excuse to put economic sanctions on North Korea.

    Do it cause "glorious leader has a bad haircut" for all I care, but stop pissing on us and telling us it's raining: I'm sick of being lied to be these assholes.

    • > apparently when the attackers connect from Eastern Europe: "it's a proxy server" but if they connect from an IP address inside a regime the CIA has a hard-on for pressuring economically: it's a smoking gun.

      Actually, in this case it actually is good evidence. Eastern Europe is full of open proxies, and you can tell they are open proxies by actually using them as proxies. North Korea has a total of 1024 IP addresses assigned, and fewer than that in use. US intelligence has mapped most of those to indiv

      • by vux984 ( 928602 )

        So yeah, when messages come from the IP of the appropriate NK government offices, it actually is reasonably strong evidence.

        Its definitely suggestive. Its hardly conclusive.

        Computers in north korea can be botted just like anyone elses. And if I controlled a botted computer somewhere behind a North Korean ip address NAT... well... you know I'd HAVE to proxy through it just for the hacker-cred...

      • by hey! ( 33014 )

        Except there's no way of telling whether those addresses weren't being used proxies too.

        This is an exercise in Bayesian logic. If you had a high degree of prior suspicion that NK was behind this, it'll look like a smoking gun. If you have a low degree of prior suspicion, it won't look nearly so significant. Personally, I'm in the middle. I think this makes it more likely that NK was behind the attack, but I don't regard it as a "smoking gun". It seems perfectly credible that someone who can orchestrate th

    • "Clapper emphasized Kim's belligerence and lack of a sense of humor, implying that an advance screening of "The Interview" would likely have enraged and provoked the North Korean brass."

      Well FUCK ME: if Kim Yong Chol can't take a little "jokey-joke" then obviously it was DPRK who stole the cookies from the cookie jar!

      On the other hand, *some* people have no sense of humor when it comes to jokes/comics about The Prophet (or ISIS leaders) - even though there's no prohibition actually in the Quran (according to Wikipedia). Even *if* the gunmen who killed 12 people at the French satirical magazine Charlie Hebdo the other day hadn't yelled, "we have avenged the Prophet Muhammad," most people would have instantly assumed the gunmen were Muslim extremists and been correct.

      Sometimes ducks actually walk and talk like ducks.

  • In other words... (Score:2, Insightful)

    by Anonymous Coward

    "We know it, but won't tell you. Trust us".

    Sorry, FBI, but I don't trust you this > much. Based on experience.

    (Not that I trust -- or somehow like! North Korean regime, mind you).

    • "We know it, but won't tell you. Trust us".

      Sorry, FBI, but I don't trust you this > much. Based on experience.

      (Not that I trust -- or somehow like! North Korean regime, mind you).

      I agree with your premise but not your conclusion.
      They do lie a lot... but then we get to the whole "Why would they lie?" bit...
      We all already hate the DPRK.
      It's right to hate them, they're the most evil organization in the world. They still have concentration camps for Gods sakes.
      The US government gains nothing by this. They could pretty much do anything they wanted to, short of nuking the place, and I think the general US population would cheer. So this isn't some sort of FUD attempt. The American peoples

      • by dbIII ( 701233 ) on Thursday January 08, 2015 @11:06AM (#48764627)

        The US government gains nothing by this

        Various empire building "cyberwarfare" types do even if it's to the detriment of other parts of the government that are defunded to feed their growth.
        I've spoken to someone who managed to get out of N.K. so I'm well aware that it's a basket case of evil, but we're just being misdirected by self serving pricks in this case. The links were suggested long after the hack and the very convenient story started building after that.

  • by DoofusOfDeath ( 636671 ) on Thursday January 08, 2015 @09:37AM (#48763971)

    Clapper lid to Congress under oath. What are the odds he'll tell the truth at a random conference?

    I don't feel like looking it up, but I'm fairly sure I remember news stories about the FBI lying as well. (To the FISA court? I forget.) Anyway, their word is meaningless. They are without honor.

    • Clapper lid to Congress under oath. What are the odds he'll tell the truth at a random conference?

      I don't feel like looking it up, but I'm fairly sure I remember news stories about the FBI lying as well. (To the FISA court? I forget.) Anyway, their word is meaningless. They are without honor.

      "Everyone lies" - Gregory House [wikipedia.org]

  • by BlackPignouf ( 1017012 ) on Thursday January 08, 2015 @09:39AM (#48763985)

    It must be true, Colin Powell brought a vial to the United Nations Security Council, and claimed it contained a 99.9999% pure North Korean IP.

  • by Chrisq ( 894406 ) on Thursday January 08, 2015 @09:47AM (#48764025)
    Playing devil's advocate, it's possible that it wasn't the North Koreans who '"got sloppy" and made direct connections, exposing their true IP addresses'. Another explanation would be that some other group is responsible and got clever, routing attacks via North Korea to shift the blame.
    • by T.E.D. ( 34228 )

      Playing devil's advocate, it's possible that it wasn't the North Koreans who '"got sloppy" and made direct connections, exposing their true IP addresses'. Another explanation would be that some other group is responsible and got clever, routing attacks via North Korea to shift the blame.

      I blame Xenu

    • Nahh, you're playing the conspiracy advocate. In light of additional supporting evidence for the established story you're adding more layers of increasingly unlikely scenarios to support your predetermined conclusion. Don't worry, most humans are hard wired to do it.

      Like someone above posted, using a NK IP address as a proxy is extremely unlikely since they only have about 1000 total IP addresses. Lucky for you, the conspiracy onion can support an infinite number of layers...so no, I can't prove it wasn't a

    • Playing devil's advocate, it's possible...

