Cybersecurity: Crime and Espionage

FBI Director James Comey's Remarks Today

By Benjamin Wittes
Thursday, January 8, 2015, 12:23 AM

I have been unable to find video or audio of FBI Director James Comey's remarks today adding to his prior attribution of the Sony hack to North Korea. Nor has the FBI itself released the text. That said, Fortune magazine has published the following, describing it as "Comey’s remarks in full":

As you know, we at the FBI and the entire intelligence community have attributed these attacks to North Korea. And we continue to believe that is the case. There is not much in this life that I have high confidence about---I have very high confidence about this attribution as does the entire intelligence community. So how do we know that? Or why do I have such high confidence in this attribution to North Korea?

Here’s the tricky part: I want to show you as much as I can the American people about the why and I want to show the bad guys as little as possible about the how---how we see what we see---because it will happen again and we have to preserve our methods and our sources.

There’s a couple of ways we’ve already said. You know the technical analysis of the data deletion malware from the attack shows clear links to other malware that we know the North Koreans previously developed. The tools in the Sony attack bore striking similarities to another cyber attack the North Koreans conducted against South Korean banks and media outlets. We’ve done a---I have, as you know from watching Silence of the Lambs---about people who sit at Quantico, very dark jobs. Their jobs are to try to understand the minds of bad actors. That’s our behavioral analysis unit. We put them to work studying the statement, the writings, the diction of the people involved claiming to be the so-called Guardians of Peace in this attack and compared it to other attacks we know the North Koreans have done. And they say, “Easy. For us it’s the same actors.”

We brought in a red team from all across the intelligence community and said let’s hack at this. What else could be explaining this? What other explanations might there be? What might be missing? What competing hypotheses might there be? Evaluate possible alternatives---what might be missing? And we ended up in the same place.

Now I know because I’ve read in the newspaper---seen in the news---that some serious folks have suggested that we have it wrong. I would suggest---not suggesting, I’m saying---that they don’t have the facts that I have---don’t see what I see---but there are a couple things I have urged the intelligence community to declassify that I will tell you right now.

The Guardians of Peace would send e-mails threatening Sony employees and would post online various statements explaining their work. And in nearly every case they used proxy servers to disguise where they were coming from. And sending those e-mails and then sending and pasting and posting those statements.

And several times they got sloppy. Several times either because they forgot or because they had a technical problem they connected directly and we could see them. And we could see that the IP addresses being used to post and to send the e-mails were coming from IPs that were exclusively used by the North Koreans. It was a mistake by them that we haven’t told you about before that was a very clear indication of who was doing this. They shut it off very quickly once they realized the mistake. But not before we knew where it was coming from.

As I said, we have a range of other sources and methods that I’m going to continue to protect because we think that they’re critical to our ability—the entire intelligence community’s ability—to see future attacks and to understand this attack better. We have brought them all to bear in this situation and I remain where I started not just with high confidence, but with very high confidence that the north Koreans perpetrated this attack.

We’re still looking to identify the vector—so how did they get into Sony? We see so far spear phishing coming at Sony as late as September of this year. We’re still working that and when we figure that out we’ll do our best to give you the details on that. But that seems the likely vector for the entry to Sony.