      Unfortunately, you present not a single shred of evidence, nor do you provide any evidence to counter what the FBI has said.

      .
      Devil's advocate or not, without any evidence the credibility of what you assert is zero.

      • Unfortunately, you present not a single shred of evidence, nor do you provide any evidence to counter what the FBI has said.

        The FBI hasn't presented any evidence either - they've merely made claims. "State secrets" is their shield and one that has been previously used to hide lies.

        It's impossible to prove if any of the actors are telling the truth. Only independent third-party security firms have released any data, so they get the natural edge towards veracity.

  • Not experts (Score:2, Insightful)

    by Anonymous Coward

    Stop calling these self-promoting headline grabbers "security experts". They were wrong, and obviously so in a big way, even at the time. They two words "security expert" should never again be applied to these idiots who couldn't wait to call the FBI wrong. The Whitehouse had the resources of the USA including the NSA at their disposal. Anyone who thought their pet theory trumped that is by definition a "security moron".

  • timeframe? (Score:3, Informative)

    by ramriot ( 1354111 ) on Thursday January 08, 2015 @10:48AM (#48764479)

    This information leaked by Clapper and Comey while not exactly a lie is misleading at best. Without the exact timeframe of the "got Sloppy" IP's it is not possible to determine if this is actually NK actioning an attack or GOP making it look like NK after the fact.

    It all comes down to the fact that the NK / The Interview connection was not voiced by GOP until after the press had latched on to that link to point the finger at NK because of Sony pictures being the producer of The Interview. Now if the sloppy tradecraft (very unlikely) leaking a NK IP (175.45.176.0 – 175.45.179.255, 210.52.109.0 – 210.52.109.255 take your pick) prior to any mention of NK being responsible in the press then that would lend strong credence to that assertion. Otherwise it may point to GOP being unconnected with NK apart from PWNing either a machine within NK or via a BGP poisoning attack of a China Telecom router. Which neither China Telecom or NK are going to openly admit because of loosing face. Remember also that most of the machines in China & NK that run commercial OS's do so outside the ULA and are thus unable to keep patched and are thus open to being attacked by many known zero-day issues.

    In the end it all comes down to this, governments are very bad at doing business and whoever GOP owes their allegiance or funding to, the attack on Sony was a covert criminal act conducted possibly across international boundaries and thus it needs to be treated as such. So If and when their is conclusive proof of someone who is responsible then legal recompense needs to be sought. Unfortunately international law and covert actions being what it is, it seems unlikely that even given the first the second will reach some resolution. FWIW this is a teachable moment for all large corporations, so start listening to their CISOs and give them the funds and manpower to properly secure their networks in the current climate.

  • by Anonymous Coward on Thursday January 08, 2015 @10:59AM (#48764569)

    If you do not understand that every packet in and out of NK is logged then hand in your geek badge. If you do not understand that major efforts over the last few years have focused on being able to scrutinize all that traffic successfully then hand in your geek badge. If you do not understand that all activity including packet size packet count and timing information through NSA managed Tor nodes can be used to trace an attack especially one transferring such massive quantities of data making it impossible to hide even with obfuscation then hand in your geek badge, you truly are an idiot who slept through the Snowden revelations. They KNOW who conducted this attack and they will never tell you why for good reason. Some "security expert" claiming otherwise if no such thing, but you're always find some dummy looking for a headline.

  • They've been going on about the "elite" hackers North Korea has supposedly trained and deployed, but now they supposedly made an amateur mistake like not covering their trail through proxies?

    Shit, man, the US "intelligence" services just provide more and more comedy for the world as time goes on... what a freakin' JOKE.

  • by Karmashock ( 2415832 ) on Thursday January 08, 2015 @12:50PM (#48765531)

    What is more, 100 terabytes of company data is a lot to download. That didn't happen in a couple weeks. In fact, a fair amount of it might have been taken PHYSICALLY from Sony's servers.

    Again... hack was in progress for more then a year.

  • I read here that they have a single IPv4 block.

    At 100mb/s (with nothing else using it) it would take 3 months to download the "100TB" that is said to have been downloaded. At 10mb/s it would take 30 months. (All approximate). This is end-to-end bandwidth, including all of the hops in between, like these proxies (for when they weren't sloppy).

    • by ShaunC ( 203807 )

      I don't believe the North Korea story, but lack of transit is not (IMO) a solid argument against their involvement. I don't think anyone has accused them of downloading everything into their country and sending it back out. If I were a North Korean cyber warrior tasked with exfiltrating terabytes of data out of Great Satan's companies, I'd compromise some vulnerable servers in a country with fat pipes, and direct the attacks from there. A few kbps is plenty to sustain a control channel via ssh/RDP/LogMeIn t

  • James Clapper mentioned recently meeting the Kim Yong Chol, the North Korean general in charge of cyberwarfare. Clapper emphasized Kim's belligerence and lack of a sense of humor, implying that an advance screening of "The Interview" would likely have enraged and provoked the North Korean brass."

    Maybe Kim just doesn't like being lied to?

  • Like I believe the FBI, that the hackers "got sloppy". They did that good a job, *then* got sloppy? There's no chance, of course, that whoever actually did it *delberately* put those false trails in, no, no....

                    mark

  • Clapper: “We could see that the IP addresses that were being used to post and to send e-mails were coming from IPs that were exclusively used by the North Koreans.”
    Is he claiming that the NSA was watching the attack and data exfiltration while it was happening? Could they or should they have stopped it?

"The chain which can be yanked is not the eternal chain." -- G. Fitch

Working...